Overview

overview

8

Static

static

3

e71554c078...fe.exe

windows7-x64

8

e71554c078...fe.exe

windows10-2004-x64

8

Dropsically254.js

windows7-x64

3

Dropsically254.js

windows10-2004-x64

3

Analysis

  • max time kernel
    92s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-07-2024 19:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e71554c07825671158b13e8d3e82fe5b590175c0e7830fd508a397d665fd89fe.exe

  • Size

    595KB

  • MD5

    3db1d32e9c0c727a50e9348b01b46575

  • SHA1

    9a64e208359ef6449b4d0821f0bc51bd1caa4f13

  • SHA256

    e71554c07825671158b13e8d3e82fe5b590175c0e7830fd508a397d665fd89fe

  • SHA512

    855816384bd56d152127c8d58814bcdee94fe911654f676ba6a2346312e401aa22c9579a80f912cc2de2ec19b252311100d2e3f0fcbd3dedd4d14e7b33b8a053

  • SSDEEP

    12288:1oGrkkwxP6l1C92rT071MJLlk+WtpHo0vHWMAYYYJtia0E7+hF:1oGIDPaCYrToMJLlLWtS5DIJp

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e71554c07825671158b13e8d3e82fe5b590175c0e7830fd508a397d665fd89fe.exe
    "C:\Users\Admin\AppData\Local\Temp\e71554c07825671158b13e8d3e82fe5b590175c0e7830fd508a397d665fd89fe.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Fluebekmpelse79=Get-Content 'C:\Users\Admin\AppData\Local\Temp\fingerstningerne\flagellulae\Dropsically254.Sus';$Readmission=$Fluebekmpelse79.SubString(52523,3);.$Readmission($Fluebekmpelse79)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4908
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
        3⤵
          PID:4508
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 2720
          3⤵
          • Program crash
          PID:4364
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4908 -ip 4908
      1⤵
        PID:3984

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ie3xhguu.0h5.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\fingerstningerne\flagellulae\Dropsically254.Sus
        Filesize

        51KB

        MD5

        edde9e024aca7c05acf5b3d33d22846b

        SHA1

        f97c556879785f3956d1e8f1f995204265ccec44

        SHA256

        2583c632eb6f9585bd39250b71a8902aa91ae1f23f2f68cfe468cb057dbc113e

        SHA512

        272d96b4696fa3b00d95434cc77df31a692a74c89d802145a59344b3c65805f4cc26482ea65fab150d2fb01e077b4cb7fbc643e1b4d934d0150c889b3e99e7ac

        Download Submit

      • C:\Windows\SysWOW64\bores.lnk
        Filesize

        1KB

        MD5

        132da40dd26e5296a71c899186908b3c

        SHA1

        18235cd67c81783cf24cc9169b81056af2549806

        SHA256

        723778810bf9758a17e8c989e4ab97f9b4106b16e6e13106f6c1eebff58a1637

        SHA512

        ad75339e2a212b51a56b89c18ed09a86f882f0291ba241a10891baca1e4959a6445b6960df0cf8827915e25e765f3bfd3fd8931dee4b33be5f4447699fd2f0e3

        Download Submit

      • C:\Windows\yer.ini
        Filesize

        38B

        MD5

        e58f8a2dcf15a626bc785906a24d269a

        SHA1

        451f8692070432dbd0232c61631cb49874323fd7

        SHA256

        39b313e3f6e503de2657691e96235891834d12dab42957e62aea1c588c35bc83

        SHA512

        7c33aec2758c72eb727f156ca5946626409a1b2ad22a980801436acacac1bf05eac231a2a0cc2858d369a54cbfa3cafdbd449ce696bf6c8fcecfb53699a75bd3

        Download Submit

      • memory/4908-107-0x0000000005A20000-0x0000000005D74000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/4908-108-0x0000000005FB0000-0x0000000005FCE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4908-68-0x0000000005180000-0x00000000057A8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4908-67-0x0000000074170000-0x0000000074920000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4908-92-0x00000000059B0000-0x0000000005A16000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4908-89-0x0000000005940000-0x00000000059A6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4908-66-0x0000000004A10000-0x0000000004A46000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4908-74-0x0000000005860000-0x0000000005882000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4908-109-0x0000000006000000-0x000000000604C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4908-110-0x0000000006F80000-0x0000000007016000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4908-111-0x0000000006500000-0x000000000651A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4908-112-0x0000000006520000-0x0000000006542000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4908-113-0x00000000076D0000-0x0000000007C74000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4908-65-0x000000007417E000-0x000000007417F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4908-115-0x0000000008300000-0x000000000897A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4908-116-0x0000000074170000-0x0000000074920000-memory.dmp

        Filesize

        7.7MB

        Download