Overview

overview

8

Static

static

3

8ca8c891e9...e8.exe

windows7-x64

8

8ca8c891e9...e8.exe

windows10-2004-x64

8

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    132s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 01:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe

  • Size

    541KB

  • MD5

    93616677d7d1ebbfb979b905150bb3cd

  • SHA1

    87037c76bc789909d49fa81887ce8465436f3ca0

  • SHA256

    8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8

  • SHA512

    cc17b5c1266c01dd8bf1d2a5269e228a3389083eca13cc1352f6638ab72a95beecc4e3a7b29d892813eb1843b0bd8b207fa987ad6224dfab6b606167946b5595

  • SSDEEP

    12288:iH7MMIqb9BVAG8ITBF8qgvpnu1uo6c1yZODqCNtEplW8LmP:C7a69BVxh65K6+drGlW8LmP

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe
    "C:\Users\Admin\AppData\Local\Temp\8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4200
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Twiddly=Get-Content 'C:\Users\Admin\AppData\Local\nondefence\kledyrenes\mesoblastema\Samkrt.ska';$Careeristic=$Twiddly.SubString(52755,3);.$Careeristic($Twiddly)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
        3⤵
          PID:4452
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 2496
          3⤵
          • Program crash
          PID:468
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2292 -ip 2292
      1⤵
        PID:840

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mnzlxgnk.mhq.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nse440F.tmp\nsDialogs.dll
        Filesize

        9KB

        MD5

        1c8b2b40c642e8b5a5b3ff102796fb37

        SHA1

        3245f55afac50f775eb53fd6d14abb7fe523393d

        SHA256

        8780095aa2f49725388cddf00d79a74e85c9c4863b366f55c39c606a5fb8440c

        SHA512

        4ff2dc83f640933162ec8818bb1bf3b3be1183264750946a3d949d2e7068ee606277b6c840193ef2b4663952387f07f6ab12c84c4a11cae9a8de7bd4e7971c57

        Download Submit

      • C:\Users\Admin\AppData\Local\nondefence\kledyrenes\mesoblastema\Samkrt.ska
        Filesize

        51KB

        MD5

        afd9c594ed116f7cdfe6c432ce10ff17

        SHA1

        a685bf1da29f74b5c9ac802b51a6c5e75a888285

        SHA256

        4832ff867a3915d5958b2d072fc93076f940f654c04f6bba8c9f80b8ea789dfb

        SHA512

        05738b6c609f28615f8d7c6725885fd44fe54370f8880385dc5056ff0c37525e7add80747ae657ea0c45f40932ded22c6099122f9dc7ebdad14145f513722917

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\degum.lnk
        Filesize

        910B

        MD5

        969dfb558bff1b8f071a8870a55e3715

        SHA1

        07d310c5e16e6de13472d4cf7c75c8ce2546debf

        SHA256

        25d18a4a27cda281bded9cdd47f353f948f0a269ef520247ec565b0ddef419a8

        SHA512

        df086be6e10db73b1c93e76d1f697b710a9d8451741d2f1a79350ba28eefc655f806b3eaf0bf6fdda2e0ebb88a36f7f2376f62bdac2c21cc8095915f2f2962b5

        Download Submit

      • memory/2292-59-0x0000000073520000-0x0000000073CD0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2292-74-0x0000000005B60000-0x0000000005BAC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2292-60-0x00000000052B0000-0x00000000052D2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2292-62-0x00000000054C0000-0x0000000005526000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2292-61-0x0000000005450000-0x00000000054B6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2292-58-0x0000000004C20000-0x0000000005248000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2292-56-0x0000000002550000-0x0000000002586000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2292-72-0x0000000005630000-0x0000000005984000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2292-73-0x0000000005B20000-0x0000000005B3E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2292-57-0x0000000073520000-0x0000000073CD0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2292-75-0x0000000006B30000-0x0000000006BC6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2292-76-0x0000000006060000-0x000000000607A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2292-77-0x00000000060B0000-0x00000000060D2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2292-78-0x0000000007180000-0x0000000007724000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2292-55-0x000000007352E000-0x000000007352F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2292-80-0x0000000007DB0000-0x000000000842A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2292-82-0x0000000073520000-0x0000000073CD0000-memory.dmp

        Filesize

        7.7MB

        Download