Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/06/2024, 01:48
Static task: static1
Behavioral task: behavioral1
  Sample: c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
  Resource: win10v2004-20240508-en
General
Target: c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
Size: 597KB
MD5: 01fcb8fb62b7bcf6fa81e765d0c3f571
SHA1: 2fb9a233ba5c4ec26c275b10300b2e5b57baa435
SHA256: c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba
SHA512: 059f448f4db5e4ca667bc2a7fec0f45705aa9217bdb0bce701670df75cb29739cea2cdd4f1123cd6ff8d164d8552448b28def00c88ae1ff850f8cca0667230ec
SSDEEP: 12288:1oGrkbKNHKTGwvqXsIkkTLlrvK94BPbSGgW:1oGIbIHKT7vCgk3lLu61n
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell and hide display window.
pid | Process
2904 | powershell.exe

Drops file in System32 directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\bores.lnk | c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File created | C:\Windows\SysWOW64\Pentose.lnk | c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification | C:\Windows\SysWOW64\Pentose.lnk | c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification | C:\Windows\SysWOW64\playgoers.sep | c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File created | C:\Windows\SysWOW64\bores.lnk | c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Common Files\Vaginismus.ini | c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification | C:\Program Files (x86)\Common Files\nvningedomstol\arbejdskommando.sto | c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification | C:\Program Files (x86)\Common Files\Pygopagus172\matthfus.ala | c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification | C:\Program Files (x86)\Common Files\lnstigningsmnstre\Ccny.sta | c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\yer.ini | c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification | C:\Windows\truthlessly\Stablish.ini | c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification | C:\Windows\resources\0409\ejerlst.uns | c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification | C:\Windows\resources\fysiurg\Cheesecutter.ini | c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
664 | 2904 | WerFault.exe | 81
Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid | Process
2904 | powershell.exe (7 entries, all for this pid)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2904 | powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 3660 wrote to memory of 2904 | 3660 | c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe | 81 (3 entries)
PID 2904 wrote to memory of 3480 | 2904 | powershell.exe | 83 (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe"
  PID: 3660
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Gelpjen=Get-Content 'C:\Users\Admin\AppData\Local\Temp\fingerstningerne\flagellulae\Usmmeligheds.Tro';$Anigonus=$Gelpjen.SubString(51086,3);.$Anigonus($Gelpjen)"
    PID: 2904
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
      PID: 3480
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 2640
      PID: 664
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 2904 -ip 2904
  PID: 2216
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 49KB
MD5: effee95945c050b65310d4e05a17d897
SHA1: 663db609ae44ccf619242830ca0b6fd20ec481f8
SHA256: 6439dc73d1ce981c431de40f0a01210c6c14e202bf02c5b2047db7bcf2cca9a6
SHA512: bcadab2333af674c6cefdcd3ae0b87016a77fb7908c5b80326ec372642c46f67548623263a889a645945c1bb1e8f0035b199abe461709ab84128e2af7c3a6db2

Filesize: 1KB
MD5: cb2819ceb47f59dce96ed438d1b63ff8
SHA1: 15882c50a86484d1c218e1b686e9f942782083d8
SHA256: cd80cd102aa6a8bf79497f6b57eabbf2d43cd1fdf49559a807a94db22dc47850
SHA512: 7651632764cc86f16862163a48f6b09f14b0da094b1fbfb796ffc46ea1cc37420483e9f88b6fde4b490742ba5b5b4822e07c9bea13d0233e83ce58d427b0188a

Filesize: 38B
MD5: e58f8a2dcf15a626bc785906a24d269a
SHA1: 451f8692070432dbd0232c61631cb49874323fd7
SHA256: 39b313e3f6e503de2657691e96235891834d12dab42957e62aea1c588c35bc83
SHA512: 7c33aec2758c72eb727f156ca5946626409a1b2ad22a980801436acacac1bf05eac231a2a0cc2858d369a54cbfa3cafdbd449ce696bf6c8fcecfb53699a75bd3