91688e46b195ea7475b0caedb2b18613342883cbd29886628ef12a76f621e988

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ödeme Onayı Kopyası.exe
Size

921KB
MD5

d2c7ccf7ade1dd9cfe1fdbd518a13f6e
SHA1

d230fd8d0794cd3515c5bc95f1d2fcd16b0e4fb3
SHA256

91688e46b195ea7475b0caedb2b18613342883cbd29886628ef12a76f621e988
SHA512

f145c8426b5c4bf8d43fc20fea6fc481670e0006de84c70b2b2865c5fb83abb2cb0a58a44860c44ef2321778528fe3b9c2e931bc248e3fb4ebc6ec68a2928ce0
SSDEEP

24576:0wIC9jSMMMMMHLMMMMMMMMMMMMMo4H4I96u45SObZoo3c5lESaUnrRbzIWW:hIC9jSMMMMMHLMMMMMMMMMMMMMFsFdbx

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2376	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
2376	powershell.exe
2512	Spartlerne.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2376	powershell.exe
2512	Spartlerne.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2376 set thread context of 2512	2376	powershell.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2376	powershell.exe
2376	powershell.exe
2376	powershell.exe
2376	powershell.exe
2376	powershell.exe
2376	powershell.exe
2376	powershell.exe
2376	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2376	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2376	2240	Ödeme Onayı Kopyası.exe	28
PID 2240 wrote to memory of 2376	2240	Ödeme Onayı Kopyası.exe	28
PID 2240 wrote to memory of 2376	2240	Ödeme Onayı Kopyası.exe	28
PID 2240 wrote to memory of 2376	2240	Ödeme Onayı Kopyası.exe	28
PID 2376 wrote to memory of 2724	2376	powershell.exe	30
PID 2376 wrote to memory of 2724	2376	powershell.exe	30
PID 2376 wrote to memory of 2724	2376	powershell.exe	30
PID 2376 wrote to memory of 2724	2376	powershell.exe	30
PID 2376 wrote to memory of 2512	2376	powershell.exe	32
PID 2376 wrote to memory of 2512	2376	powershell.exe	32
PID 2376 wrote to memory of 2512	2376	powershell.exe	32
PID 2376 wrote to memory of 2512	2376	powershell.exe	32
PID 2376 wrote to memory of 2512	2376	powershell.exe	32
PID 2376 wrote to memory of 2512	2376	powershell.exe	32

C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı Kopyası.exe
"C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı Kopyası.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Forfear=Get-Content 'C:\Users\Admin\AppData\Roaming\paeony\deputising\Genfremsttelserne\Troostite.Sto';$Befordrende=$Forfear.SubString(52427,3);.$Befordrende($Forfear)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
    3⤵
    PID:2724
- - C:\Users\Admin\AppData\Local\Temp\Spartlerne.exe
    "C:\Users\Admin\AppData\Local\Temp\Spartlerne.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
8782ed82dae2b5a02856f6444bbc81bf

SHA1
ab67e65371fbcbfd5de736a00f322459f436b263

SHA256
d60a2f2f716d110ba950fde48fa80bd702b1cb2fa16a638d1f14d1e3ba060663

SHA512
09fd32f334361bcc7d3e574cfd5b6fbdca6f6187f32346320af02a1e01485938c6d20a0222ecee3eee1062878e06c421ce51e19df4c93f53b267cda0712ff616

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
61bcca26ddc7118c43ef7e0e215a841f

SHA1
ea6e9b4244db248abfd66c5e3a16aecf696ecf07

SHA256
770017ba10ffe73dce34f8b406175ae0affd9b330ed9fdc0b859313d83b40b22

SHA512
75ef96ab2e41f0203b354145f40ca9bc3d6fb4bc454a1562454dc51d7dec98d1eb31cf9698a0e7ecf2ed26b88004f622dc06bc38458fe22129257541008fd187

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6406.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\paeony\deputising\Genfremsttelserne\Limphault.Lua

Filesize
303KB

MD5
fc51a276aac990c1700b4bef8228069f

SHA1
b89cea0209bc5da8059d99cadd2bc5291bd10255

SHA256
c85877026d4ad9b18d5652de7829b33db2c0e58c6db4542958a6bad6ff8e9102

SHA512
9684283e5740ef8c6b063863a8cf31145054f29d3120f76143c0834294378df003accda4f71137703895e42036545b3e8d7f72807bdc8bd27103355f1ada626d

Download Submit
C:\Users\Admin\AppData\Roaming\paeony\deputising\Genfremsttelserne\Troostite.Sto

Filesize
51KB

MD5
6d0539739ac2c229575a711d1f335aa8

SHA1
f851e7c908e948eb23981295cf0103252a4c603e

SHA256
86a0e8229fbaa2d7856856d035b91c2629c235f093b779464043ba1d2ac5e6e5

SHA512
2f73f409fe6528a629cfb53feecfa41ef090b77bb9ab3cde2310cea6e10d3c3905ead6d50c2ffcc788ad3abd0e2412c07c01cfc47895e436e0bc8ab03b468eeb

Download Submit
\Users\Admin\AppData\Local\Temp\Spartlerne.exe

Filesize
921KB

MD5
d2c7ccf7ade1dd9cfe1fdbd518a13f6e

SHA1
d230fd8d0794cd3515c5bc95f1d2fcd16b0e4fb3

SHA256
91688e46b195ea7475b0caedb2b18613342883cbd29886628ef12a76f621e988

SHA512
f145c8426b5c4bf8d43fc20fea6fc481670e0006de84c70b2b2865c5fb83abb2cb0a58a44860c44ef2321778528fe3b9c2e931bc248e3fb4ebc6ec68a2928ce0

Download Submit
memory/2376-21-0x0000000073780000-0x0000000073D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2376-8-0x0000000073781000-0x0000000073782000-memory.dmp

Filesize
4KB

Download
memory/2376-16-0x0000000006740000-0x0000000009A09000-memory.dmp

Filesize
50.8MB

Download
memory/2376-12-0x0000000073780000-0x0000000073D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2376-11-0x0000000073780000-0x0000000073D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2376-10-0x0000000073780000-0x0000000073D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2376-9-0x0000000073780000-0x0000000073D2B000-memory.dmp

Filesize
5.7MB

Download
memory/2512-84-0x00000000004D0000-0x0000000001532000-memory.dmp

Filesize
16.4MB

Download