f25d6b99e30f5c689eb4e8112d5fa8a58529aeb36d6d9b7905b9e5eec94bdac4

General

Target

yWorAvKu.exe
Size

1.0MB
MD5

acf7ad3cd2ff2f71d7aeaf8a78ee641e
SHA1

2c2dd1a2a5b9703737db85c2f5374955f0af5f06
SHA256

f25d6b99e30f5c689eb4e8112d5fa8a58529aeb36d6d9b7905b9e5eec94bdac4
SHA512

7db0d59d63e9d92c234fb9c374b910c7cfcec972e874a57a41e014d7786dea5da63d7a686750ac73a9c1ed568fff2a1f5426730bc953077c8f7851fb118dfd53
SSDEEP

24576:ZrORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9Tva0h5z:Z2EYTb8atv1orq+pEiSDTj1VyvBa0h

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://93.88.203.116/BagelsTR23

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://93.88.203.116/PopUp2023TR.pdf

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://93.88.203.116/jre-1.8.zip

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	3036	powershell.exe
7	2756	powershell.exe
8	2816	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3036	powershell.exe
2816	powershell.exe
2756	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1204	yWorAvKu.exe
3036	powershell.exe
2756	powershell.exe
2816	powershell.exe
2756	powershell.exe
2756	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2668	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1204	yWorAvKu.exe
1204	yWorAvKu.exe
1204	yWorAvKu.exe
1204	yWorAvKu.exe
1204	yWorAvKu.exe
1204	yWorAvKu.exe
1204	yWorAvKu.exe
1204	yWorAvKu.exe
1204	yWorAvKu.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
1204	yWorAvKu.exe
1204	yWorAvKu.exe
1204	yWorAvKu.exe
1204	yWorAvKu.exe
1204	yWorAvKu.exe
1204	yWorAvKu.exe
1204	yWorAvKu.exe
1204	yWorAvKu.exe
1204	yWorAvKu.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2668	AcroRd32.exe
2668	AcroRd32.exe
2668	AcroRd32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 3036	1204	yWorAvKu.exe	30
PID 1204 wrote to memory of 3036	1204	yWorAvKu.exe	30
PID 1204 wrote to memory of 3036	1204	yWorAvKu.exe	30
PID 1204 wrote to memory of 2756	1204	yWorAvKu.exe	32
PID 1204 wrote to memory of 2756	1204	yWorAvKu.exe	32
PID 1204 wrote to memory of 2756	1204	yWorAvKu.exe	32
PID 1204 wrote to memory of 2816	1204	yWorAvKu.exe	33
PID 1204 wrote to memory of 2816	1204	yWorAvKu.exe	33
PID 1204 wrote to memory of 2816	1204	yWorAvKu.exe	33
PID 2756 wrote to memory of 2668	2756	powershell.exe	36
PID 2756 wrote to memory of 2668	2756	powershell.exe	36
PID 2756 wrote to memory of 2668	2756	powershell.exe	36
PID 2756 wrote to memory of 2668	2756	powershell.exe	36

C:\Users\Admin\AppData\Local\Temp\yWorAvKu.exe
"C:\Users\Admin\AppData\Local\Temp\yWorAvKu.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\cKmpIwCkO.ps1"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\TavnQURwkLXpRU.ps1"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TavnQURwkLXpRU.pdf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\gJjfhvVkyrFF.ps1"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TavnQURwkLXpRU.pdf

Filesize
11KB

MD5
58201ad042b6b286a6dc1a37d71b4742

SHA1
1bf88a6fd953315c7617435b0dadd732d3305678

SHA256
54e35e2363d5f6d6977e4adf74d2f0f72bd5d095574fd93157813bde4c2e1d5d

SHA512
3dc2b64323e151922f7d609dac1da43dc54a5fe245033799a6ea107756f1ac5400378bfdf60bd54854168a249d388f0b1a6719da2b92e6fdf2ee510e1c26953b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TavnQURwkLXpRU.ps1

Filesize
534B

MD5
a64028a2acb1c58c00c5242946f58c9c

SHA1
352e26e43c322db3b1643a8ffeb0fad0e5549259

SHA256
c2d9264c4bde6225998c5da0201da0b6c8e7f48121cf55fd837d86ef6d4606fd

SHA512
b1afac1dd3b10308377af2b03cd188aab2810e184b2d019f4bee77b8096fea69ffb37346ded7c13e3868855baf47a7d3cbeca72cc1cd22761c6c5896f123e47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cKmpIwCkO.ps1

Filesize
646B

MD5
ab621449b1acc88a3b374eea51d49c9a

SHA1
bbf67121fdafbd76c8eeb7c09f201bf2c1090db7

SHA256
8120e4693352d587b506bff96b066700a6192cfa916090fa6c6ead29c5511aa6

SHA512
847bd5af9c20bc29c0828bb8cb75b8bef2a8cd462d4e12dbb363d54f5e783d1c71006171fe4e78d3a9dfca9a56385422a8468d52692be40b97f41e0b0e4a21f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gJjfhvVkyrFF.ps1

Filesize
1KB

MD5
dd4cd8a5a68c798ff62b7f9f0ec5e724

SHA1
6531ce5997564834f3c6341639af46c23bbdd3ab

SHA256
1337813ba48522510ee97329f25325813f82592b4c8ca53bc6fa864484366184

SHA512
44b866a549487144ffa6338b4600ba75f5eecebcf60c2027cd90f27216c009548532c64e2088fd444b20828abb2ae31b0632d2f883e95c8a3a2ce05c0c2d6529

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
0fc15e980cb4a3e4668153e1b2e0d6c7

SHA1
de36c9f618144bbdb74c3e55a2c7844090dc9a4e

SHA256
04727eeb11d82b576159f930be94f6d0e6455e4f15f3e7efb6f84441823c4ffe

SHA512
337c1f7053da74fa3a62d47689857e85e75542aa032d8a007d969865f1bf090b2a9fa306fa5f5e8272acedfd0d49e045ed60142de30666d99aa658e58db83fc1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GW5TP6THSFCH818KJY35.temp

Filesize
7KB

MD5
fe098973ec1c54b0b39f1deceb1f2df2

SHA1
b4018e08c8a1980215456233176a0d2728844656

SHA256
70e0771ace1fd8c39659943d8d03c18637e5ae5b04f9536c2a838350a49283e6

SHA512
715b4d43b6f9f887f273e92f89d4867381c64334451ec2ef1d3c41fdb572ba141f0908605d2483802231d54bccb3968198ca0a137cac60197f554add96f47396

Download Submit
memory/2756-25-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2756-26-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/3036-11-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/3036-15-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/3036-13-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/3036-12-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/3036-5-0x000007FEF611E000-0x000007FEF611F000-memory.dmp

Filesize
4KB

Download
memory/3036-10-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/3036-8-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

Filesize
9.6MB

Download
memory/3036-7-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/3036-6-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads