Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-07-2024 13:48

General

  • Target

    NFQ24-0420(R1).exe

  • Size

    422KB

  • MD5

    72f5d261c15af3b18c99b7121956e358

  • SHA1

    a3c152f7be3f808afec47c1b7a904e41fd399be0

  • SHA256

    5c48fc65228bbeca2ecfebfbe9cb28e5edec4c54c4f0d4adb982d7773752bd78

  • SHA512

    d126abc88ad7ba131de9b86b07dec2b5d516fe439705e23c725dc40add0d9d4399f8cc826795ee0fa1d702174100ab783fa6c462e13b5bc7ee68fa14e89fed51

  • SSDEEP

    12288:R0gxaoHhKpbm9nGm+6kwLyzPlFjwaFEs5KidrpHN8G:raeIsR2FjXxK8rb8G

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NFQ24-0420(R1).exe
    "C:\Users\Admin\AppData\Local\Temp\NFQ24-0420(R1).exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Overflytternes=Get-Content 'C:\Users\Admin\AppData\Local\samplings\Fouriertransformeredes152\magmaens\Navet.Omi';$Std=$Overflytternes.SubString(4496,3);.$Std($Overflytternes)
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Program Files (x86)\windows mail\wab.exe
        "C:\Program Files (x86)\windows mail\wab.exe"
        3⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:1912

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\samplings\Fouriertransformeredes152\magmaens\Navet.Omi

    Filesize

    68KB

    MD5

    2d5d8871b19f23d9e6defc1b5f30320c

    SHA1

    bd991d0b8e746c566e155328f4355e9c6b8ccb95

    SHA256

    d7bad07ee7791c8309be96b4e12f51a5bc4f88e4e9e3cf145548be9e5a8ad9ef

    SHA512

    5a79a7bc4c91014130688b544e3f50c8ee9c742987c1648b4eacc9ede7016b392d1bc2362aff54b1da7d7b54a0f2420d5929d7b6863b2b19cbd8d7fa92874959

  • C:\Users\Admin\AppData\Local\samplings\Fouriertransformeredes152\magmaens\Pantheress.Mil

    Filesize

    340KB

    MD5

    2888e076e2411a4320b11f6945d6b8a2

    SHA1

    44f4bc484a0718c5d4715aa98cd2d632129f44c8

    SHA256

    e87429557cd7ceb4cffa8ba50612b092a525f27234406850a11b6203bdbc2d62

    SHA512

    4a78b6974230dbb1cec980d2bb8c78ad303dff7686fb3b4bd6e4675303c0a39423fc146c78c35ce24e3f6cafb21db4979f420c985d9ab9bab915d31e4a9975fc

  • memory/1912-22-0x0000000000F40000-0x0000000001FA2000-memory.dmp

    Filesize

    16.4MB

  • memory/1916-10-0x0000000074461000-0x0000000074462000-memory.dmp

    Filesize

    4KB

  • memory/1916-14-0x0000000074460000-0x0000000074A0B000-memory.dmp

    Filesize

    5.7MB

  • memory/1916-13-0x0000000074460000-0x0000000074A0B000-memory.dmp

    Filesize

    5.7MB

  • memory/1916-12-0x0000000074460000-0x0000000074A0B000-memory.dmp

    Filesize

    5.7MB

  • memory/1916-11-0x0000000074460000-0x0000000074A0B000-memory.dmp

    Filesize

    5.7MB

  • memory/1916-17-0x0000000074460000-0x0000000074A0B000-memory.dmp

    Filesize

    5.7MB

  • memory/1916-19-0x0000000074460000-0x0000000074A0B000-memory.dmp

    Filesize

    5.7MB

  • memory/1916-20-0x00000000065A0000-0x0000000009DD3000-memory.dmp

    Filesize

    56.2MB

  • memory/1916-21-0x0000000074460000-0x0000000074A0B000-memory.dmp

    Filesize

    5.7MB