3b0f3fe33e25fea18ac8fe33c561dcaa711dfb5f1e9fede573c7c1b76a5617cb

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b0f3fe33e25fea18ac8fe33c561dcaa711dfb5f1e9fede573c7c1b76a5617cb.exe
Size

476KB
MD5

992095bdc04df2604858b99e80c8d2ec
SHA1

d4004b6b5dacf8ece15f09e74ce7eb9b3cecc4d4
SHA256

3b0f3fe33e25fea18ac8fe33c561dcaa711dfb5f1e9fede573c7c1b76a5617cb
SHA512

3d96c6d499811e8aaf308660b71c1239c4998bbed6d7d4a1b29bf2c47434683286f954b30d569fef8d8512935212770b094b7bffea2714a7254cfe24866f2da4
SSDEEP

12288:8M2yMkxqt160wyP7at1BIHHgWuutYaNSohL:fMkxqtY0wztVutDhZ

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2776 powershell.exe
Loads dropped DLL 1 IoCs

Processes:

3b0f3fe33e25fea18ac8fe33c561dcaa711dfb5f1e9fede573c7c1b76a5617cb.exe

pid process

2348 3b0f3fe33e25fea18ac8fe33c561dcaa711dfb5f1e9fede573c7c1b76a5617cb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2776 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2776 powershell.exe

pid	process
2776	powershell.exe

pid	process
2348	3b0f3fe33e25fea18ac8fe33c561dcaa711dfb5f1e9fede573c7c1b76a5617cb.exe

pid	process
2776	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2776	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3b0f3fe33e25fea18ac8fe33c561dcaa711dfb5f1e9fede573c7c1b76a5617cb.exe

description	pid	process	target process
PID 2348 wrote to memory of 2776	2348	3b0f3fe33e25fea18ac8fe33c561dcaa711dfb5f1e9fede573c7c1b76a5617cb.exe	powershell.exe
PID 2348 wrote to memory of 2776	2348	3b0f3fe33e25fea18ac8fe33c561dcaa711dfb5f1e9fede573c7c1b76a5617cb.exe	powershell.exe
PID 2348 wrote to memory of 2776	2348	3b0f3fe33e25fea18ac8fe33c561dcaa711dfb5f1e9fede573c7c1b76a5617cb.exe	powershell.exe
PID 2348 wrote to memory of 2776	2348	3b0f3fe33e25fea18ac8fe33c561dcaa711dfb5f1e9fede573c7c1b76a5617cb.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\3b0f3fe33e25fea18ac8fe33c561dcaa711dfb5f1e9fede573c7c1b76a5617cb.exe
"C:\Users\Admin\AppData\Local\Temp\3b0f3fe33e25fea18ac8fe33c561dcaa711dfb5f1e9fede573c7c1b76a5617cb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Scaw=Get-Content 'C:\Users\Admin\AppData\Roaming\Grydeskeen146\sdfdsf\Adterminal\Navnerkke.Alk';$Gauzed=$Scaw.SubString(51560,3);.$Gauzed($Scaw)"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsiA1F.tmp\nsExec.dll

Filesize
6KB

MD5
ac0f93b2dec82e9579bff14c8572a6c8

SHA1
6460244317cbb77e342adb3561ec3acb496c84d5

SHA256
3aa8e0abadefea2de58281198acfe48713a1d5b43aea5619f563cea098e9fd34

SHA512
8055a6af150c45547927499f9cbf645d7f39c8e4f9caff4726fd711d2401abca01a79837095e5752b9f57b06446973ea6506796f2223bdb0179243d6e0575bd2

Download Submit
memory/2776-23-0x0000000073581000-0x0000000073582000-memory.dmp

Filesize
4KB

Download
memory/2776-24-0x0000000073580000-0x0000000073B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2776-26-0x0000000073580000-0x0000000073B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2776-25-0x0000000073580000-0x0000000073B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2776-27-0x0000000073580000-0x0000000073B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2776-28-0x0000000073580000-0x0000000073B2B000-memory.dmp

Filesize
5.7MB

Download