Analysis
max time kernel: 117s
max time network: 120s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 12-12-2023 10:35
Static task: static1
Behavioral task: behavioral1
  Sample: PO NO.0200058.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: PO NO.0200058.exe
  Resource: win10v2004-20231127-en
General
Target: PO NO.0200058.exe
Size: 912KB
MD5: de68b61ea9b8086259280b19f27ede5c
SHA1: b9cd5e9f2c6a936361bb48d04d61a595d83d71af
SHA256: c86de3e77ae95280bae0e6ba2c1248bb30760b972f4e39993446be343d4a3808
SHA512: 6a612b8c208e1408aeac0f9b801ce7b452c97aefeeccf308a94e07aac3f20129a5e10507d88fdab4ac843a7823f7906296800e763bea404048f94a801b38102d
SSDEEP: 24576:nyr9a8gJ2wgF7EVGBOPTqUqtLRTZoO/rAfWMyQqph:w9a8gclUAOP+L9RV5/rAfWMAph
Malware Config
Signatures
Loads dropped DLL (1 IoCs)
  Processes: PID 2932 PO NO.0200058.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: PID 2700 powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: Token: SeDebugPrivilege, PID 2700 powershell.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    PID 2932 PO NO.0200058.exe wrote to memory of PID 2700 powershell.exe
    PID 2932 PO NO.0200058.exe wrote to memory of PID 2700 powershell.exe
    PID 2932 PO NO.0200058.exe wrote to memory of PID 2700 powershell.exe
    PID 2932 PO NO.0200058.exe wrote to memory of PID 2700 powershell.exe
Processes
C:\Users\Admin\AppData\Local\Temp\PO NO.0200058.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO NO.0200058.exe"
  PID: 2932
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -windowstyle hidden $derremc = Get-Content 'C:\Users\Admin\AppData\Local\Temp\sammenbygninger\Hairs\Jvnspnding\Pennatulidae\overweather.Tro' ; powershell.exe "$derremc"
    PID: 2700
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 6KB
MD5: ec0504e6b8a11d5aad43b296beeb84b2
SHA1: 91b5ce085130c8c7194d66b2439ec9e1c206497c
SHA256: 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962
SHA512: 3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57