Overview

overview

8

Static

static

3

dd2d5f3f85...4f.exe

windows7-x64

8

dd2d5f3f85...4f.exe

windows10-2004-x64

8

$PLUGINSDI...ge.dll

windows7-x64

1

$PLUGINSDI...ge.dll

windows10-2004-x64

1

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    91s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/06/2024, 01:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    dd2d5f3f85924ec11cbd69da21bd0b25c5c8034aad3d9490c96e39f20b966d4f.exe

  • Size

    804KB

  • MD5

    cd7b7957361fccb2ca14ca9f418d84dd

  • SHA1

    fc26816adb2539b4994cece2d8fb64cb597e93e2

  • SHA256

    dd2d5f3f85924ec11cbd69da21bd0b25c5c8034aad3d9490c96e39f20b966d4f

  • SHA512

    d1ce9d1000e9000e1fd22455f90ed4f5f145a3796085855d78d6f9dd5359fde9cf23829665102487096ca7297189a31a498345e232846a5085b78470f29ff254

  • SSDEEP

    12288:nY4e3nd13Ic3+qGBIhP8PBujhleocbosx8:je3nYcudZPojhl5c0c8

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd2d5f3f85924ec11cbd69da21bd0b25c5c8034aad3d9490c96e39f20b966d4f.exe
    "C:\Users\Admin\AppData\Local\Temp\dd2d5f3f85924ec11cbd69da21bd0b25c5c8034aad3d9490c96e39f20b966d4f.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$butyne=Get-Content 'C:\Users\Admin\AppData\Roaming\askefllesgrave\restsaldos\ferskenblde\Jactitating.Kol';$Decanting=$butyne.SubString(54826,3);.$Decanting($butyne)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4232
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
        3⤵
          PID:3532
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 2640
          3⤵
          • Program crash
          PID:4308
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4232 -ip 4232
      1⤵
        PID:4952

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0lullfn0.vds.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\nsj5218.tmp\BgImage.dll
              Filesize

              7KB

              MD5

              ee255bdf426349e1caa8f1b71de9fd22

              SHA1

              d589773826620046df1d77dd148f819a88dd35ec

              SHA256

              a45f294137e2b0f6092eee8fdd2e19334f34ff3640d865a810b70f2104e92c21

              SHA512

              71eeb41b5816b7d0f9517264aaf026da878561b6a222064c8100e47c383de9ac369800b734468322f3a6fc3eedb1a23d3c5ca6874bd7bf84af08f395248872cc

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\nsj5218.tmp\nsDialogs.dll
              Filesize

              9KB

              MD5

              dbdbf4017ff91c9de328697b5fd2e10a

              SHA1

              b597a5e9a8a0b252770933feed51169b5060a09f

              SHA256

              be60a00f32924ccbe03f9914e33b8e1ad8c8a1ca442263a69896efba74925b36

              SHA512

              3befc15aab0a5dbe7fde96155b0499d385f2799b1a2d47ce04f37b5804006b1c6c4fff93d3cedb56a2a8172b23752b6f9dc6168cfce3596b91def3247836cf10

              Download Submit

            • C:\Users\Admin\AppData\Roaming\askefllesgrave\restsaldos\ferskenblde\Jactitating.Kol
              Filesize

              53KB

              MD5

              1045c45ef66b1691177c61f20870664d

              SHA1

              0e0244e2d6bcd8b1550ad3cde850ee088faf6ffa

              SHA256

              fc7bd408efe714d9101d50e43be49fa2027513a9fdf4c2a0d0e6ab2a93c361fa

              SHA512

              fa62dc4f9d00ddb1690eb6d6ef8dabdfafcf56821205fb55fd1c244590570b278a151cbe7c10853d389d1b32acdd85fb07b146901219c95f60ae42fb1aa5a8ba

              Download Submit

            • memory/4232-32-0x0000000073580000-0x0000000073D30000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4232-47-0x0000000005E80000-0x0000000005E9E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4232-33-0x0000000073580000-0x0000000073D30000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4232-34-0x0000000004EE0000-0x0000000004F02000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4232-36-0x0000000005830000-0x0000000005896000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4232-35-0x00000000057C0000-0x0000000005826000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4232-30-0x00000000048F0000-0x0000000004926000-memory.dmp

              Filesize

              216KB

              Download

            • memory/4232-46-0x00000000058A0000-0x0000000005BF4000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/4232-48-0x0000000005ED0000-0x0000000005F1C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4232-31-0x0000000004F60000-0x0000000005588000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4232-51-0x0000000006FC0000-0x0000000006FE2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4232-50-0x0000000006F70000-0x0000000006F8A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4232-49-0x0000000006FF0000-0x0000000007086000-memory.dmp

              Filesize

              600KB

              Download

            • memory/4232-52-0x0000000007640000-0x0000000007BE4000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/4232-29-0x000000007358E000-0x000000007358F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4232-54-0x0000000008270000-0x00000000088EA000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/4232-56-0x0000000073580000-0x0000000073D30000-memory.dmp

              Filesize

              7.7MB

              Download