Overview

overview

10

Static

static

10

testingflr...RV.jar

windows7-x64

1

testingflr...RV.jar

windows10-2004-x64

1

testingflr...02.jar

windows7-x64

1

testingflr...02.jar

windows10-2004-x64

1

testingflr...98.jar

windows7-x64

1

testingflr...98.jar

windows10-2004-x64

1

testingflr....5.jar

windows7-x64

1

testingflr....5.jar

windows10-2004-x64

1

testingflr...lt.jar

windows7-x64

1

testingflr...lt.jar

windows10-2004-x64

1

testingflr...et.exe

windows7-x64

8

testingflr...et.exe

windows10-2004-x64

8

testingflr...r1.exe

windows7-x64

10

testingflr...r1.exe

windows10-2004-x64

10

testingflr...ns.jar

windows7-x64

1

testingflr...ns.jar

windows10-2004-x64

1

testingflr...ter.sh

windows7-x64

3

testingflr...ter.sh

windows10-2004-x64

3

testingflr...ka.exe

windows7-x64

8

testingflr...ka.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 01:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    testingflrplgpreg-main/baks-zapret.exe

  • Size

    1.3MB

  • MD5

    2cbf4b1ef30e6156b41f78cff4040287

  • SHA1

    6e1968746690e6a4189c9c3a30168654445701c8

  • SHA256

    7f40eaffe324e40a3d39b6d960c010be914243de7b05554716ed9c4900bb188c

  • SHA512

    3ba5c15bccabaa740044664a98b0e27cebe95c3df2ce3a14a70d8929c3dfe27f9c01e6e66647cacf9b9f30f36ca4bfe8d1cad6a97601ab413f79c9be771878e1

  • SSDEEP

    24576:l1eTCF7g2E9sb/uxNTMgyz+BcLDbPkACQjh/ZGx:eTU2Mgyz+BcnbPkcU

Score
8/10
executionupx

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Powershell Invoke Web Request.

    execution
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\baks-zapret.exe
    "C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\baks-zapret.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\583E.tmp\583F.tmp\5840.bat C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\baks-zapret.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Invoke-WebRequest https://raw.githubusercontent.com/BaksVoronov/testingflrplgpreg/refs/heads/main/list-baks.txt -OutFile list-baks.txt"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2184
      • C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\winws.exe
        "C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\winws.exe" --wf-tcp=80,443 --wf-udp=443 --filter-udp=443 --hostlist="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\list-baks.txt" --dpi-desync=fake --dpi-desync-repeats=11 --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\quic_initial_www_google_com.bin" --new --filter-udp=443 --dpi-desync=fake --dpi-desync-repeats=11 --new --filter-tcp=80 --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --hostlist-auto="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\autohostlist.txt" --new --filter-tcp=443 --hostlist="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\list-baks.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\tls_clienthello_www_google_com.bin" --new --dpi-desync=fake,disorder2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --hostlist-auto="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\autohostlist.txt" --wf-tcp=443 --wf-udp=443,50000-65535 --filter-udp=443 --hostlist="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\list-baks.txt" --dpi-desync=fake --dpi-desync-udplen-increment=10 --dpi-desync-repeats=6 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="quic_initial_www_google_com.bin" --new --filter-udp=50000-65535 --dpi-desync=fake,tamper --dpi-desync-any-protocol --dpi-desync-fake-quic="quic_initial_www_google_com.bin" --new --filter-tcp=443 --hostlist="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\list-baks.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls="tls_clienthello_www_google_com.bin"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:2560
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2664

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\583E.tmp\583F.tmp\5840.bat
    Filesize

    1KB

    MD5

    e7bad7723fb2fdb047cc01d4b24266e9

    SHA1

    e3a1d89f8e507c0ecae2b13c1cd8fa4b037359ee

    SHA256

    70039567c6ef42ebacf518a349346e7c9b513087e90fd062a1d970b43b3fd867

    SHA512

    dbfb8c066218409e7c7746cdef2979f2a1990c03d32866751204dc6df35e15d332afeaaaa2e5e66bc59de07a607b36f798c93797f8ca3a26e1065b610e7127b7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\quic_initial_www_google_com.bin
    Filesize

    1KB

    MD5

    312526d39958d89b1f8ab67789ab985f

    SHA1

    49a06ceebb13807faaf2a935a716127faff9864d

    SHA256

    f4589c57749f956bb30538197a521d7005f8b0a8723b4707e72405e51ddac50a

    SHA512

    472e88fdd60f9c67f784514a6b699bbefac257657f53a9682a864c0ced474b33f89cf14eb112226ebc9b2c6b07a8f2ec9b25010ccdf98c13370c5c9c6dc2b893

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\tls_clienthello_www_google_com.bin
    Filesize

    652B

    MD5

    7ab7ad857c5b8794fbdf1091b494dc94

    SHA1

    126cb834f83f1880ca254e010f861b72d58c3fcd

    SHA256

    e5938780152169f720383f80eabb309e9477369b83b5ec40cc137c397f862cde

    SHA512

    b6767e5c4629447e3cd579813cc431cfb9f82fb7031314835c7db0e56946dae82e123cea8911be18b70e8fdc4a039c822770da2a9eaed60eca92a3d064f03f8e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    0d703f7559bc49c6137f15295f346588

    SHA1

    90fe219888c91e8299a02f3a2571a676dd14e61e

    SHA256

    bb5eb020ae49a6a3b4cd53c8e42c403b7f30988a010e34cc69f9de1be2da7249

    SHA512

    19b45ec39e9d6cbe864ac895fcd33f5b0593081619bfb342df777617df66a177979a4d1245fa6a18dcbd4160ccf890b232e71ec65f380f61da2f368627cbd685

    Download Submit

  • \Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\WinDivert.dll
    Filesize

    46KB

    MD5

    b2014d33ee645112d5dc16fe9d9fcbff

    SHA1

    aa69498562d350f2de06954b133e59fac1e57002

    SHA256

    c1e060ee19444a259b2162f8af0f3fe8c4428a1c6f694dce20de194ac8d7d9a2

    SHA512

    37014a018b9cd91b2eaeeccc7c5af3838fcae4d4fe6bb50c7ae32cd5c99423965a3e3efb29499324f6885b8f0c2ee2952cb75ab73db4e8960811abcb46801f15

    Download Submit

  • \Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\cygwin1.dll
    Filesize

    998KB

    MD5

    c50b50303fae4afe7248307339a00d13

    SHA1

    1b4a3f7666172809bd0d88f793ee855bd4b92938

    SHA256

    712c39a069541afa69cfcbe01b422bd67b4201eee7e94cc1327d4ed8b4fa2167

    SHA512

    123d06a0a5f891851e372881860b9d7fb8c453dcdbbca5970b9b2bf205f08f0a724595c6892f4afbbb4f85292a886dddffbf0d36dfe18d4b6eea7a5d12451762

    Download Submit

  • \Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\winws.exe
    Filesize

    234KB

    MD5

    8c624e64742bc19447d52f61edec52db

    SHA1

    1e700e2dd61b5d566a651433dc86bd95a6d54449

    SHA256

    13fd7a9c6f7c98239a61a212f69211a0f19159b2e8cdae8b1efc57d35cdcd5ad

    SHA512

    f676f7aa863fd13494186d4be597c19e49dc8245f6a98a2e9e2f1d09aa9e4cbf7a87c552e49359347b24b46cd1eddfb6edcfcbd6f4ff4d24888831ff182c952a

    Download Submit

  • memory/2184-35-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2184-32-0x0000000001E00000-0x0000000001E08000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2184-36-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2184-30-0x000007FEF58DE000-0x000007FEF58DF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2184-34-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2184-31-0x000000001B620000-0x000000001B902000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2184-33-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2184-37-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2560-47-0x0000000100400000-0x0000000100446000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2560-46-0x000007FEF5CA0000-0x000007FEF5FB2000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2560-60-0x000007FEF5CA0000-0x000007FEF5FB2000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2560-59-0x0000000062800000-0x0000000062813000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2560-57-0x0000000100400000-0x0000000100446000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2664-55-0x000000001B620000-0x000000001B902000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2664-56-0x0000000002790000-0x0000000002798000-memory.dmp

    Filesize

    32KB

    Download