Overview

overview

8

Static

static

3

b2aedf1de5...d4.exe

windows7-x64

7

b2aedf1de5...d4.exe

windows10-2004-x64

7

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Melitta/As...er.ps1

windows7-x64

8

Melitta/As...er.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    152s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/02/2024, 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b2aedf1de53ed6e8b341efc26bfa06068a0c1dcfa04af94d998ced18546ad5d4.exe

  • Size

    575KB

  • MD5

    46b01a46c54eae7a4a22df08acd2148d

  • SHA1

    b68dd5edfa58283488c7de3eeed549cc2cf34ace

  • SHA256

    b2aedf1de53ed6e8b341efc26bfa06068a0c1dcfa04af94d998ced18546ad5d4

  • SHA512

    f2fc66d4ee5057e760ebc758d9b5b937f8ab070724bd0611c4458520c5c21a839e094ad06b5760c59167a88614d1afff5512ef5120237c1b89ab23032e9991e8

  • SSDEEP

    12288:FmWRppHy/X3hRbetbLiiJTFoAtV9Tj20z168E7rg3ONKUH1:FmWRYhR6tbRJTFjTjxzk8QOyH1

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
    installer
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2aedf1de53ed6e8b341efc26bfa06068a0c1dcfa04af94d998ced18546ad5d4.exe
    "C:\Users\Admin\AppData\Local\Temp\b2aedf1de53ed6e8b341efc26bfa06068a0c1dcfa04af94d998ced18546ad5d4.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Vandvrkerne=Get-Content 'C:\Users\Admin\AppData\Roaming\kolossens\livrente\markedsfringsomkostnings\Melitta\Assonantic\evakueringsvelsers\Jakobskamp\Blyantstegninger.Mum';$Blodsukkerets27=$Vandvrkerne.SubString(43740,3);.$Blodsukkerets27($Vandvrkerne)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1196
      • C:\Users\Admin\AppData\Local\Temp\Mikrodatamatens.exe
        "C:\Users\Admin\AppData\Local\Temp\Mikrodatamatens.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:3876

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Mikrodatamatens.exe
    Filesize

    575KB

    MD5

    46b01a46c54eae7a4a22df08acd2148d

    SHA1

    b68dd5edfa58283488c7de3eeed549cc2cf34ace

    SHA256

    b2aedf1de53ed6e8b341efc26bfa06068a0c1dcfa04af94d998ced18546ad5d4

    SHA512

    f2fc66d4ee5057e760ebc758d9b5b937f8ab070724bd0611c4458520c5c21a839e094ad06b5760c59167a88614d1afff5512ef5120237c1b89ab23032e9991e8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hmjme4nm.r55.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nstCE3E.tmp\nsExec.dll
    Filesize

    6KB

    MD5

    293165db1e46070410b4209519e67494

    SHA1

    777b96a4f74b6c34d43a4e7c7e656757d1c97f01

    SHA256

    49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

    SHA512

    97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

    Download Submit

  • C:\Users\Admin\AppData\Roaming\kolossens\livrente\markedsfringsomkostnings\Accumulators\whitecup.Lak232
    Filesize

    322KB

    MD5

    49ea58d683ec9e63e05e2af249e8b91c

    SHA1

    6715e873046f3240b1146e2c673707e707056c25

    SHA256

    18c360deaefbe9621eb1ddbab7663852d8492eaf574cb8689e956fe662ea7e7c

    SHA512

    5402ed9324788065c05d71cfc201659d83c9eb9506fd1f7deb76f53682de08d2521b9cf546b39cf3e83c44c780e86c9dfa1a0705a1c02139b8b9eac48469b045

    Download Submit

  • C:\Users\Admin\AppData\Roaming\kolossens\livrente\markedsfringsomkostnings\Melitta\Assonantic\evakueringsvelsers\Jakobskamp\Blyantstegninger.Mum
    Filesize

    42KB

    MD5

    a986fd781b75d8deae5059a8eaf9947b

    SHA1

    00e654981fe37b648a5799c04856830d83345736

    SHA256

    c2fb393897717d953dfd2ccfd179fccba1dbae00fa6c7a9ca46610b78b9ba085

    SHA512

    ccc7b6aacc718ab09d871e933227d02299e9c9c119669f15804d988b46d7ba0db45aedf6d1a61f4844ec091d6a6e9ef3e0557b3c50420693453a2df59c4b2545

    Download Submit

  • memory/1196-42-0x0000000008080000-0x0000000008624000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1196-44-0x0000000008CB0000-0x000000000932A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1196-25-0x00000000061B0000-0x0000000006216000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1196-23-0x0000000005830000-0x0000000005852000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1196-32-0x0000000006220000-0x0000000006574000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1196-36-0x0000000006820000-0x000000000683E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1196-37-0x00000000068C0000-0x000000000690C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1196-38-0x0000000005460000-0x0000000005470000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1196-40-0x0000000006D30000-0x0000000006D4A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1196-39-0x0000000006D80000-0x0000000006E16000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1196-41-0x00000000079F0000-0x0000000007A12000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1196-22-0x0000000005AA0000-0x00000000060C8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1196-20-0x0000000005460000-0x0000000005470000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1196-24-0x0000000006140000-0x00000000061A6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1196-46-0x0000000005460000-0x0000000005470000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1196-21-0x0000000003210000-0x0000000003246000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1196-48-0x0000000007D50000-0x0000000007D54000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1196-49-0x0000000074070000-0x0000000074820000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1196-51-0x0000000005460000-0x0000000005470000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1196-52-0x0000000005460000-0x0000000005470000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1196-53-0x0000000009330000-0x000000000CE95000-memory.dmp

    Filesize

    59.4MB

    Download

  • memory/1196-54-0x0000000077CE1000-0x0000000077E01000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1196-19-0x0000000074070000-0x0000000074820000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1196-64-0x0000000074070000-0x0000000074820000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3876-58-0x0000000077CE1000-0x0000000077E01000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3876-59-0x0000000000440000-0x0000000001694000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3876-57-0x0000000077D68000-0x0000000077D69000-memory.dmp

    Filesize

    4KB

    Download