Overview

overview

8

Static

static

3

I_DEC.exe

windows7-x64

5

I_DEC.exe

windows10-2004-x64

4

Fiskeekspo...ne.ps1

windows7-x64

8

Fiskeekspo...ne.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25/03/2024, 13:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    I_DEC.exe

  • Size

    683KB

  • MD5

    ecc6e9e230bcf7b188a046d8e6de9393

  • SHA1

    e3077691c911ecfbd1770515d0056b6c6f772ceb

  • SHA256

    f2684f314bd809180a5eab027fbe1e4fd685835770fb725cf6b03def71b5b732

  • SHA512

    574441e32503a25ce690dcded7bfd6e61c62f32b7194c95f0377036a4acaa235323f10979d876a4666e6450307bd3972c06fe83c8a9d63b3a726156aa84e9b6e

  • SSDEEP

    12288:FLTA8PHO5mU0It61O4Rc8xvbHje3mgSSBwlemT1vDfrYI3b:9TA8PO5mU161PFxvbS7w9p

Score
5/10

Malware Config

Signatures

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\I_DEC.exe
    "C:\Users\Admin\AppData\Local\Temp\I_DEC.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -windowstyle hidden "$Nonadmissions=Get-Content 'C:\Users\Admin\AppData\Roaming\enomaniac\Fiskeeksporter\Lavningerne.All';$Adfrdsnormens=$Nonadmissions.SubString(57855,3);.$Adfrdsnormens($Nonadmissions)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
        3⤵
          PID:2972
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          PID:2800

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\enomaniac\Fiskeeksporter\Lavningerne.All
      Filesize

      56KB

      MD5

      feae65ac76325264935f2c0be1a41bf0

      SHA1

      4a2cb34f83548a7d646efc2236d3e5aa8980a444

      SHA256

      07543ac009938836ac7e42d5cd163ac76f6616699ef68869497b3689265a85db

      SHA512

      189dbc8dd4a7df1c9f4de33b7808e78eaacc837d663d39dd3c748933071e33e0e996d4eb2241b83c94009df04aa0ccda9e1940165c1c1e979fd95d460bccd3ae

      Download Submit

    • C:\Users\Admin\AppData\Roaming\enomaniac\Fiskeeksporter\Sludrede.Ant
      Filesize

      336KB

      MD5

      09831adda0ad50be124381d5a4cf07ef

      SHA1

      64515a9e2378e73e512fc6ff2ad9695b033533d2

      SHA256

      691d2bd85f0d441c5fdb2fa00a185494e11bea0b05b8fe88bafbd1fb6fc24006

      SHA512

      27b7d2c70052bb5c62faeceb0699dee6ec78ec668d4041f9ebc4c6184166b3c83e94bd46d7ca7d7527ac43e60f7c598744a3692da177caa1223c138f87a38e65

      Download Submit

    • memory/2800-72-0x0000000000940000-0x00000000019A2000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/2800-71-0x0000000077720000-0x00000000777F6000-memory.dmp

      Filesize

      856KB

      Download

    • memory/2800-70-0x0000000077756000-0x0000000077757000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2800-69-0x0000000077530000-0x00000000776D9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2852-64-0x00000000064E0000-0x000000000A41C000-memory.dmp

      Filesize

      63.2MB

      Download

    • memory/2852-63-0x0000000005560000-0x0000000005564000-memory.dmp

      Filesize

      16KB

      Download

    • memory/2852-55-0x0000000073EC0000-0x000000007446B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2852-65-0x0000000077530000-0x00000000776D9000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2852-66-0x0000000073EC0000-0x000000007446B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2852-67-0x0000000077720000-0x00000000777F6000-memory.dmp

      Filesize

      856KB

      Download

    • memory/2852-68-0x0000000002C80000-0x0000000002CC0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2852-61-0x0000000002C80000-0x0000000002CC0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2852-57-0x0000000073EC0000-0x000000007446B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2852-58-0x0000000002C80000-0x0000000002CC0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2852-56-0x0000000002C80000-0x0000000002CC0000-memory.dmp

      Filesize

      256KB

      Download