3af83b9fd6d44e79d3cb01decd565cec0fd5db872de3aec1831babd436fcb226

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

testingflrplgpreg-main/zapretka.exe
Size

1.3MB
MD5

80c93e18eb2b5afecb20193abbd53804
SHA1

7f2f37bbb20b5cd0f353bec950e80b3a7129b4a3
SHA256

7cea393fe83fa489ce72e45ca6fdaeac0d86061f298a090ac4ac0a0c21d78ccf
SHA512

f3545d1a6adab75908d67bfafb4a40253d5066f292cb44f69f3faa12c7526733d90b65e7402d9841ae18c60b701c8f3d7e9ff4cb6f5abb2c22f7edb65ad5baff
SSDEEP

24576:75v4DT3ehpVLtT43PnMV2sES1Sw4stLNzpV7kIZIT+EvhLhTYDyVuCWN/+:dqTapX6024Yw4sBdpcphLhTWhH+

Score

8^/10

execution upx

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 2740 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2740 powershell.exe
2956 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

winws.exe

pid process

2492 winws.exe
Loads dropped DLL 2 IoCs

Processes:

winws.exe

pid process

2492 winws.exe
2492 winws.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 raw.githubusercontent.com
4 raw.githubusercontent.com

flow	pid	process
4	2740	powershell.exe

pid	process
2740	powershell.exe
2956	powershell.exe

pid	process
2492	winws.exe

pid	process
2492	winws.exe
2492	winws.exe

flow	ioc
3	raw.githubusercontent.com
4	raw.githubusercontent.com

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\cygwin1.dll	upx
behavioral20/memory/2492-37-0x00007FFAC9260000-0x00007FFAC9572000-memory.dmp	upx
behavioral20/memory/2492-44-0x00007FFAC9260000-0x00007FFAC9572000-memory.dmp	upx

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3936 timeout.exe
3976 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

2740 powershell.exe
2740 powershell.exe
2956 powershell.exe
2956 powershell.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

660

pid	process
3936	timeout.exe
3976	timeout.exe

pid	process
2740	powershell.exe
2740	powershell.exe
2956	powershell.exe
2956	powershell.exe

pid	process
660

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exewinws.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeRestorePrivilege	2492	winws.exe
Token: SeBackupPrivilege	2492	winws.exe
Token: SeDebugPrivilege	2492	winws.exe
Token: SeDebugPrivilege	2956	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

zapretka.execmd.exe

description	pid	process	target process
PID 2584 wrote to memory of 3760	2584	zapretka.exe	cmd.exe
PID 2584 wrote to memory of 3760	2584	zapretka.exe	cmd.exe
PID 3760 wrote to memory of 2740	3760	cmd.exe	powershell.exe
PID 3760 wrote to memory of 2740	3760	cmd.exe	powershell.exe
PID 3760 wrote to memory of 2492	3760	cmd.exe	winws.exe
PID 3760 wrote to memory of 2492	3760	cmd.exe	winws.exe
PID 3760 wrote to memory of 3936	3760	cmd.exe	timeout.exe
PID 3760 wrote to memory of 3936	3760	cmd.exe	timeout.exe
PID 3760 wrote to memory of 2956	3760	cmd.exe	powershell.exe
PID 3760 wrote to memory of 2956	3760	cmd.exe	powershell.exe
PID 3760 wrote to memory of 3976	3760	cmd.exe	timeout.exe
PID 3760 wrote to memory of 3976	3760	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\zapretka.exe
"C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\zapretka.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8666.tmp\8667.tmp\8668.bat C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\zapretka.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://raw.githubusercontent.com/BaksVoronov/testingflrplgpreg/refs/heads/main/list-baks.txt -OutFile list-baks.txt"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- - C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\winws.exe
    "C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\winws.exe" --wf-tcp=80,443 --wf-udp=443 --filter-udp=443 --hostlist="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\list-baks.txt" --dpi-desync=fake --dpi-desync-repeats=11 --dpi-desync-fake-quic="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\quic_initial_www_google_com.bin" --new --filter-udp=443 --dpi-desync=fake --dpi-desync-repeats=11 --new --filter-tcp=80 --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --hostlist-auto="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\autohostlist.txt" --new --filter-tcp=443 --hostlist="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\list-baks.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\tls_clienthello_www_google_com.bin" --new --dpi-desync=fake,disorder2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --hostlist-auto="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\autohostlist.txt" --wf-tcp=443 --wf-udp=443,50000-65535 --filter-udp=443 --hostlist="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\list-baks.txt" --dpi-desync=fake --dpi-desync-udplen-increment=10 --dpi-desync-repeats=6 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="quic_initial_www_google_com.bin" --new --filter-udp=50000-65535 --dpi-desync=fake,tamper --dpi-desync-any-protocol --dpi-desync-fake-quic="quic_initial_www_google_com.bin" --new --filter-tcp=443 --hostlist="C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\list-baks.txt" --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls="tls_clienthello_www_google_com.bin"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\system32\timeout.exe
    timeout /T 1
    3⤵
    - Delays execution with timeout.exe
    PID:3936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- - C:\Windows\system32\timeout.exe
    timeout /T 5
    3⤵
    - Delays execution with timeout.exe
    PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a5c074e56305e761d7cbc42993300e1c

SHA1
39b2e23ba5c56b4f332b3607df056d8df23555bf

SHA256
e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953

SHA512
c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8666.tmp\8667.tmp\8668.bat

Filesize
1KB

MD5
a716185eca513fe44390da2724789e99

SHA1
75ba0f37ddd4d4370b54b0bd67816c7785a48da8

SHA256
1d8b6b2e401e86b1fb3563bb84303ab1e70473da6d5f36ac23ad8d67ae7c6204

SHA512
48df1196702dbe0d99213ecfbe23ed5f90734399a1fc2ea25a085d47f8fd902302f63cc2389260e195a9bc5ad9c019107e7f0bacf15f10df5bbd7d02b4974e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bdxdsajr.ujf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\WinDivert.dll

Filesize
46KB

MD5
b2014d33ee645112d5dc16fe9d9fcbff

SHA1
aa69498562d350f2de06954b133e59fac1e57002

SHA256
c1e060ee19444a259b2162f8af0f3fe8c4428a1c6f694dce20de194ac8d7d9a2

SHA512
37014a018b9cd91b2eaeeccc7c5af3838fcae4d4fe6bb50c7ae32cd5c99423965a3e3efb29499324f6885b8f0c2ee2952cb75ab73db4e8960811abcb46801f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\cygwin1.dll

Filesize
998KB

MD5
c50b50303fae4afe7248307339a00d13

SHA1
1b4a3f7666172809bd0d88f793ee855bd4b92938

SHA256
712c39a069541afa69cfcbe01b422bd67b4201eee7e94cc1327d4ed8b4fa2167

SHA512
123d06a0a5f891851e372881860b9d7fb8c453dcdbbca5970b9b2bf205f08f0a724595c6892f4afbbb4f85292a886dddffbf0d36dfe18d4b6eea7a5d12451762

Download Submit
C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\list-baks.txt

Filesize
3KB

MD5
00d0a325bf3fd4960ad19c467879ad02

SHA1
29ff02864e7f21e94dbd47ff9acc438604f79e2f

SHA256
99a0a3783a1fefec966e3633374887cb8bbe5a467d667a9c0200c89ec7f0c677

SHA512
e764c234db5d8154a5721799af815db6a08e5405c4886a8bb2c971f5ad627b29a14b5b67de85b8f2192c641ea46283e926f77c45ece64603e3fd9445d80d61e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\quic_initial_www_google_com.bin

Filesize
1KB

MD5
312526d39958d89b1f8ab67789ab985f

SHA1
49a06ceebb13807faaf2a935a716127faff9864d

SHA256
f4589c57749f956bb30538197a521d7005f8b0a8723b4707e72405e51ddac50a

SHA512
472e88fdd60f9c67f784514a6b699bbefac257657f53a9682a864c0ced474b33f89cf14eb112226ebc9b2c6b07a8f2ec9b25010ccdf98c13370c5c9c6dc2b893

Download Submit
C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\tls_clienthello_www_google_com.bin

Filesize
652B

MD5
7ab7ad857c5b8794fbdf1091b494dc94

SHA1
126cb834f83f1880ca254e010f861b72d58c3fcd

SHA256
e5938780152169f720383f80eabb309e9477369b83b5ec40cc137c397f862cde

SHA512
b6767e5c4629447e3cd579813cc431cfb9f82fb7031314835c7db0e56946dae82e123cea8911be18b70e8fdc4a039c822770da2a9eaed60eca92a3d064f03f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\testingflrplgpreg-main\winws.exe

Filesize
234KB

MD5
8c624e64742bc19447d52f61edec52db

SHA1
1e700e2dd61b5d566a651433dc86bd95a6d54449

SHA256
13fd7a9c6f7c98239a61a212f69211a0f19159b2e8cdae8b1efc57d35cdcd5ad

SHA512
f676f7aa863fd13494186d4be597c19e49dc8245f6a98a2e9e2f1d09aa9e4cbf7a87c552e49359347b24b46cd1eddfb6edcfcbd6f4ff4d24888831ff182c952a

Download Submit
memory/2492-44-0x00007FFAC9260000-0x00007FFAC9572000-memory.dmp

Filesize
3.1MB

Download
memory/2492-37-0x00007FFAC9260000-0x00007FFAC9572000-memory.dmp

Filesize
3.1MB

Download
memory/2492-38-0x0000000100400000-0x0000000100446000-memory.dmp

Filesize
280KB

Download
memory/2492-43-0x0000000062800000-0x0000000062813000-memory.dmp

Filesize
76KB

Download
memory/2492-42-0x0000000100400000-0x0000000100446000-memory.dmp

Filesize
280KB

Download
memory/2740-30-0x00007FFAC8A60000-0x00007FFAC9521000-memory.dmp

Filesize
10.8MB

Download
memory/2740-26-0x00007FFAC8A60000-0x00007FFAC9521000-memory.dmp

Filesize
10.8MB

Download
memory/2740-25-0x00007FFAC8A60000-0x00007FFAC9521000-memory.dmp

Filesize
10.8MB

Download
memory/2740-15-0x000002545C9C0000-0x000002545C9E2000-memory.dmp

Filesize
136KB

Download
memory/2740-14-0x00007FFAC8A63000-0x00007FFAC8A65000-memory.dmp

Filesize
8KB

Download