Overview

overview

10

Static

static

3

c8ef778ff1...95.exe

windows7-x64

10

c8ef778ff1...95.exe

windows10-2004-x64

8

$PLUGINSDI...er.dll

windows7-x64

1

$PLUGINSDI...er.dll

windows10-2004-x64

1

$PLUGINSDI...ge.dll

windows7-x64

1

$PLUGINSDI...ge.dll

windows10-2004-x64

1

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    42s
  • max time network
    53s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-07-2024 01:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c8ef778ff1e9493aecd06b7be81c033356d288235494e6ae5d67bd0cc6789195.exe

  • Size

    457KB

  • MD5

    92a71af74ad52bd6968c86a1197df7d5

  • SHA1

    da3afefc08de0fa9b4b6c2742c927d6703fdae0c

  • SHA256

    c8ef778ff1e9493aecd06b7be81c033356d288235494e6ae5d67bd0cc6789195

  • SHA512

    706482562653c189027a0d53d34ea8fc8ebf85528c96c05b4651f0a08665db94666edd078f799bbc5e2753428e2f9fe3dddd223150e856e23d34fdd0e3fe88fd

  • SSDEEP

    6144:coShfU3osnd2J4v8KJIRySSDbnybCiRG26b5hiVLaf3Uz9YP3WImQK+9OIT8CCvP:Fqgowd2JY8NRPE7yvRAQVLafPP3jfLkP

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c8ef778ff1e9493aecd06b7be81c033356d288235494e6ae5d67bd0cc6789195.exe
    "C:\Users\Admin\AppData\Local\Temp\c8ef778ff1e9493aecd06b7be81c033356d288235494e6ae5d67bd0cc6789195.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Lovkrav=Get-Content 'C:\Users\Admin\AppData\Local\Temp\overmandede\Metran\menubilledet\Radioaktivest.Sup';$Exorable=$Lovkrav.SubString(70678,3);.$Exorable($Lovkrav)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1120
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 2264
        3⤵
        • Program crash
        PID:3816
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1120 -ip 1120
    1⤵
      PID:1488

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zicpzbzb.j0o.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsz5228.tmp\Banner.dll
      Filesize

      4KB

      MD5

      843657eaf7240b695624dcf38bb0eb31

      SHA1

      ca99a44e737fdeaab56f864ce1ef15a57d2eec90

      SHA256

      b935d14c32ad8e16055f7f5794ac3411e601c5ac93155afc623f25b08e2ab82e

      SHA512

      7773d9f6bbd17253d1c96ce225b2f9d3673969b38177afef236d1c5d4aabaae2c07793e07c34f0281ec3b859ae955e83bfe43a598ce7cc6c893ec8c9604f5de3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsz5228.tmp\BgImage.dll
      Filesize

      7KB

      MD5

      a98576f0d6b35b466cb881860977fdbc

      SHA1

      28b3dbbd76f15c876b98dce523100aa3256d193a

      SHA256

      6cc4aadae46ee3e7f39b411ba087ec29bc10aa62b6b5b44003c934b3c51cefe2

      SHA512

      29225bfb30e72d7d3d3571e7562b5901dbf2382af1972cc9a2be8e3bef697b9ac9e0aaac3a9bca191da827ad3cfce7f6876e8be9444663e83a7e2e86788a733c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsz5228.tmp\nsDialogs.dll
      Filesize

      9KB

      MD5

      2c84faebfda2abe3b16fdf374df4272f

      SHA1

      a5b0258a94e0440aefe1ef320e62e7a9a1c8bb40

      SHA256

      72b38e4cca0af336655d55501c4ea05080baaa9921a62a2d717afe90bb801004

      SHA512

      207164cc6914c59d9f4f3b8ae97628c544093ba6ecda9f8da351f453cd97e03be7a640264b8686b2d5e6f3c787f4df1d8a1ebc8e51fd788a97460cd981cc015e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\overmandede\Metran\menubilledet\Radioaktivest.Sup
      Filesize

      69KB

      MD5

      e2606a0ced1b1b771a63e507bef6548d

      SHA1

      72c055984e5a4f43c4ed6c8020d37938afb6fa4a

      SHA256

      368a7423c1c873ee451b227795beb591e3b5d213ce98809de54957525b46e1fc

      SHA512

      1e4dee9bf06edbf2fefd3dfd28d72fc4ee4d878e0bba2cc125a2487b6085ecc8154a1630ca7e444618fcb20106c9292f8ed39bf0786cdd5241a198fe56b25091

      Download Submit

    • memory/1120-32-0x00000000735A0000-0x0000000073D50000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1120-45-0x00000000067B0000-0x00000000067FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1120-30-0x0000000005250000-0x0000000005272000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1120-33-0x0000000005B90000-0x0000000005BF6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1120-29-0x00000000735A0000-0x0000000073D50000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1120-27-0x0000000002C30000-0x0000000002C66000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1120-31-0x0000000005B20000-0x0000000005B86000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1120-43-0x0000000005C00000-0x0000000005F54000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1120-44-0x00000000061F0000-0x000000000620E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1120-28-0x00000000052C0000-0x00000000058E8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1120-48-0x00000000073D0000-0x00000000073F2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1120-47-0x00000000072E0000-0x00000000072FA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1120-46-0x0000000007330000-0x00000000073C6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1120-49-0x00000000079B0000-0x0000000007F54000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1120-26-0x00000000735AE000-0x00000000735AF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1120-51-0x00000000085E0000-0x0000000008C5A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1120-53-0x00000000735A0000-0x0000000073D50000-memory.dmp

      Filesize

      7.7MB

      Download