Overview

overview

10

Static

static

3

Richiesta ...df.exe

windows7-x64

10

Richiesta ...df.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/07/2024, 15:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe

  • Size

    549KB

  • MD5

    a2a727c5efacf8ab6028c4524e21bef9

  • SHA1

    d3ea7079959667ad786a7142371f536feb537802

  • SHA256

    c293bf33914dcab819681869283b39b23b45fb608d42fa3a26562d301eab3746

  • SHA512

    822accf498440732a5df498558d33e9191a62b5b6386dbaec0784abb27c93865cb0dae15a43c99515f1c5cbb217151a80659b915a5b3c07a550a6d2b02bc8c20

  • SSDEEP

    12288:tLfCKKKKKI1KFeGkSrsUQ1nILHMEDm73l8a5+JS2rLaOvjKFDSLJPo7yF1mAm:tBEkQ1nILzClFiS2iYeNSZo26Am

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Richiesta Preventivo (ISGB) 7788EU - 0605ITA·pdf.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4408
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Nervures=Get-Content 'C:\Users\Admin\AppData\Local\Bagtes\zygomata.Coo';$Omfangsbedmmelses64=$Nervures.SubString(24976,3);.$Omfangsbedmmelses64($Nervures)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1308
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 2220
        3⤵
        • Program crash
        PID:4960
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1308 -ip 1308
    1⤵
      PID:4692

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Bagtes\zygomata.Coo
            Filesize

            68KB

            MD5

            e3a338313194482f28d8e74771889d09

            SHA1

            97ee237e38a3ef18a938334dec3a5aff1bffbcab

            SHA256

            e910d5f3afd1733a1824afc9a9dbb1c78529a2a5c63e24601038aa81241e9b7a

            SHA512

            301b208278db99007e10e9827d304fce475844239213e09f98054dd43e72891b84b6816b6bc58c1439df8ef7d74f9f8ef8ee1925736637c064e4481dc6baea6c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ym3dxgzd.djs.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • memory/1308-19-0x0000000005700000-0x0000000005766000-memory.dmp

            Filesize

            408KB

            Download

          • memory/1308-27-0x0000000005E40000-0x0000000005E8C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1308-12-0x00000000739A0000-0x0000000074150000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1308-13-0x0000000004EF0000-0x0000000004F12000-memory.dmp

            Filesize

            136KB

            Download

          • memory/1308-10-0x00000000739A0000-0x0000000074150000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1308-20-0x0000000005770000-0x00000000057D6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/1308-8-0x00000000739AE000-0x00000000739AF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1308-25-0x00000000057E0000-0x0000000005B34000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1308-26-0x0000000005DB0000-0x0000000005DCE000-memory.dmp

            Filesize

            120KB

            Download

          • memory/1308-11-0x0000000004F60000-0x0000000005588000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/1308-28-0x0000000006D50000-0x0000000006DE6000-memory.dmp

            Filesize

            600KB

            Download

          • memory/1308-30-0x0000000006320000-0x0000000006342000-memory.dmp

            Filesize

            136KB

            Download

          • memory/1308-29-0x00000000062D0000-0x00000000062EA000-memory.dmp

            Filesize

            104KB

            Download

          • memory/1308-31-0x00000000073A0000-0x0000000007944000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/1308-9-0x00000000047F0000-0x0000000004826000-memory.dmp

            Filesize

            216KB

            Download

          • memory/1308-33-0x0000000007FD0000-0x000000000864A000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/1308-35-0x00000000739A0000-0x0000000074150000-memory.dmp

            Filesize

            7.7MB

            Download