3af83b9fd6d44e79d3cb01decd565cec0fd5db872de3aec1831babd436fcb226

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

testingflrplgpreg-main/baks-zapret.exe
Size

1.3MB
MD5

2cbf4b1ef30e6156b41f78cff4040287
SHA1

6e1968746690e6a4189c9c3a30168654445701c8
SHA256

7f40eaffe324e40a3d39b6d960c010be914243de7b05554716ed9c4900bb188c
SHA512

3ba5c15bccabaa740044664a98b0e27cebe95c3df2ce3a14a70d8929c3dfe27f9c01e6e66647cacf9b9f30f36ca4bfe8d1cad6a97601ab413f79c9be771878e1
SSDEEP

24576:l1eTCF7g2E9sb/uxNTMgyz+BcLDbPkACQjh/ZGx:eTU2Mgyz+BcnbPkcU

Score

8^/10

execution upx

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

8 1836 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2960 powershell.exe
1836 powershell.exe

flow	pid	process
8	1836	powershell.exe

pid	process
2960	powershell.exe
1836	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

baks-zapret.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	baks-zapret.exe

Executes dropped EXE 1 IoCs

Processes:

winws.exe

pid process

1996 winws.exe
Loads dropped DLL 2 IoCs

Processes:

winws.exe

pid process

1996 winws.exe
1996 winws.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 raw.githubusercontent.com
8 raw.githubusercontent.com

pid	process
1996	winws.exe

pid	process
1996	winws.exe
1996	winws.exe

flow	ioc
5	raw.githubusercontent.com
8	raw.githubusercontent.com

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\cygwin1.dll	upx
behavioral12/memory/1996-59-0x00007FFF10E00000-0x00007FFF11112000-memory.dmp	upx
behavioral12/memory/1996-68-0x00007FFF10E00000-0x00007FFF11112000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1836 powershell.exe
1836 powershell.exe
2960 powershell.exe
2960 powershell.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656

pid	process
1836	powershell.exe
1836	powershell.exe
2960	powershell.exe
2960	powershell.exe

pid	process
656

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exewinws.exe

description	pid	process
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeRestorePrivilege	1996	winws.exe
Token: SeBackupPrivilege	1996	winws.exe
Token: SeDebugPrivilege	1996	winws.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

baks-zapret.execmd.exe

description	pid	process	target process
PID 5000 wrote to memory of 3408	5000	baks-zapret.exe	cmd.exe
PID 5000 wrote to memory of 3408	5000	baks-zapret.exe	cmd.exe
PID 3408 wrote to memory of 1836	3408	cmd.exe	powershell.exe
PID 3408 wrote to memory of 1836	3408	cmd.exe	powershell.exe
PID 3408 wrote to memory of 1996	3408	cmd.exe	winws.exe
PID 3408 wrote to memory of 1996	3408	cmd.exe	winws.exe
PID 3408 wrote to memory of 2960	3408	cmd.exe	powershell.exe
PID 3408 wrote to memory of 2960	3408	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\baks-zapret.exe
"C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\baks-zapret.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B5A4.tmp\B5A5.tmp\B5A6.bat C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\baks-zapret.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://raw.githubusercontent.com/BaksVoronov/testingflrplgpreg/refs/heads/main/list-baks.txt -OutFile list-baks.txt"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1836
- - C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\winws.exe
    "C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\winws.exe" --wf-tcp=80,443 --wf-udp=443 --filter-udp=443 --hostlist="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\list-baks.txt" --dpi-desync=fake --dpi-desync-repeats=11 --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\quic_initial_www_google_com.bin" --new --filter-udp=443 --dpi-desync=fake --dpi-desync-repeats=11 --new --filter-tcp=80 --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --hostlist-auto="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\autohostlist.txt" --new --filter-tcp=443 --hostlist="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\list-baks.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\tls_clienthello_www_google_com.bin" --new --dpi-desync=fake,disorder2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --hostlist-auto="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\autohostlist.txt" --wf-tcp=443 --wf-udp=443,50000-65535 --filter-udp=443 --hostlist="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\list-baks.txt" --dpi-desync=fake --dpi-desync-udplen-increment=10 --dpi-desync-repeats=6 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="quic_initial_www_google_com.bin" --new --filter-udp=50000-65535 --dpi-desync=fake,tamper --dpi-desync-any-protocol --dpi-desync-fake-quic="quic_initial_www_google_com.bin" --new --filter-tcp=443 --hostlist="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\list-baks.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls="tls_clienthello_www_google_com.bin"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f6a3762a04bbb03336fb66a040afb97

SHA1
0a0495c79f3c8f4cb349d82870ad9f98fbbaac74

SHA256
36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383

SHA512
cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\B5A4.tmp\B5A5.tmp\B5A6.bat

Filesize
1KB

MD5
e7bad7723fb2fdb047cc01d4b24266e9

SHA1
e3a1d89f8e507c0ecae2b13c1cd8fa4b037359ee

SHA256
70039567c6ef42ebacf518a349346e7c9b513087e90fd062a1d970b43b3fd867

SHA512
dbfb8c066218409e7c7746cdef2979f2a1990c03d32866751204dc6df35e15d332afeaaaa2e5e66bc59de07a607b36f798c93797f8ca3a26e1065b610e7127b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mxtykcuw.aqp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\WinDivert.dll

Filesize
46KB

MD5
b2014d33ee645112d5dc16fe9d9fcbff

SHA1
aa69498562d350f2de06954b133e59fac1e57002

SHA256
c1e060ee19444a259b2162f8af0f3fe8c4428a1c6f694dce20de194ac8d7d9a2

SHA512
37014a018b9cd91b2eaeeccc7c5af3838fcae4d4fe6bb50c7ae32cd5c99423965a3e3efb29499324f6885b8f0c2ee2952cb75ab73db4e8960811abcb46801f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\cygwin1.dll

Filesize
998KB

MD5
c50b50303fae4afe7248307339a00d13

SHA1
1b4a3f7666172809bd0d88f793ee855bd4b92938

SHA256
712c39a069541afa69cfcbe01b422bd67b4201eee7e94cc1327d4ed8b4fa2167

SHA512
123d06a0a5f891851e372881860b9d7fb8c453dcdbbca5970b9b2bf205f08f0a724595c6892f4afbbb4f85292a886dddffbf0d36dfe18d4b6eea7a5d12451762

Download Submit
C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\list-baks.txt

Filesize
3KB

MD5
00d0a325bf3fd4960ad19c467879ad02

SHA1
29ff02864e7f21e94dbd47ff9acc438604f79e2f

SHA256
99a0a3783a1fefec966e3633374887cb8bbe5a467d667a9c0200c89ec7f0c677

SHA512
e764c234db5d8154a5721799af815db6a08e5405c4886a8bb2c971f5ad627b29a14b5b67de85b8f2192c641ea46283e926f77c45ece64603e3fd9445d80d61e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\quic_initial_www_google_com.bin

Filesize
1KB

MD5
312526d39958d89b1f8ab67789ab985f

SHA1
49a06ceebb13807faaf2a935a716127faff9864d

SHA256
f4589c57749f956bb30538197a521d7005f8b0a8723b4707e72405e51ddac50a

SHA512
472e88fdd60f9c67f784514a6b699bbefac257657f53a9682a864c0ced474b33f89cf14eb112226ebc9b2c6b07a8f2ec9b25010ccdf98c13370c5c9c6dc2b893

Download Submit
C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\tls_clienthello_www_google_com.bin

Filesize
652B

MD5
7ab7ad857c5b8794fbdf1091b494dc94

SHA1
126cb834f83f1880ca254e010f861b72d58c3fcd

SHA256
e5938780152169f720383f80eabb309e9477369b83b5ec40cc137c397f862cde

SHA512
b6767e5c4629447e3cd579813cc431cfb9f82fb7031314835c7db0e56946dae82e123cea8911be18b70e8fdc4a039c822770da2a9eaed60eca92a3d064f03f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\winws.exe

Filesize
234KB

MD5
8c624e64742bc19447d52f61edec52db

SHA1
1e700e2dd61b5d566a651433dc86bd95a6d54449

SHA256
13fd7a9c6f7c98239a61a212f69211a0f19159b2e8cdae8b1efc57d35cdcd5ad

SHA512
f676f7aa863fd13494186d4be597c19e49dc8245f6a98a2e9e2f1d09aa9e4cbf7a87c552e49359347b24b46cd1eddfb6edcfcbd6f4ff4d24888831ff182c952a

Download Submit
memory/1836-42-0x00007FFF17920000-0x00007FFF183E1000-memory.dmp

Filesize
10.8MB

Download
memory/1836-38-0x00007FFF17920000-0x00007FFF183E1000-memory.dmp

Filesize
10.8MB

Download
memory/1836-37-0x00007FFF17920000-0x00007FFF183E1000-memory.dmp

Filesize
10.8MB

Download
memory/1836-27-0x0000022AB68D0000-0x0000022AB68F2000-memory.dmp

Filesize
136KB

Download
memory/1836-26-0x00007FFF17923000-0x00007FFF17925000-memory.dmp

Filesize
8KB

Download
memory/1996-60-0x0000000100400000-0x0000000100446000-memory.dmp

Filesize
280KB

Download
memory/1996-59-0x00007FFF10E00000-0x00007FFF11112000-memory.dmp

Filesize
3.1MB

Download
memory/1996-65-0x0000000100400000-0x0000000100446000-memory.dmp

Filesize
280KB

Download
memory/1996-68-0x00007FFF10E00000-0x00007FFF11112000-memory.dmp

Filesize
3.1MB

Download
memory/1996-67-0x0000000062800000-0x0000000062813000-memory.dmp

Filesize
76KB

Download