Overview

overview

8

Static

static

3

21a7f19500...86.exe

windows7-x64

8

21a7f19500...86.exe

windows10-1703-x64

8

21a7f19500...86.exe

windows10-2004-x64

8

21a7f19500...86.exe

windows11-21h2-x64

8

Resubmissions

10/07/2024, 19:23

240710-x3w13sxhqh 8

10/07/2024, 19:21

240710-x2ytaaxhma 10

Analysis

  • max time kernel
    79s
  • max time network
    82s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    10/07/2024, 19:23

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    21a7f19500a40c4302ccff91f9c4aa34b713cc07183cd83ca45852b6a00afd86.exe

  • Size

    488KB

  • MD5

    60b3d713550cd09b16181971027e0df5

  • SHA1

    b5ffb312af1ebc5afd7c7b839fcbd1abaece6503

  • SHA256

    21a7f19500a40c4302ccff91f9c4aa34b713cc07183cd83ca45852b6a00afd86

  • SHA512

    125132cceeb9256b6b64fcaf263187c218ec483296a7ab6cc820cb9ab4e096d0f8c9e064167df67c8fdb91cc9622021374629b8c6795e5d76de3a0c4781c6cab

  • SSDEEP

    12288:R0NwzUrQ2sgRZFh/rRAgYBNL3bHGwkuDvU3BbG:fzSQ25NBONLLQLRC

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21a7f19500a40c4302ccff91f9c4aa34b713cc07183cd83ca45852b6a00afd86.exe
    "C:\Users\Admin\AppData\Local\Temp\21a7f19500a40c4302ccff91f9c4aa34b713cc07183cd83ca45852b6a00afd86.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Sludrebttes113=Get-Content 'C:\Users\Admin\AppData\Local\kilns\Unobtainably\Hormonbalance\Impoverishes.Skj';$Dissimileres198=$Sludrebttes113.SubString(59295,3);.$Dissimileres198($Sludrebttes113)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:208
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 2740
        3⤵
        • Program crash
        PID:27084

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_px3h13lz.ttp.ps1
          Filesize

          1B

          MD5

          c4ca4238a0b923820dcc509a6f75849b

          SHA1

          356a192b7913b04c54574d18c28d46e6395428ab

          SHA256

          6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

          SHA512

          4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

          Download Submit

        • C:\Users\Admin\AppData\Local\kilns\Unobtainably\Hormonbalance\Impoverishes.Skj
          Filesize

          71KB

          MD5

          3caa4ac857f4a0000da1b905a819ae72

          SHA1

          bc1bd3a4b5a1b37c1b213d05c9ed8c472a818949

          SHA256

          0d92f75f821620f9df25844a0b43c2be5763799f32a61c68f9baeeebe45560fc

          SHA512

          abe4ec64665c8bc701219fae130e25073a4c76a98dd36cb5dd29e1eefc5d7ceb40e3d0e37dc7d1b2d3d84c4e38437883c09a6523c0d3393730659b220aac8e83

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nsd6802.tmp\BgImage.dll
          Filesize

          7KB

          MD5

          521df745a41f0b8164ffd01717cacbba

          SHA1

          dc7a9eacfbeb1fae52091da5e80db6cb1b6bce74

          SHA256

          dbf91707fa157603bea025a6411cdcb497ab11262c9c18b14dc431a45aa17c0b

          SHA512

          c5b1ba062872a8f534e2f0eac57fc3c0d8be9cda79605d86566d67260ba5477444a0ddfed1838b4fb14c677e5342c8419a88fcd38147dbaa36ac1f9e00c52bbe

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nsd6802.tmp\UserInfo.dll
          Filesize

          4KB

          MD5

          acbda33dd5700c122e2fe48e3d4351fd

          SHA1

          2c154baf7c64052ee712b7cdf9c36b7697dd3fc8

          SHA256

          943b33829f9013e4d361482a5c8981ba20a7155c78691dbe02a8f8cd2a02efa0

          SHA512

          d090adf65a74ac5b910b18bb67e989714335e7b4778cd771cff154d7186351a1bebbc7103cca849bdfa2709c991947ffff6c1d8fdf16a74f4dfb614bce3ff6fd

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nsd6802.tmp\nsDialogs.dll
          Filesize

          9KB

          MD5

          1c8b2b40c642e8b5a5b3ff102796fb37

          SHA1

          3245f55afac50f775eb53fd6d14abb7fe523393d

          SHA256

          8780095aa2f49725388cddf00d79a74e85c9c4863b366f55c39c606a5fb8440c

          SHA512

          4ff2dc83f640933162ec8818bb1bf3b3be1183264750946a3d949d2e7068ee606277b6c840193ef2b4663952387f07f6ab12c84c4a11cae9a8de7bd4e7971c57

          Download Submit

        • memory/208-37-0x0000000007390000-0x00000000073AC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/208-39-0x0000000007B50000-0x0000000007BC6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/208-30-0x0000000072B90000-0x000000007327E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/208-31-0x0000000007310000-0x0000000007332000-memory.dmp

          Filesize

          136KB

          Download

        • memory/208-32-0x0000000006B20000-0x0000000006B86000-memory.dmp

          Filesize

          408KB

          Download

        • memory/208-33-0x00000000073B0000-0x0000000007416000-memory.dmp

          Filesize

          408KB

          Download

        • memory/208-34-0x0000000007500000-0x0000000007850000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/208-29-0x0000000006BE0000-0x0000000007208000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/208-38-0x0000000007E30000-0x0000000007E7B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/208-28-0x0000000072B90000-0x000000007327E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/208-27-0x0000000000FA0000-0x0000000000FD6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/208-54-0x0000000008C40000-0x0000000008CD4000-memory.dmp

          Filesize

          592KB

          Download

        • memory/208-55-0x00000000089A0000-0x00000000089BA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/208-56-0x00000000089F0000-0x0000000008A12000-memory.dmp

          Filesize

          136KB

          Download

        • memory/208-57-0x00000000092A0000-0x000000000979E000-memory.dmp

          Filesize

          5.0MB

          Download

        • memory/208-24-0x0000000072B9E000-0x0000000072B9F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/208-63-0x0000000009E20000-0x000000000A498000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/208-13971-0x0000000072B9E000-0x0000000072B9F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/208-13972-0x0000000072B90000-0x000000007327E000-memory.dmp

          Filesize

          6.9MB

          Download