Analysis
- max time kernel: 145s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 02:07
Static task: static1
Behavioral task: behavioral1
  Sample: MSK872314.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: MSK872314.exe
  Resource: win10v2004-20240508-en
General
- Target: MSK872314.exe
- Size: 630KB
- MD5: 397c71ddf48527dc363407c2dc6382fd
- SHA1: 8d309abbd3842e15778dad790e3bb36371060eab
- SHA256: fd2ed2817b36ad04fda64c952b1a38e9a4cee86a247d0a7e9dfea5bab81b2e82
- SHA512: a5b4bf00e115c99a2433ebf7f91ea7fc12e6c5a6f06d049d89b9027b29bba769ec51d3ace6a1671595d685db7e74e458cb75e39fe8c1abb9533ae19d0c308a46
- SSDEEP: 12288:jgSUrka1W50Dt/RtlieB6TxOL0w83/ImkT4bdxrVZ4PBiFeAUVABi+ksSj:hfaQ50DljNNow83gkbTBSYUK/ksSj
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell and hide display window.
- Drops file in Program Files directory (2 IoCs)
  Processes: MSK872314.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Common Files\firbens\psycholeptic.ini | MSK872314.exe
  File opened for modification | C:\Program Files (x86)\Common Files\boltholes.obl | MSK872314.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  4692 | 4300 | WerFault.exe | powershell.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: powershell.exe
  pid | process
  4300 | powershell.exe (10 identical rows, one per IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 4300 | powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: MSK872314.exe, powershell.exe
  description | pid | process | target process
  PID 2312 wrote to memory of 4300 | 2312 | MSK872314.exe | powershell.exe (3 identical rows)
  PID 4300 wrote to memory of 648 | 4300 | powershell.exe | cmd.exe (3 identical rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\MSK872314.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MSK872314.exe"
  PID: 2312
  Signatures: Drops file in Program Files directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Forretningsforbindelserne=Get-Content 'C:\Users\Admin\AppData\Local\Bridgebuilding\oralizes\indart\Insider\Pigout.Smr';$Sheetwise=$Forretningsforbindelserne.SubString(50997,3);.$Sheetwise($Forretningsforbindelserne)"
    PID: 4300
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
      PID: 648
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 2280
      PID: 4692
      Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4300 -ip 4300
  PID: 1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3976,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
  PID: 3292
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 49KB
  MD5: 5b666f06cc1e9de33f4f56e415241506
  SHA1: 8253f4854a516d91f9ac7189d108cfe2822f5a2b
  SHA256: 9c121e08561368b3fabba2fef46f73a398fd27b54ae7a9b511d1e782cd50dfef
  SHA512: e2f444a080037474a69ecdff6545638a0a173a3e7230046f4e0a3b659511516806d13c406267d570d7b2006d7e9efbb91b8fbc02996d9ee31ffa801b5e7027f9
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82