Overview

overview

10

Static

static

3

0daec5d742...52.exe

windows7-x64

7

0daec5d742...52.exe

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Mellemregningen14.ps1

windows7-x64

8

Mellemregningen14.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    19-03-2024 02:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0daec5d74297591bda4fb4aedd1c91643b7cd4312d65e5eb664d2328f0cd5c52.exe

  • Size

    623KB

  • MD5

    a1cc10092e7a19859fb5bcc32101578b

  • SHA1

    ddd0c1097cb8b4a24699c88adf23ac020121fc16

  • SHA256

    0daec5d74297591bda4fb4aedd1c91643b7cd4312d65e5eb664d2328f0cd5c52

  • SHA512

    f1572a9847203fe81736d7e8cf639d04d461646cab798f5699a6e5b94d97797114e273fddfe1fb8776297ee7f1dbe980e30da8921234cf0cc14db22c388743ed

  • SSDEEP

    12288:7R2/D6NgsWNlQp1TFqblyEocs8vMylZrwnwXifiKPt4r:Y/mWNlQp1cpyEocZMyDzXiaKl4r

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0daec5d74297591bda4fb4aedd1c91643b7cd4312d65e5eb664d2328f0cd5c52.exe
    "C:\Users\Admin\AppData\Local\Temp\0daec5d74297591bda4fb4aedd1c91643b7cd4312d65e5eb664d2328f0cd5c52.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Timebetalingerne=Get-Content 'C:\Users\Admin\AppData\Local\catalonierens\tykningernes\afhringen\Mellemregningen14.Dum';$Expectably154=$Timebetalingerne.SubString(51884,3);.$Expectably154($Timebetalingerne)"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsj8365.tmp\nsExec.dll
    Filesize

    6KB

    MD5

    fa299e199922b3ba833be655a8d71b75

    SHA1

    4d74c53bb6927a2831df93af26f3e4e4fb007797

    SHA256

    49a6a1c1f19574b2a247ce6c5adc0751e046d27c30912816ba415f871b74ae5d

    SHA512

    7ceb64d3d826762994c48ffad3ad2234410cbcdbedfce9a2dc03d18915ce22d687173f90e954d7bdb0eae76954c360059ad761aedc48cd7fa4ec29d6094f6a65

    Download Submit

  • memory/2756-19-0x0000000074280000-0x000000007482B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2756-21-0x0000000002540000-0x0000000002580000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2756-20-0x0000000074280000-0x000000007482B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2756-22-0x0000000002540000-0x0000000002580000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2756-23-0x0000000074280000-0x000000007482B000-memory.dmp

    Filesize

    5.7MB

    Download