Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 19-06-2024 14:41

Static task: static1
Behavioral task: behavioral1
- Sample: Package status.exe
- Resource: win7-20240508-en
General
- Target: Package status.exe
- Size: 810KB
- MD5: f7f038db9cf8b30eedadbd0e1bd06475
- SHA1: 183a7e4912252c912340580478a756449d420c18
- SHA256: 1c4bde8818c2caac1ea5d08697561d52e4f977a31f648ef55fe54f13efe572e1
- SHA512: 43ce6cce5d06b7317b524689610b9154ffb2d7b16a55328321b19eb4baba9fb793f46e6d4e2ca582cfa5c5b7d7627e59cbd1860169efa31f4eadae3155322d1e
- SSDEEP: 12288:NX8AAopS5s7Prs1K9qjmF7UC5xkd56/iS3xwWaoSOs9BOvLcajeUoZe3xn7dhLO3:18N56/iS3Dao55LTue3xn7d3sCDPa7l
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell and hide display window.
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 2824  powershell.exe
    PID 2808  Biseksualiteten.exe
- Drops file in System32 directory (1 IoCs)
  Processes:
    File opened for modification: C:\Windows\SysWOW64\kobberbrylluppers.dis  (Package status.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
    PID 2824  powershell.exe
    PID 2808  Biseksualiteten.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 2824 (powershell.exe) set thread context of PID 2808  (procid_target 32)
- Drops file in Windows directory (1 IoCs)
  Processes:
    File opened for modification: C:\Windows\resources\0409\Protoplasmaet.ini  (Package status.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (2 IoCs)
  Processes:
    resource behavioral1/files/0x000e00000001227e-18.dat  yara_rule nsis_installer_1
    resource behavioral1/files/0x000e00000001227e-18.dat  yara_rule nsis_installer_2
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
    PID 2824  powershell.exe  (8 occurrences)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    PID 2824  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    Token: SeDebugPrivilege  PID 2824  powershell.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    PID 2220 (Package status.exe) wrote to memory of PID 2824  (procid_target 28, 4 occurrences)
    PID 2824 (powershell.exe) wrote to memory of PID 2724  (procid_target 30, 4 occurrences)
    PID 2824 (powershell.exe) wrote to memory of PID 2808  (procid_target 32, 6 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\Package status.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Package status.exe"
  PID: 2220
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$corabecan=Get-Content 'C:\Users\Admin\AppData\Local\gannetry\Hjelmkldtes\Antesunrise.Ski';$kitningers=$corabecan.SubString(12628,3);.$kitningers($corabecan)"
    PID: 2824
    - Command and Scripting Interpreter: PowerShell
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
      PID: 2724
    - C:\Users\Admin\AppData\Local\Temp\Biseksualiteten.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Biseksualiteten.exe"
      PID: 2808
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads