Overview

overview

10

Static

static

3

0254025b29...f1.exe

windows7-x64

7

0254025b29...f1.exe

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Accompanyi...ar.ps1

windows7-x64

8

Accompanyi...ar.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    20/03/2024, 02:06

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0254025b294133b4e71de66ad453e83f414ef6e5440f19e9017d26bc2ff2a2f1.exe

  • Size

    629KB

  • MD5

    b77e0b1deb6602a1c6029295114d91ea

  • SHA1

    3142b6a4ae2481f9be71e7ea6f9abbedac914c08

  • SHA256

    0254025b294133b4e71de66ad453e83f414ef6e5440f19e9017d26bc2ff2a2f1

  • SHA512

    5bb5b5e65e386180138bfddada07c08f759d35744a8014812bc9e7585582e9568cf66dcc06b9541de13f32a403961c48071af68c82dfbf8e1f5296cd82bc6c52

  • SSDEEP

    12288:Zz64+JKNOfpUmvA4Bjfcg5jBfnvM/VWnA1gI0ZO0:84KJf4DcvM/4n20E0

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0254025b294133b4e71de66ad453e83f414ef6e5440f19e9017d26bc2ff2a2f1.exe
    "C:\Users\Admin\AppData\Local\Temp\0254025b294133b4e71de66ad453e83f414ef6e5440f19e9017d26bc2ff2a2f1.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Compital=Get-Content 'C:\Users\Admin\AppData\Local\forbitrendes\engines\fiefdoms\Accompanying\Fernanda\Typebetegnelsers\Surrounder189\Vorticular.Mel';$Kissejag=$Compital.SubString(58507,3);.$Kissejag($Compital)"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3044

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \Users\Admin\AppData\Local\Temp\nst648F.tmp\nsExec.dll
          Filesize

          6KB

          MD5

          b55f7f1b17c39018910c23108f929082

          SHA1

          1601f1cc0d0d6bcf35799b7cd15550cd01556172

          SHA256

          c4c6fe032f3cd8b31528d7b99661f85ee22cb78746aee98ec568431d4f5043f7

          SHA512

          d652f2b09396ef7b9181996c4700b25840ceaa6c1c10080a55ce3db4c25d8d85f00a21e747f9d14a3374be4cdd4ea829a18d7de9b27b13b5e304447f3e9268fa

          Download Submit

        • memory/3044-12-0x0000000073660000-0x0000000073C0B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3044-13-0x0000000073660000-0x0000000073C0B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3044-14-0x0000000002730000-0x0000000002770000-memory.dmp

          Filesize

          256KB

          Download

        • memory/3044-15-0x0000000002730000-0x0000000002770000-memory.dmp

          Filesize

          256KB

          Download

        • memory/3044-16-0x0000000002730000-0x0000000002770000-memory.dmp

          Filesize

          256KB

          Download

        • memory/3044-17-0x0000000073660000-0x0000000073C0B000-memory.dmp

          Filesize

          5.7MB

          Download