140cd16c7087789b1bff95f27ef03eef85e37e34362f6676a8eaff268b7c693a

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
04-12-2023 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GTE 7000345678.exe
Size

559KB
MD5

175656747a014cd0405388c8796f769d
SHA1

7f138da24c764f6d37b2d690df32481ba686d448
SHA256

140cd16c7087789b1bff95f27ef03eef85e37e34362f6676a8eaff268b7c693a
SHA512

1fe26f24918b2365c9735bbbab48248268fcfb25c9858df9912c34e15004a1e14117787386755cd40782671f33cdde704affa41c8f51a74956dff04b649a19cb
SSDEEP

12288:aS2dfQBQfYfliYNF95lWq5SoASsA6sB20XCI9:B2dfWXflnTjlWrU6420XT9

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 7 IoCs

Processes:

GTE 7000345678.exe

pid	process
1200	GTE 7000345678.exe
1200	GTE 7000345678.exe
1200	GTE 7000345678.exe
1200	GTE 7000345678.exe
1200	GTE 7000345678.exe
1200	GTE 7000345678.exe
1200	GTE 7000345678.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2848 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2848 powershell.exe

pid	process
2848	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2848	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

GTE 7000345678.exe

description	pid	process	target process
PID 1200 wrote to memory of 2848	1200	GTE 7000345678.exe	powershell.exe
PID 1200 wrote to memory of 2848	1200	GTE 7000345678.exe	powershell.exe
PID 1200 wrote to memory of 2848	1200	GTE 7000345678.exe	powershell.exe
PID 1200 wrote to memory of 2848	1200	GTE 7000345678.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\GTE 7000345678.exe
"C:\Users\Admin\AppData\Local\Temp\GTE 7000345678.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden $derremc = Get-Content 'C:\Users\Admin\AppData\Roaming\slfangeres\pind\Dokumentarierne.Bic' ; powershell.exe "$derremc"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst8048.tmp\BgImage.dll

Filesize
7KB

MD5
d3d76d8a516ceb45b8d354544c7fdec4

SHA1
0a39185c2292d3124f5139717ca9d00cd5a046b3

SHA256
e18005b81ab18ca5afcab9b6a47d0f024535b66d1f02dc2c5e2c7f28faa21516

SHA512
3dc9fe1820f7cbb5782788d7ac1c362d0e3f9b5b30aa9db77b58ca00fdd28cd6927644b1ab91c8260313c9d229ea4f0dfb1cc11bfe307e52cfca74f34aff81f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8048.tmp\nsDialogs.dll

Filesize
9KB

MD5
78e5813c5712f365d29f17e4f2aba6bb

SHA1
77fdf437a119d6cb6bd9b47b6073932aa419c928

SHA256
99c7654e291227686ffd9414bf77dc6c62d2b712f10348fd8a0697cd4940ef75

SHA512
276223f521ad7f0db93cf0d743d8a8dedaf6286ccdf908a55eb77363382a7f6404d7ece8e5262cbedd582bb0d1c6e3af350336ad51fdafb30fce000cc410504a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8048.tmp\nsExec.dll

Filesize
7KB

MD5
84bcbefa5fe3d82647a15f135f22fb2a

SHA1
7c23a0c1a8b185f5af456dafa63a3c1207d8c1dc

SHA256
14ebfa0711b48ec748b6e4985db4b99a827996ae44b28122d16f14d0d0f51bb6

SHA512
c0e4ca46be6892b2cec77992e809897bcb768e3436d9bd81e4f84f4f1da9ef123ae902783147d263ac8019c732f131654694ad4105888c1f310c7bce8844b7dd

Download Submit
\Users\Admin\AppData\Local\Temp\nst8048.tmp\BgImage.dll

Filesize
7KB

MD5
d3d76d8a516ceb45b8d354544c7fdec4

SHA1
0a39185c2292d3124f5139717ca9d00cd5a046b3

SHA256
e18005b81ab18ca5afcab9b6a47d0f024535b66d1f02dc2c5e2c7f28faa21516

SHA512
3dc9fe1820f7cbb5782788d7ac1c362d0e3f9b5b30aa9db77b58ca00fdd28cd6927644b1ab91c8260313c9d229ea4f0dfb1cc11bfe307e52cfca74f34aff81f5

Download Submit
\Users\Admin\AppData\Local\Temp\nst8048.tmp\nsDialogs.dll

Filesize
9KB

MD5
78e5813c5712f365d29f17e4f2aba6bb

SHA1
77fdf437a119d6cb6bd9b47b6073932aa419c928

SHA256
99c7654e291227686ffd9414bf77dc6c62d2b712f10348fd8a0697cd4940ef75

SHA512
276223f521ad7f0db93cf0d743d8a8dedaf6286ccdf908a55eb77363382a7f6404d7ece8e5262cbedd582bb0d1c6e3af350336ad51fdafb30fce000cc410504a

Download Submit
\Users\Admin\AppData\Local\Temp\nst8048.tmp\nsDialogs.dll

Filesize
9KB

MD5
78e5813c5712f365d29f17e4f2aba6bb

SHA1
77fdf437a119d6cb6bd9b47b6073932aa419c928

SHA256
99c7654e291227686ffd9414bf77dc6c62d2b712f10348fd8a0697cd4940ef75

SHA512
276223f521ad7f0db93cf0d743d8a8dedaf6286ccdf908a55eb77363382a7f6404d7ece8e5262cbedd582bb0d1c6e3af350336ad51fdafb30fce000cc410504a

Download Submit
\Users\Admin\AppData\Local\Temp\nst8048.tmp\nsDialogs.dll

Filesize
9KB

MD5
78e5813c5712f365d29f17e4f2aba6bb

SHA1
77fdf437a119d6cb6bd9b47b6073932aa419c928

SHA256
99c7654e291227686ffd9414bf77dc6c62d2b712f10348fd8a0697cd4940ef75

SHA512
276223f521ad7f0db93cf0d743d8a8dedaf6286ccdf908a55eb77363382a7f6404d7ece8e5262cbedd582bb0d1c6e3af350336ad51fdafb30fce000cc410504a

Download Submit
\Users\Admin\AppData\Local\Temp\nst8048.tmp\nsDialogs.dll

Filesize
9KB

MD5
78e5813c5712f365d29f17e4f2aba6bb

SHA1
77fdf437a119d6cb6bd9b47b6073932aa419c928

SHA256
99c7654e291227686ffd9414bf77dc6c62d2b712f10348fd8a0697cd4940ef75

SHA512
276223f521ad7f0db93cf0d743d8a8dedaf6286ccdf908a55eb77363382a7f6404d7ece8e5262cbedd582bb0d1c6e3af350336ad51fdafb30fce000cc410504a

Download Submit
\Users\Admin\AppData\Local\Temp\nst8048.tmp\nsExec.dll

Filesize
7KB

MD5
84bcbefa5fe3d82647a15f135f22fb2a

SHA1
7c23a0c1a8b185f5af456dafa63a3c1207d8c1dc

SHA256
14ebfa0711b48ec748b6e4985db4b99a827996ae44b28122d16f14d0d0f51bb6

SHA512
c0e4ca46be6892b2cec77992e809897bcb768e3436d9bd81e4f84f4f1da9ef123ae902783147d263ac8019c732f131654694ad4105888c1f310c7bce8844b7dd

Download Submit
\Users\Admin\AppData\Local\Temp\nst8048.tmp\nsExec.dll

Filesize
7KB

MD5
84bcbefa5fe3d82647a15f135f22fb2a

SHA1
7c23a0c1a8b185f5af456dafa63a3c1207d8c1dc

SHA256
14ebfa0711b48ec748b6e4985db4b99a827996ae44b28122d16f14d0d0f51bb6

SHA512
c0e4ca46be6892b2cec77992e809897bcb768e3436d9bd81e4f84f4f1da9ef123ae902783147d263ac8019c732f131654694ad4105888c1f310c7bce8844b7dd

Download Submit
memory/2848-39-0x0000000002660000-0x00000000026A0000-memory.dmp

Filesize
256KB

Download
memory/2848-40-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/2848-38-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/2848-37-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download