Overview

overview

10

Static

static

10

01d63645f4...e3.exe

windows7-x64

9

01d63645f4...e3.exe

windows10-2004-x64

10

14bae02cc3...0e.exe

windows7-x64

10

14bae02cc3...0e.exe

windows10-2004-x64

8

TNT Origin...ce.exe

windows7-x64

10

TNT Origin...ce.exe

windows10-2004-x64

10

402ff605d7...97.exe

windows7-x64

10

402ff605d7...97.exe

windows10-2004-x64

10

4d0dfae91f...bf.exe

windows7-x64

7

4d0dfae91f...bf.exe

windows10-2004-x64

7

5401a3332d...8e.exe

windows7-x64

10

5401a3332d...8e.exe

windows10-2004-x64

10

Autoit3.exe

windows7-x64

3

Autoit3.exe

windows10-2004-x64

3

6cfe745f03...d2.exe

windows7-x64

10

6cfe745f03...d2.exe

windows10-2004-x64

10

90f19e1a78...ef.exe

windows7-x64

7

90f19e1a78...ef.exe

windows10-2004-x64

1

a3eeef65c4...4.xlsx

windows7-x64

1

a3eeef65c4...4.xlsx

windows10-2004-x64

1

a71829e150...e5.exe

windows7-x64

7

a71829e150...e5.exe

windows10-2004-x64

7

db58eb7713...c4.exe

windows7-x64

10

db58eb7713...c4.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    103s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-05-2024 14:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e.exe

  • Size

    615KB

  • MD5

    174dcf32138060240e094f9faefecfc5

  • SHA1

    0b271c152cfda5ba57273967d8729f9cd755aa12

  • SHA256

    14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e

  • SHA512

    f63c8bae8020d359f61e7d09af25ae5cace4225fcaf492518ad64ce87886eb29aba27122a2dfbfe330d0b344e974215daf0f9e698cf2c2f621a804f5fa68874a

  • SSDEEP

    12288:/XWG6OT+LTOaWT9N4XhgggCwulapByjZhO838sSuEloIkxFA:/XWsTmWT9N4xgghblapB2hz8sSuEoIz

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e.exe
    "C:\Users\Admin\AppData\Local\Temp\14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Retstillingers=Get-Content 'C:\Users\Admin\AppData\Roaming\illuminatus\sadeltasker\jungermanniaceae\Upgather\Vektoriel.Eks';$Disengagering=$Retstillingers.SubString(32120,3);.$Disengagering($Retstillingers)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
        3⤵
          PID:2728
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 2136
          3⤵
          • Program crash
          PID:2272
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1924 -ip 1924
      1⤵
        PID:1328

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o5eox0oo.usu.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • C:\Users\Admin\AppData\Roaming\illuminatus\sadeltasker\jungermanniaceae\Upgather\Vektoriel.Eks
        Filesize

        50KB

        MD5

        5333a87a8aa86ef14e3cefc2162de69e

        SHA1

        2dbb497de16ff8a4d855e53c33cb56d62b6dcd81

        SHA256

        4ce60f9464a4737ebc1ae2dd8b98653c410193a28896f1d1110fc0173a395d56

        SHA512

        d9ead59794ccc243cccb13d6c11aea90ea402451d38c012ffb10a41fa7ff35f3f24582ad34318dacbce5af7f1480c8a016fdba82efe77522e22181c534ee5221

        Download Submit
      • memory/1924-23-0x0000000073C90000-0x0000000074440000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/1924-38-0x0000000006010000-0x000000000605C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/1924-19-0x0000000073C9E000-0x0000000073C9F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1924-24-0x0000000005740000-0x0000000005762000-memory.dmp
        Filesize

        136KB

        Download
      • memory/1924-25-0x00000000058E0000-0x0000000005946000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1924-31-0x00000000059C0000-0x0000000005A26000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1924-21-0x0000000073C90000-0x0000000074440000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/1924-32-0x0000000005A30000-0x0000000005D84000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/1924-37-0x0000000005FE0000-0x0000000005FFE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/1924-22-0x0000000005110000-0x0000000005738000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/1924-39-0x0000000006540000-0x00000000065D6000-memory.dmp
        Filesize

        600KB

        Download
      • memory/1924-40-0x00000000064F0000-0x000000000650A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/1924-41-0x00000000071A0000-0x00000000071C2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/1924-42-0x0000000007780000-0x0000000007D24000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/1924-20-0x0000000004A10000-0x0000000004A46000-memory.dmp
        Filesize

        216KB

        Download
      • memory/1924-44-0x00000000083B0000-0x0000000008A2A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/1924-46-0x0000000073C90000-0x0000000074440000-memory.dmp
        Filesize

        7.7MB

        Download