b28544713d74e229e251d11b415a48e118c75015a520f16c21005e4d78a22d5f

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024041342836038.exe
Size

785KB
MD5

2c430d35e36d912bda726e384615c0e7
SHA1

84793fbd7b355eae708f3fbb654b6f67c468effb
SHA256

c5e3dc39412f2f8efb97c3c6bcdc235727caf646ee2ac7c23e77c11ce0783e15
SHA512

5fe11156b4c016272941a92deb0ceacc0db13677bc14e2353b118fe9fcb58f7f2f609dd776f5cee2e99b4e7ad29b7dcc0fc183ceb9addf26c0348b2be87caca1
SSDEEP

12288:TOyBItc6c4ASOSjM0rp7Z3lYFNiooPsND1kz7FgCa2+mSP2iYZ367TCIhhDu:5W2zuOSjrrpxG9oETe7iCa2LUnCyh

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 64 IoCs

pid	Process
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe
2656	2024041342836038.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1988	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 1988	2656	2024041342836038.exe	28
PID 2656 wrote to memory of 1988	2656	2024041342836038.exe	28
PID 2656 wrote to memory of 1988	2656	2024041342836038.exe	28
PID 2656 wrote to memory of 1988	2656	2024041342836038.exe	28

C:\Users\Admin\AppData\Local\Temp\2024041342836038.exe
"C:\Users\Admin\AppData\Local\Temp\2024041342836038.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Mantegar198=Get-Content 'C:\Users\Admin\AppData\Local\adenomyoma\Wheateared215\Warrantably\Sumless\Estragon\proctorrhaphy\Mukkerts\Cadaverousness.Ove';$Agaces=$Mantegar198.SubString(17941,3);.$Agaces($Mantegar198)"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy8019.tmp\nsExec.dll

Filesize
6KB

MD5
3eb4cd50dcb9f5981f5408578cb7fb70

SHA1
13b38cc104ba6ee22dc4dfa6e480e36587f4bc71

SHA256
1c2f19e57dc72587aa00800a498c5f581b7d6761dc13b24bcf287ea7bd5ca2bf

SHA512
5a0c9d28df7a77e157046dce876282c48f434a441ee34e12b88f55be31be536eff676f580adbe4586da3f1519f94b5793ccbb3068b4b009eee286c0c5135d324

Download Submit
C:\Users\Admin\AppData\Local\Temp\uterology.lnk

Filesize
906B

MD5
01dc2e9b28d64ae655258010dc53b1cb

SHA1
81469a5b15fa23ecced6b0aca7e18ed0f783da88

SHA256
486440df73b9dd29f56fbf424ae2dade8bd21bc427915d3454467581f61436fb

SHA512
58ffc449cba4a0c0430076f4b144982586bafe1e178bce63959bf49f9db4814c92b3fd82aa9b6938ffb341fd40c9fe52ba18fde3e0a780094788533f7579f857

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8019.tmp\AdvSplash.dll

Filesize
5KB

MD5
a5fd5bb479150881ed350f9fa758bb15

SHA1
ffa55bb6a77fca54eccfc1badc872ebde69b67be

SHA256
f4b7bd6ffc472858b786635fc3d2c053025c6ef8e121894785a2f997ad76e16b

SHA512
d0b4d17dc35253f6b355bfd8910123196f91711a19f888c12b997a84a8025b1bc7ed9913278191c361f7a268924f369877f2d068b8d6a889174a866c5d0c1e12

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8019.tmp\UserInfo.dll

Filesize
4KB

MD5
5cf209df87b3c5e455b5b2b326438ad9

SHA1
47e8dc726c0a49c0b53a1fba4e03af4bccda003a

SHA256
b665b4fd4c9de7a4ee54c720f5b607ca0744c9c69990a741428b469388862f29

SHA512
48e71c3a463e59cd7367be708d4e964a6f766ea7258e3088cef7a6550ed34223967e552f3c2d22719dcd86752b5ba165cc54a78a90be44f6725a26dde15d820a

Download Submit
memory/1988-695-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download
memory/1988-696-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download
memory/1988-697-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/1988-698-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/1988-699-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/1988-700-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download