d73f8f8dc88a35ebc1a1876433c6daa4f8cb40b5b34c3e2aed3343831438b9e6

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO19223403.scr
Size

1019KB
MD5

1310b0c86f99ed198cfd1802cfabe1e6
SHA1

f9da789a0e49f7f0332c21e65f3f9fb746cfb82a
SHA256

bbdb2beee29b5cd7d145cf722ef633432ce5c229a9eba8048eb747e4fc10d5bb
SHA512

076eb43fc662d8a27a5528407bd9f42d93e916034cfd13d10c32c3e98573571fd232a26d04ac0a8f991f0d33361a532e2bb24f7b1752ee9c2abd5f47a13603a5
SSDEEP

24576:+sEChyXOAaCr9Ar9ssls+qRMcePSu41y4I7c9Ek+dv/h9Q8UnSBtv4YyU06:+mIimAJnsvp2IA/+x+d/ha8USBVf

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2256	PO19223403.scr

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\redressment\Drnke60.und	PO19223403.scr
File created	C:\Windows\SysWOW64\Computing116\Gedeosten154.lnk	PO19223403.scr

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\entrada\phiallike.Dis	PO19223403.scr

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\resources\udtrkkene\andalusisk.lnk	PO19223403.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2476	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2476	2256	PO19223403.scr	28
PID 2256 wrote to memory of 2476	2256	PO19223403.scr	28
PID 2256 wrote to memory of 2476	2256	PO19223403.scr	28
PID 2256 wrote to memory of 2476	2256	PO19223403.scr	28

C:\Users\Admin\AppData\Local\Temp\PO19223403.scr
"C:\Users\Admin\AppData\Local\Temp\PO19223403.scr" /S
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Glandless=Get-Content 'C:\Users\Admin\AppData\Roaming\stress\Pointment\Kreditgivninger\Campanulous\Blaamejses.Hov';$Concurrences=$Glandless.SubString(54160,3);.$Concurrences($Glandless)"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2476

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsd1B10.tmp\nsExec.dll

Filesize
6KB

MD5
c5b9fe538654a5a259cf64c2455c5426

SHA1
db45505fa041af025de53a0580758f3694b9444a

SHA256
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

SHA512
f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

Download Submit
memory/2476-21-0x00000000738B0000-0x0000000073E5B000-memory.dmp

Filesize
5.7MB

Download
memory/2476-23-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/2476-22-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/2476-24-0x00000000738B0000-0x0000000073E5B000-memory.dmp

Filesize
5.7MB

Download
memory/2476-25-0x00000000738B0000-0x0000000073E5B000-memory.dmp

Filesize
5.7MB

Download