0592f3c0aefd0c3a98c03e60a82f34b42aa819cba01e807ea5483f51e1ca95a1

Analysis

max time kernel
0s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-06-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0592f3c0aefd0c3a98c03e60a82f34b42aa819cba01e807ea5483f51e1ca95a1.exe
Size

853KB
MD5

932cda18144ec48b9a01628d23ee95ac
SHA1

26ee7363940159b7efdae3363fbb2d439aca38c5
SHA256

0592f3c0aefd0c3a98c03e60a82f34b42aa819cba01e807ea5483f51e1ca95a1
SHA512

a8d0d5a9c8f8dc9d4eb6a1ae424c64bbe2e89d069c8e87951af3088fb444a43ebb114ad4bf7c6cd78f1b9edf5f07a648b8b779f66ce0f5fa41454be784169408
SSDEEP

12288:0cAw7NoOv8yh1Rz4vXGS4CzkYWeXrn6CKOyFQox8rV5olKVZ:0Uv8M1Rz4vXGSTKe0OSE5os

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2648	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2648	1952	0592f3c0aefd0c3a98c03e60a82f34b42aa819cba01e807ea5483f51e1ca95a1.exe	28
PID 1952 wrote to memory of 2648	1952	0592f3c0aefd0c3a98c03e60a82f34b42aa819cba01e807ea5483f51e1ca95a1.exe	28
PID 1952 wrote to memory of 2648	1952	0592f3c0aefd0c3a98c03e60a82f34b42aa819cba01e807ea5483f51e1ca95a1.exe	28
PID 1952 wrote to memory of 2648	1952	0592f3c0aefd0c3a98c03e60a82f34b42aa819cba01e807ea5483f51e1ca95a1.exe	28

C:\Users\Admin\AppData\Local\Temp\0592f3c0aefd0c3a98c03e60a82f34b42aa819cba01e807ea5483f51e1ca95a1.exe
"C:\Users\Admin\AppData\Local\Temp\0592f3c0aefd0c3a98c03e60a82f34b42aa819cba01e807ea5483f51e1ca95a1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Chalazogamic=cat 'C:\Users\Admin\AppData\Local\Temp\Landsforrderes\Seminaked.sun';$thickeners=$Chalazogamic.substring(35603,3);.$thickeners($Chalazogamic)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
    3⤵
    PID:2748
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Landsforrderes\Herlighedsvrdierne.Aff

Filesize
331KB

MD5
f6f49b51507910f76d701de5db2aa07d

SHA1
f505e29b7b1cd5a11b22f75843cbb1d72d4b3d2c

SHA256
58d85dd76ddcc6da09c19d5282d0e4cae90e867e6f97e30784bfb77139d05993

SHA512
e1e0534b2fed62343dfb047e448f683dfec36e91c9ce64e3cfabb182e5521f9fc97536cffe2a4029cf1f71c2772efb4051e8c46ac4823a05ba3472e54682d962

Download Submit
C:\Users\Admin\AppData\Local\Temp\Landsforrderes\Seminaked.sun

Filesize
79KB

MD5
ffb7ae398316f789c2672e3fd468b16d

SHA1
ad6db0479fc7463d6e1516afb2aace1f4d8504b9

SHA256
41c742e2f1b4bca42df28606dd55ea9a056b549b46a25b7cfaddb1974db2a238

SHA512
48fddf98988c2adfbf65a91ee93248021cfdf676d75258c945a3ab06e5b836241337425f019d19593123ab50bf2bb8b55b16b785f7479bea01bd04ba152b9afb

Download Submit
memory/2516-19-0x0000000000900000-0x0000000001962000-memory.dmp

Filesize
16.4MB

Download
memory/2648-10-0x0000000073EA1000-0x0000000073EA2000-memory.dmp

Filesize
4KB

Download
memory/2648-11-0x0000000073EA0000-0x000000007444B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-13-0x0000000073EA0000-0x000000007444B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-12-0x0000000073EA0000-0x000000007444B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-14-0x0000000073EA0000-0x000000007444B000-memory.dmp

Filesize
5.7MB

Download
memory/2648-17-0x0000000006570000-0x000000000A986000-memory.dmp

Filesize
68.1MB

Download
memory/2648-18-0x0000000073EA0000-0x000000007444B000-memory.dmp

Filesize
5.7MB

Download