Resubmissions

  • 09-07-2024 08:24
    240709-kayyraxdja 10
  • 09-07-2024 08:05
    240709-jy18catfpk 8
  • 09-07-2024 08:03
    240709-jxzywstfln 10
  • 09-07-2024 07:56
    240709-js4raawenc 10
  • 09-07-2024 07:46
    240709-jl1faatarm 10
  • 09-07-2024 07:38
    240709-jgh1fawajg 8

Analysis

  • max time kernel
    190s
  • max time network
    196s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    09-07-2024 07:38

General

  • Target
    batterie daahindenes.exe
  • Size
    398KB
  • MD5
    b1c35e78f5d588430c4f534479def9f2
  • SHA1
    f787dd3327ca04361935f74867f76f16821db99f
  • SHA256
    4412e46cdfffa346ea1d4e07b30077ccaa09fe1cbbe6f9965df193f2e063f4b7
  • SHA512
    5f78e6794ae313f5ca96c33fe0ecf0c882a18a93caa54bf92823ac42c5c753b6a98d4c77618de2b62cbc9d24e6e500272e4ffa7b25afff20b7e8349fc278a66c
  • SSDEEP
    12288:9GkmNVhJhqnfP30YhNia+nv4tQD3W/P19QY:9GkmPh7qfPrsQeD3W/bd

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\batterie daahindenes.exe
    "C:\Users\Admin\AppData\Local\Temp\batterie daahindenes.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4220
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Vangede=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Reexpression.Tid';$Spondylotomy=$Vangede.SubString(70479,3);.$Spondylotomy($Vangede)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4892
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 2748
        3⤵
        • Program crash
        PID:7384
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:7504
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:7724

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lkcyohkh.ew2.ps1
    Filesize: 1B
    MD5: c4ca4238a0b923820dcc509a6f75849b
    SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
    SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
    SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
  • C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Reexpression.Tid
    Filesize: 68KB
    MD5: d89dac6d6bcfb431c31bdf7d21f48fbd
    SHA1: 2f55f2b77da6a9078c7bb90fd87b205c9c4cf3b9
    SHA256: ffeacf6c0a98133600a0f1de25732fb4b22b06af6921edd316e52a6d7837359b
    SHA512: 76eb9025c18fd7661cb72d47c7eda57a45304594e5aea32fe73b1dd94ec9db81753726f83e6d9f82924c3b9295eef4725dbaa7d633963ac8e8e91b7444346070
  • memory/4892-21-0x0000000007CE0000-0x0000000007CFC000-memory.dmp
    Filesize: 112KB
  • memory/4892-13-0x0000000073370000-0x0000000073A5E000-memory.dmp
    Filesize: 6.9MB
  • memory/4892-15-0x0000000007490000-0x00000000074B2000-memory.dmp
    Filesize: 136KB
  • memory/4892-16-0x0000000007BB0000-0x0000000007C16000-memory.dmp
    Filesize: 408KB
  • memory/4892-17-0x0000000007E00000-0x0000000007E66000-memory.dmp
    Filesize: 408KB
  • memory/4892-18-0x0000000007E70000-0x00000000081C0000-memory.dmp
    Filesize: 3.3MB
  • memory/4892-9-0x000000007337E000-0x000000007337F000-memory.dmp
    Filesize: 4KB
  • memory/4892-22-0x0000000008740000-0x000000000878B000-memory.dmp
    Filesize: 300KB
  • memory/4892-23-0x0000000008540000-0x00000000085B6000-memory.dmp
    Filesize: 472KB
  • memory/4892-14-0x0000000007580000-0x0000000007BA8000-memory.dmp
    Filesize: 6.2MB
  • memory/4892-38-0x00000000095E0000-0x0000000009674000-memory.dmp
    Filesize: 592KB
  • memory/4892-39-0x0000000009350000-0x000000000936A000-memory.dmp
    Filesize: 104KB
  • memory/4892-40-0x00000000093A0000-0x00000000093C2000-memory.dmp
    Filesize: 136KB
  • memory/4892-41-0x0000000009C50000-0x000000000A14E000-memory.dmp
    Filesize: 5.0MB
  • memory/4892-12-0x0000000004A20000-0x0000000004A56000-memory.dmp
    Filesize: 216KB
  • memory/4892-47-0x000000000A7D0000-0x000000000AE48000-memory.dmp
    Filesize: 6.5MB
  • memory/4892-14053-0x0000000073370000-0x0000000073A5E000-memory.dmp
    Filesize: 6.9MB