24924df6e5f906dc670ba961f6988681536b9dc540d38c3ccbec44ddf3aa4eea

Analysis

max time kernel
94s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24924df6e5f906dc670ba961f6988681536b9dc540d38c3ccbec44ddf3aa4eea.exe
Size

883KB
MD5

f9d9aeb51076e4bd92d48f9aed428f73
SHA1

0d09bb2239f9931f4b43978df66f917491c585ff
SHA256

24924df6e5f906dc670ba961f6988681536b9dc540d38c3ccbec44ddf3aa4eea
SHA512

c7dc2446dab255de136ea40851ed9595447ccc098dcfdafd18bb36f331312d33c3d0578ef1efbc563f7b44484f9f3d175f7838b151aacfa262bdd85efd25e575
SSDEEP

24576:33WbOu88u2R7ET7SDR3CaHouNH6K8Yx1Lm:33Wyu852GTUYaI6aRY/m

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4976	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1864	4976	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4976	powershell.exe
4976	powershell.exe
4976	powershell.exe
4976	powershell.exe
4976	powershell.exe
4976	powershell.exe
4976	powershell.exe
4976	powershell.exe
4976	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4976	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 4976	5016	24924df6e5f906dc670ba961f6988681536b9dc540d38c3ccbec44ddf3aa4eea.exe	87
PID 5016 wrote to memory of 4976	5016	24924df6e5f906dc670ba961f6988681536b9dc540d38c3ccbec44ddf3aa4eea.exe	87
PID 5016 wrote to memory of 4976	5016	24924df6e5f906dc670ba961f6988681536b9dc540d38c3ccbec44ddf3aa4eea.exe	87

C:\Users\Admin\AppData\Local\Temp\24924df6e5f906dc670ba961f6988681536b9dc540d38c3ccbec44ddf3aa4eea.exe
"C:\Users\Admin\AppData\Local\Temp\24924df6e5f906dc670ba961f6988681536b9dc540d38c3ccbec44ddf3aa4eea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden " $Hvorunder=cat 'C:\Users\Admin\AppData\Local\forfrdelige\begyndervanskelighederne\Styrbart.Udd32';$Ladet=$Hvorunder.substring(79396,3);.$Ladet($Hvorunder)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 2776
    3⤵
    - Program crash
    PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4976 -ip 4976
1⤵
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_np5pvivq.2fs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\forfrdelige\begyndervanskelighederne\Styrbart.Udd32

Filesize
77KB

MD5
c967dc6ba909ec0d35aad8d3efe9b465

SHA1
c8f79c72565e4a37c7776722c66acdd4c7351376

SHA256
c4c4975be1638c2835feccda60c614f43ad6c2a7307f9b8767ac5ef7fff871b9

SHA512
f2ee67693ac9ac5f0735f0069c77693ed31e919afdacf8ce70a36dbed20ec729e499a092662d078875100ca9b3ea53aeae8a5aa765eecda7a528c77f15ac9428

Download Submit
memory/4976-17-0x0000000073410000-0x0000000073BC0000-memory.dmp

Filesize
7.7MB

Download
memory/4976-32-0x0000000006300000-0x000000000634C000-memory.dmp

Filesize
304KB

Download
memory/4976-13-0x000000007341E000-0x000000007341F000-memory.dmp

Filesize
4KB

Download
memory/4976-18-0x0000000005410000-0x0000000005432000-memory.dmp

Filesize
136KB

Download
memory/4976-20-0x0000000005CA0000-0x0000000005D06000-memory.dmp

Filesize
408KB

Download
memory/4976-19-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/4976-15-0x0000000005590000-0x0000000005BB8000-memory.dmp

Filesize
6.2MB

Download
memory/4976-30-0x0000000005D10000-0x0000000006064000-memory.dmp

Filesize
3.3MB

Download
memory/4976-31-0x00000000062E0000-0x00000000062FE000-memory.dmp

Filesize
120KB

Download
memory/4976-16-0x0000000073410000-0x0000000073BC0000-memory.dmp

Filesize
7.7MB

Download
memory/4976-33-0x0000000007260000-0x00000000072F6000-memory.dmp

Filesize
600KB

Download
memory/4976-34-0x0000000006800000-0x000000000681A000-memory.dmp

Filesize
104KB

Download
memory/4976-35-0x0000000006850000-0x0000000006872000-memory.dmp

Filesize
136KB

Download
memory/4976-36-0x0000000007930000-0x0000000007ED4000-memory.dmp

Filesize
5.6MB

Download
memory/4976-14-0x0000000002CE0000-0x0000000002D16000-memory.dmp

Filesize
216KB

Download
memory/4976-38-0x0000000008560000-0x0000000008BDA000-memory.dmp

Filesize
6.5MB

Download
memory/4976-40-0x0000000073410000-0x0000000073BC0000-memory.dmp

Filesize
7.7MB

Download