Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
23-05-2024 02:02
Static task
static1
Behavioral task
behavioral1
Sample
c90ceb7aa59148b1da8a27b97c51b557d24f7cb84d344a1820abc70fb43e0e20.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c90ceb7aa59148b1da8a27b97c51b557d24f7cb84d344a1820abc70fb43e0e20.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240426-en
General
-
Target
c90ceb7aa59148b1da8a27b97c51b557d24f7cb84d344a1820abc70fb43e0e20.exe
-
Size
468KB
-
MD5
b1555e040ed35043ee177401d1f2c4c2
-
SHA1
b393093f0c93b8209ba42929c8099bee099c1fb6
-
SHA256
c90ceb7aa59148b1da8a27b97c51b557d24f7cb84d344a1820abc70fb43e0e20
-
SHA512
77cfce8d39219f2f93bbc495a69b73cb0656b32f27de392e0b91ac47cb5d028defabd6e8d4e3e8849500e13b30a59931428199b49e0d2393d5529929518742ea
-
SSDEEP
12288:5M2y21Low+fOwXEBfBsguZ0iYvdl0pBiOMGoht:YWoXfOwXEBruZ0vUyBzb
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Loads dropped DLL 1 IoCs
Processes:
c90ceb7aa59148b1da8a27b97c51b557d24f7cb84d344a1820abc70fb43e0e20.exepid process 2868 c90ceb7aa59148b1da8a27b97c51b557d24f7cb84d344a1820abc70fb43e0e20.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 2588 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2588 powershell.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
c90ceb7aa59148b1da8a27b97c51b557d24f7cb84d344a1820abc70fb43e0e20.exedescription pid process target process PID 2868 wrote to memory of 2588 2868 c90ceb7aa59148b1da8a27b97c51b557d24f7cb84d344a1820abc70fb43e0e20.exe powershell.exe PID 2868 wrote to memory of 2588 2868 c90ceb7aa59148b1da8a27b97c51b557d24f7cb84d344a1820abc70fb43e0e20.exe powershell.exe PID 2868 wrote to memory of 2588 2868 c90ceb7aa59148b1da8a27b97c51b557d24f7cb84d344a1820abc70fb43e0e20.exe powershell.exe PID 2868 wrote to memory of 2588 2868 c90ceb7aa59148b1da8a27b97c51b557d24f7cb84d344a1820abc70fb43e0e20.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c90ceb7aa59148b1da8a27b97c51b557d24f7cb84d344a1820abc70fb43e0e20.exe"C:\Users\Admin\AppData\Local\Temp\c90ceb7aa59148b1da8a27b97c51b557d24f7cb84d344a1820abc70fb43e0e20.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle hidden "$Tand=Get-Content 'C:\Users\Admin\AppData\Roaming\Grydeskeen146\sdfdsf\Laxate.Mej';$Pultens=$Tand.SubString(52185,3);.$Pultens($Tand)"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsd2A9A.tmp\nsExec.dllFilesize
6KB
MD5ac0f93b2dec82e9579bff14c8572a6c8
SHA16460244317cbb77e342adb3561ec3acb496c84d5
SHA2563aa8e0abadefea2de58281198acfe48713a1d5b43aea5619f563cea098e9fd34
SHA5128055a6af150c45547927499f9cbf645d7f39c8e4f9caff4726fd711d2401abca01a79837095e5752b9f57b06446973ea6506796f2223bdb0179243d6e0575bd2
-
memory/2588-23-0x0000000073D11000-0x0000000073D12000-memory.dmpFilesize
4KB
-
memory/2588-24-0x0000000073D10000-0x00000000742BB000-memory.dmpFilesize
5.7MB
-
memory/2588-26-0x0000000073D10000-0x00000000742BB000-memory.dmpFilesize
5.7MB
-
memory/2588-25-0x0000000073D10000-0x00000000742BB000-memory.dmpFilesize
5.7MB
-
memory/2588-27-0x0000000073D10000-0x00000000742BB000-memory.dmpFilesize
5.7MB