3af83b9fd6d44e79d3cb01decd565cec0fd5db872de3aec1831babd436fcb226

Analysis

max time kernel
72s
max time network
20s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

testingflrplgpreg-main/zapretka.exe
Size

1.3MB
MD5

80c93e18eb2b5afecb20193abbd53804
SHA1

7f2f37bbb20b5cd0f353bec950e80b3a7129b4a3
SHA256

7cea393fe83fa489ce72e45ca6fdaeac0d86061f298a090ac4ac0a0c21d78ccf
SHA512

f3545d1a6adab75908d67bfafb4a40253d5066f292cb44f69f3faa12c7526733d90b65e7402d9841ae18c60b701c8f3d7e9ff4cb6f5abb2c22f7edb65ad5baff
SSDEEP

24576:75v4DT3ehpVLtT43PnMV2sES1Sw4stLNzpV7kIZIT+EvhLhTYDyVuCWN/+:dqTapX6024Yw4sBdpcphLhTWhH+

Score

8^/10

execution upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1984 powershell.exe
2976 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

winws.exe

pid process

2932 winws.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.exewinws.exe

pid process

2420 cmd.exe
2940
2932 winws.exe
2932 winws.exe

pid	process
1984	powershell.exe
2976	powershell.exe

pid	process
2932	winws.exe

pid	process
2420	cmd.exe
2940
2932	winws.exe
2932	winws.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\cygwin1.dll	upx
behavioral19/memory/2932-35-0x000007FEF6AD0000-0x000007FEF6DE2000-memory.dmp	upx
behavioral19/memory/2932-49-0x000007FEF6AD0000-0x000007FEF6DE2000-memory.dmp	upx

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2180 timeout.exe
2788 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1984 powershell.exe
2976 powershell.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
2180	timeout.exe
2788	timeout.exe

pid	process
1984	powershell.exe
2976	powershell.exe

pid	process
460

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exewinws.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeRestorePrivilege	2932	winws.exe
Token: SeBackupPrivilege	2932	winws.exe
Token: SeDebugPrivilege	2932	winws.exe
Token: SeDebugPrivilege	2976	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

zapretka.execmd.exe

description	pid	process	target process
PID 2116 wrote to memory of 2420	2116	zapretka.exe	cmd.exe
PID 2116 wrote to memory of 2420	2116	zapretka.exe	cmd.exe
PID 2116 wrote to memory of 2420	2116	zapretka.exe	cmd.exe
PID 2420 wrote to memory of 1984	2420	cmd.exe	powershell.exe
PID 2420 wrote to memory of 1984	2420	cmd.exe	powershell.exe
PID 2420 wrote to memory of 1984	2420	cmd.exe	powershell.exe
PID 2420 wrote to memory of 2932	2420	cmd.exe	winws.exe
PID 2420 wrote to memory of 2932	2420	cmd.exe	winws.exe
PID 2420 wrote to memory of 2932	2420	cmd.exe	winws.exe
PID 2420 wrote to memory of 2180	2420	cmd.exe	timeout.exe
PID 2420 wrote to memory of 2180	2420	cmd.exe	timeout.exe
PID 2420 wrote to memory of 2180	2420	cmd.exe	timeout.exe
PID 2420 wrote to memory of 2976	2420	cmd.exe	powershell.exe
PID 2420 wrote to memory of 2976	2420	cmd.exe	powershell.exe
PID 2420 wrote to memory of 2976	2420	cmd.exe	powershell.exe
PID 2420 wrote to memory of 2788	2420	cmd.exe	timeout.exe
PID 2420 wrote to memory of 2788	2420	cmd.exe	timeout.exe
PID 2420 wrote to memory of 2788	2420	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\zapretka.exe
"C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\zapretka.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A63E.tmp\A63F.tmp\A640.bat C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\zapretka.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://raw.githubusercontent.com/BaksVoronov/testingflrplgpreg/refs/heads/main/list-baks.txt -OutFile list-baks.txt"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- - C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\winws.exe
    "C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\winws.exe" --wf-tcp=80,443 --wf-udp=443 --filter-udp=443 --hostlist="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\list-baks.txt" --dpi-desync=fake --dpi-desync-repeats=11 --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\quic_initial_www_google_com.bin" --new --filter-udp=443 --dpi-desync=fake --dpi-desync-repeats=11 --new --filter-tcp=80 --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --hostlist-auto="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\autohostlist.txt" --new --filter-tcp=443 --hostlist="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\list-baks.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\tls_clienthello_www_google_com.bin" --new --dpi-desync=fake,disorder2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --hostlist-auto="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\autohostlist.txt" --wf-tcp=443 --wf-udp=443,50000-65535 --filter-udp=443 --hostlist="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\list-baks.txt" --dpi-desync=fake --dpi-desync-udplen-increment=10 --dpi-desync-repeats=6 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="quic_initial_www_google_com.bin" --new --filter-udp=50000-65535 --dpi-desync=fake,tamper --dpi-desync-any-protocol --dpi-desync-fake-quic="quic_initial_www_google_com.bin" --new --filter-tcp=443 --hostlist="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\list-baks.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls="tls_clienthello_www_google_com.bin"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\system32\timeout.exe
    timeout /T 1
    3⤵
    - Delays execution with timeout.exe
    PID:2180
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- - C:\Windows\system32\timeout.exe
    timeout /T 5
    3⤵
    - Delays execution with timeout.exe
    PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A63E.tmp\A63F.tmp\A640.bat

Filesize
1KB

MD5
a716185eca513fe44390da2724789e99

SHA1
75ba0f37ddd4d4370b54b0bd67816c7785a48da8

SHA256
1d8b6b2e401e86b1fb3563bb84303ab1e70473da6d5f36ac23ad8d67ae7c6204

SHA512
48df1196702dbe0d99213ecfbe23ed5f90734399a1fc2ea25a085d47f8fd902302f63cc2389260e195a9bc5ad9c019107e7f0bacf15f10df5bbd7d02b4974e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\cygwin1.dll

Filesize
998KB

MD5
c50b50303fae4afe7248307339a00d13

SHA1
1b4a3f7666172809bd0d88f793ee855bd4b92938

SHA256
712c39a069541afa69cfcbe01b422bd67b4201eee7e94cc1327d4ed8b4fa2167

SHA512
123d06a0a5f891851e372881860b9d7fb8c453dcdbbca5970b9b2bf205f08f0a724595c6892f4afbbb4f85292a886dddffbf0d36dfe18d4b6eea7a5d12451762

Download Submit
C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\quic_initial_www_google_com.bin

Filesize
1KB

MD5
312526d39958d89b1f8ab67789ab985f

SHA1
49a06ceebb13807faaf2a935a716127faff9864d

SHA256
f4589c57749f956bb30538197a521d7005f8b0a8723b4707e72405e51ddac50a

SHA512
472e88fdd60f9c67f784514a6b699bbefac257657f53a9682a864c0ced474b33f89cf14eb112226ebc9b2c6b07a8f2ec9b25010ccdf98c13370c5c9c6dc2b893

Download Submit
C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\tls_clienthello_www_google_com.bin

Filesize
652B

MD5
7ab7ad857c5b8794fbdf1091b494dc94

SHA1
126cb834f83f1880ca254e010f861b72d58c3fcd

SHA256
e5938780152169f720383f80eabb309e9477369b83b5ec40cc137c397f862cde

SHA512
b6767e5c4629447e3cd579813cc431cfb9f82fb7031314835c7db0e56946dae82e123cea8911be18b70e8fdc4a039c822770da2a9eaed60eca92a3d064f03f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\winws.exe

Filesize
234KB

MD5
8c624e64742bc19447d52f61edec52db

SHA1
1e700e2dd61b5d566a651433dc86bd95a6d54449

SHA256
13fd7a9c6f7c98239a61a212f69211a0f19159b2e8cdae8b1efc57d35cdcd5ad

SHA512
f676f7aa863fd13494186d4be597c19e49dc8245f6a98a2e9e2f1d09aa9e4cbf7a87c552e49359347b24b46cd1eddfb6edcfcbd6f4ff4d24888831ff182c952a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
432065361f0e7e3556f688cf46122c52

SHA1
01cd84e6190424734daca0fa0cf22f303ef0329c

SHA256
ee6ac2865e9f87e1e21e91d0e872239ab9f6d98d79599cc61e2a7fab29eb8cda

SHA512
5d3f8cfce9c0e4869a535921ffc8f6957fa0841c0358bdbc5074b90f00af95174e1b1302eb76f6c776d0cfb6b92518d146ed8e2058399d28d84129e7800f958c

Download Submit
\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\WinDivert.dll

Filesize
46KB

MD5
b2014d33ee645112d5dc16fe9d9fcbff

SHA1
aa69498562d350f2de06954b133e59fac1e57002

SHA256
c1e060ee19444a259b2162f8af0f3fe8c4428a1c6f694dce20de194ac8d7d9a2

SHA512
37014a018b9cd91b2eaeeccc7c5af3838fcae4d4fe6bb50c7ae32cd5c99423965a3e3efb29499324f6885b8f0c2ee2952cb75ab73db4e8960811abcb46801f15

Download Submit
memory/1984-21-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/1984-18-0x000007FEF53CE000-0x000007FEF53CF000-memory.dmp

Filesize
4KB

Download
memory/1984-26-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/1984-19-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/1984-24-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/1984-23-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/1984-22-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/1984-25-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/1984-20-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2932-36-0x0000000100400000-0x0000000100446000-memory.dmp

Filesize
280KB

Download
memory/2932-35-0x000007FEF6AD0000-0x000007FEF6DE2000-memory.dmp

Filesize
3.1MB

Download
memory/2932-48-0x0000000062800000-0x0000000062813000-memory.dmp

Filesize
76KB

Download
memory/2932-49-0x000007FEF6AD0000-0x000007FEF6DE2000-memory.dmp

Filesize
3.1MB

Download
memory/2932-46-0x0000000100400000-0x0000000100446000-memory.dmp

Filesize
280KB

Download
memory/2976-44-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/2976-45-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download