Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 01:39
Static task
- static1
Behavioral tasks
- behavioral1: sample 74e64ac4e30e760332d456eb22f9c287a378653566cf4eac6278c4576c2d5cf9.exe, resource win7-20240508-en
- behavioral2: sample 74e64ac4e30e760332d456eb22f9c287a378653566cf4eac6278c4576c2d5cf9.exe, resource win10v2004-20240508-en
- behavioral3: sample Stningsstrukturers.ps1, resource win7-20231129-en
- behavioral4: sample Stningsstrukturers.ps1, resource win10v2004-20240426-en
General
- Target: 74e64ac4e30e760332d456eb22f9c287a378653566cf4eac6278c4576c2d5cf9.exe
- Size: 427KB
- MD5: 2ceb634eba1c56c9dcf5daa8c78ebc92
- SHA1: 8c101631d550b07502f5e077b33d4142d6323a5d
- SHA256: 74e64ac4e30e760332d456eb22f9c287a378653566cf4eac6278c4576c2d5cf9
- SHA512: 042d3249ae6863ff90caae3001258e80a3e92f9abc8dbfb1ac0eb48dfcef7c72686a677a70c554a2a620680319aba93058d22c71b306252530f51cb874131caa
- SSDEEP: 6144:W9X0GVlmkDWa5rfgmIOVXAk85ltRn8j7r85ugCDo4pr3WWPC1LiJ1Km9:Y02FCa5M2m5LRnKg5D4pr3WrMJ1Km9
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell with its display window hidden.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes:
    pid 2544 WerFault.exe, target pid 804 powershell.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes:
    pid 804 powershell.exe (7 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege, pid 804 powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 4472 (74e64ac4e30e760332d456eb22f9c287a378653566cf4eac6278c4576c2d5cf9.exe) wrote to memory of PID 804 (powershell.exe), 3 events
    PID 804 (powershell.exe) wrote to memory of PID 4804 (cmd.exe), 3 events
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\74e64ac4e30e760332d456eb22f9c287a378653566cf4eac6278c4576c2d5cf9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\74e64ac4e30e760332d456eb22f9c287a378653566cf4eac6278c4576c2d5cf9.exe"
  PID: 4472
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Undertrykt=Get-Content 'C:\Users\Admin\AppData\Local\Temp\rumfangsformlers\mettemaries\Stningsstrukturers.Rec';$Sludrehoved=$Undertrykt.SubString(60222,3);.$Sludrehoved($Undertrykt)"
    PID: 804
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      PID: 4804
    - [3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 2772
      PID: 2544
      Signatures: Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 804 -ip 804
  PID: 2188
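The PowerShell command line for PID 804 is the interesting artifact in this tree: it reads a file with a non-script extension (.Rec) into a variable, carves a 3-character token out of it at a fixed offset with SubString(60222,3), and then executes that token as a command with the dot call operator, passing the whole file content as the argument. Nothing in the command line names the command that runs; the name lives only inside the dropped file, which defeats keyword matching on "Invoke-Expression" or "iex" in process-creation logs. The report also records PID 804 crashing (WerFault -p 804), so whatever the carved command executed afterwards is not visible here. The script below is an added example, not part of the sandbox report: it runs a detection over the recorded command line, extracts the pieces a responder would pivot on (payload path, carve offset and length, the variable that becomes the command), and emulates the SubString carve against a constructed stand-in blob. The blob and the "iex" token in it are assumptions for illustration; the real Stningsstrukturers.Rec content is not in the report.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# PowerShell command line recorded for PID 804 in the report above (copied verbatim).
SAMPLE_CMDLINE = (
    '"powershell.exe" -windowstyle hidden "$Undertrykt=Get-Content '
    "'C:\\Users\\Admin\\AppData\\Local\\Temp\\rumfangsformlers\\mettemaries\\Stningsstrukturers.Rec';"
    '$Sludrehoved=$Undertrykt.SubString(60222,3);.$Sludrehoved($Undertrykt)"'
)

# Extensions PowerShell normally executes; a script body read from anything else is suspicious.
SCRIPT_EXTENSIONS = {".ps1", ".psm1", ".psd1"}

# -WindowStyle accepts any unambiguous prefix (-w, -win, -windowstyle ...), so match loosely.
RE_HIDDEN = re.compile(r"-w[a-z]*\s+hidden", re.I)
# Get-Content and its aliases reading a single-quoted path into the pipeline.
RE_READ = re.compile(r"\b(?:Get-Content|gc|cat|type)\s+(?:-Path\s+)?'([^']+)'", re.I)
# $cmd = $content.SubString(offset, length)
RE_SUBSTRING = re.compile(r"\$(\w+)\s*=\s*\$(\w+)\.SubString\(\s*(\d+)\s*,\s*(\d+)\s*\)", re.I)
# . $cmd(  or  & $cmd(  : a variable's value used as the command name.
RE_INVOKE = re.compile(r"[.&]\s*\$(\w+)\s*\(")


@dataclass
class Finding:
    hidden_window: bool = False
    payload_path: Optional[str] = None
    content_variable: Optional[str] = None
    command_variable: Optional[str] = None
    carve_offset: Optional[int] = None
    carve_length: Optional[int] = None
    indicators: List[str] = field(default_factory=list)


def analyze_powershell_cmdline(cmdline: str) -> Finding:
    """Extract loader-style indicators from one powershell.exe command line."""
    f = Finding()
    f.hidden_window = RE_HIDDEN.search(cmdline) is not None
    if f.hidden_window:
        f.indicators.append("hidden window (-windowstyle hidden)")

    m = RE_READ.search(cmdline)
    if m:
        f.payload_path = m.group(1)
        ext = ntpath.splitext(f.payload_path)[1].lower()
        if ext not in SCRIPT_EXTENSIONS:
            f.indicators.append(f"script body read from non-script file ({ext or 'no extension'})")

    m = RE_SUBSTRING.search(cmdline)
    if m:
        f.command_variable, f.content_variable = m.group(1), m.group(2)
        f.carve_offset, f.carve_length = int(m.group(3)), int(m.group(4))

    m = RE_INVOKE.search(cmdline)
    if m and f.command_variable is not None and m.group(1) == f.command_variable:
        f.indicators.append(
            f"command name carved from file content at offset {f.carve_offset} "
            f"({f.carve_length} chars) and dot-invoked with the content as argument"
        )
    return f


def carve_command(blob: str, offset: int, length: int) -> str:
    """Emulate $content.SubString(offset, length): the token the loader executes."""
    return blob[offset:offset + length]


# Constructed stand-in for Stningsstrukturers.Rec; the real file is not in the report.
# Assumption: the carved token is a short alias such as "iex" (Invoke-Expression). A single
# long line is used because Get-Content without -Raw only yields one string (with a
# .SubString method) when the file has exactly one line.
CONSTRUCTED_BLOB = "#" * 60222 + "iex" + " " + "#" * 64


if __name__ == "__main__":
    finding = analyze_powershell_cmdline(SAMPLE_CMDLINE)
    for indicator in finding.indicators:
        print("[!]", indicator)
    print("payload:", finding.payload_path)
    token = carve_command(CONSTRUCTED_BLOB, finding.carve_offset, finding.carve_length)
    print("carved token from constructed blob:", token)
```

Two points follow from the extraction. First, the detection keys on structure (read file, SubString into a variable, variable used as the command), not on any command name, because the name never appears on the command line. Second, the carve offset tells you where to look in the dropped file: once Stningsstrukturers.Rec is recovered from the sandbox, the three bytes at offset 60222 identify the command that consumed the rest of the file, and the file itself is the second stage to analyse. The report's Downloads section lists two dropped files by hash only, so which of them is the .Rec file cannot be determined from this page.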
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 58KB
  MD5: dd200d8c3c09458738a4ee7d421a891b
  SHA1: 5821db55a8a2e95c67411c18893530d9c3cd47c6
  SHA256: 0e5ad13c4627a6fcb258cbcf2e67bde5ac0f66b8e85291ba05dacc5021eeb4df
  SHA512: a2faef0cb547f0ee91ca5b45893300fc18943d1389f593bf2b58f557d8e85f7346e55be8a592c87e6e32dc98f9d568a05e59cc7d93b9288391c0465b6a68f39d