f25d6b99e30f5c689eb4e8112d5fa8a58529aeb36d6d9b7905b9e5eec94bdac4

General

Target

yWorAvKu.exe
Size

1.0MB
MD5

acf7ad3cd2ff2f71d7aeaf8a78ee641e
SHA1

2c2dd1a2a5b9703737db85c2f5374955f0af5f06
SHA256

f25d6b99e30f5c689eb4e8112d5fa8a58529aeb36d6d9b7905b9e5eec94bdac4
SHA512

7db0d59d63e9d92c234fb9c374b910c7cfcec972e874a57a41e014d7786dea5da63d7a686750ac73a9c1ed568fff2a1f5426730bc953077c8f7851fb118dfd53
SSDEEP

24576:ZrORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9Tva0h5z:Z2EYTb8atv1orq+pEiSDTj1VyvBa0h

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://93.88.203.116/BagelsTR23

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://93.88.203.116/jre-1.8.zip

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://93.88.203.116/PopUp2023TR.pdf

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2604	powershell.exe
7	2868	powershell.exe
8	2896	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2604	powershell.exe
2868	powershell.exe
2896	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2348	yWorAvKu.exe
2604	powershell.exe
2868	powershell.exe
2896	powershell.exe
2896	powershell.exe
2896	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1384	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2348	yWorAvKu.exe
2348	yWorAvKu.exe
2348	yWorAvKu.exe
2348	yWorAvKu.exe
2348	yWorAvKu.exe
2348	yWorAvKu.exe
2348	yWorAvKu.exe
2348	yWorAvKu.exe
2348	yWorAvKu.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
2348	yWorAvKu.exe
2348	yWorAvKu.exe
2348	yWorAvKu.exe
2348	yWorAvKu.exe
2348	yWorAvKu.exe
2348	yWorAvKu.exe
2348	yWorAvKu.exe
2348	yWorAvKu.exe
2348	yWorAvKu.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1384	AcroRd32.exe
1384	AcroRd32.exe
1384	AcroRd32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2604	2348	yWorAvKu.exe	30
PID 2348 wrote to memory of 2604	2348	yWorAvKu.exe	30
PID 2348 wrote to memory of 2604	2348	yWorAvKu.exe	30
PID 2348 wrote to memory of 2896	2348	yWorAvKu.exe	32
PID 2348 wrote to memory of 2896	2348	yWorAvKu.exe	32
PID 2348 wrote to memory of 2896	2348	yWorAvKu.exe	32
PID 2348 wrote to memory of 2868	2348	yWorAvKu.exe	33
PID 2348 wrote to memory of 2868	2348	yWorAvKu.exe	33
PID 2348 wrote to memory of 2868	2348	yWorAvKu.exe	33
PID 2896 wrote to memory of 1384	2896	powershell.exe	36
PID 2896 wrote to memory of 1384	2896	powershell.exe	36
PID 2896 wrote to memory of 1384	2896	powershell.exe	36
PID 2896 wrote to memory of 1384	2896	powershell.exe	36

C:\Users\Admin\AppData\Local\Temp\yWorAvKu.exe
"C:\Users\Admin\AppData\Local\Temp\yWorAvKu.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\cKmpIwCkO.ps1"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\TavnQURwkLXpRU.ps1"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TavnQURwkLXpRU.pdf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\gJjfhvVkyrFF.ps1"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TavnQURwkLXpRU.pdf

Filesize
11KB

MD5
58201ad042b6b286a6dc1a37d71b4742

SHA1
1bf88a6fd953315c7617435b0dadd732d3305678

SHA256
54e35e2363d5f6d6977e4adf74d2f0f72bd5d095574fd93157813bde4c2e1d5d

SHA512
3dc2b64323e151922f7d609dac1da43dc54a5fe245033799a6ea107756f1ac5400378bfdf60bd54854168a249d388f0b1a6719da2b92e6fdf2ee510e1c26953b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TavnQURwkLXpRU.ps1

Filesize
534B

MD5
a64028a2acb1c58c00c5242946f58c9c

SHA1
352e26e43c322db3b1643a8ffeb0fad0e5549259

SHA256
c2d9264c4bde6225998c5da0201da0b6c8e7f48121cf55fd837d86ef6d4606fd

SHA512
b1afac1dd3b10308377af2b03cd188aab2810e184b2d019f4bee77b8096fea69ffb37346ded7c13e3868855baf47a7d3cbeca72cc1cd22761c6c5896f123e47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cKmpIwCkO.ps1

Filesize
646B

MD5
ab621449b1acc88a3b374eea51d49c9a

SHA1
bbf67121fdafbd76c8eeb7c09f201bf2c1090db7

SHA256
8120e4693352d587b506bff96b066700a6192cfa916090fa6c6ead29c5511aa6

SHA512
847bd5af9c20bc29c0828bb8cb75b8bef2a8cd462d4e12dbb363d54f5e783d1c71006171fe4e78d3a9dfca9a56385422a8468d52692be40b97f41e0b0e4a21f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gJjfhvVkyrFF.ps1

Filesize
1KB

MD5
dd4cd8a5a68c798ff62b7f9f0ec5e724

SHA1
6531ce5997564834f3c6341639af46c23bbdd3ab

SHA256
1337813ba48522510ee97329f25325813f82592b4c8ca53bc6fa864484366184

SHA512
44b866a549487144ffa6338b4600ba75f5eecebcf60c2027cd90f27216c009548532c64e2088fd444b20828abb2ae31b0632d2f883e95c8a3a2ce05c0c2d6529

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
a2451738b524cc91f0ab07edf7ddedc3

SHA1
e7c5b56a7e977f619e8320013f64e458aadb6750

SHA256
5d1f3a9b00c217bbdcc3818f6fbc76900ba55945b23cad4cad4192fb0313ca16

SHA512
1ed7be1a13ef4dfcc416d765aeb4f5291390a98b57cc71b4abacf1e98f210750024434d535146acd97c253c725b07e5b788f9efe3de6efa00a08aa24a51b19c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f10496c6da2c8c1542f74b99103d0ecf

SHA1
2bed59d9a6f1e7148e23133dbd4fecd1449f62c2

SHA256
6da1e5c889737a787c2a9e2e1e6147333e95217628fd13eaefa9863a8e09f2f3

SHA512
da71824b0f947ee363a48993b0b056836641666323a896ca289e12a5fe3d9e69af3766b03a3bee6b4cb05882dbb9658576bc34e39eff8778743dbf73ec3c7253

Download Submit
memory/2604-7-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2604-12-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp

Filesize
9.6MB

Download
memory/2604-13-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp

Filesize
9.6MB

Download
memory/2604-15-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp

Filesize
9.6MB

Download
memory/2604-10-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp

Filesize
9.6MB

Download
memory/2604-9-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp

Filesize
9.6MB

Download
memory/2604-5-0x000007FEF630E000-0x000007FEF630F000-memory.dmp

Filesize
4KB

Download
memory/2604-8-0x000007FEF6050000-0x000007FEF69ED000-memory.dmp

Filesize
9.6MB

Download
memory/2604-6-0x000000001B1A0000-0x000000001B482000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads