53805ebc2b9eb59587ee7baeb45de6df203dbba25913de393026f4c14f0f5487

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG88957937579577593957937593756295Jimpy.exe
Size

445KB
MD5

d3593f7e5a555a84fea5d70412463a0a
SHA1

1614572890ef26f28f3b7c9f04ba7e6eb06587d9
SHA256

53805ebc2b9eb59587ee7baeb45de6df203dbba25913de393026f4c14f0f5487
SHA512

4fbeab30dbe08a82480d21ee69b8ee0e92656c96f30eec84b0967373bb22f86310dc61421c02cd10689485eaea3ddad5173e77b7b0be3ff4a6752fb407c605f8
SSDEEP

6144:Cg1KQjoauKpc9yUm6WCWmr3lBQdbpBnHUqS6tJF4ZO7kLUaULIU+JB3zj9torp1s:YxMc9yUmHmrEdX0gtJFcopIFBjjc+

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2832	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMG88957937579577593957937593756295Jimpy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2832	powershell.exe
2832	powershell.exe
2832	powershell.exe
2832	powershell.exe
2832	powershell.exe
2832	powershell.exe
2832	powershell.exe
2832	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2832	2976	IMG88957937579577593957937593756295Jimpy.exe	30
PID 2976 wrote to memory of 2832	2976	IMG88957937579577593957937593756295Jimpy.exe	30
PID 2976 wrote to memory of 2832	2976	IMG88957937579577593957937593756295Jimpy.exe	30
PID 2976 wrote to memory of 2832	2976	IMG88957937579577593957937593756295Jimpy.exe	30

C:\Users\Admin\AppData\Local\Temp\IMG88957937579577593957937593756295Jimpy.exe
"C:\Users\Admin\AppData\Local\Temp\IMG88957937579577593957937593756295Jimpy.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Planta=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Atomraketter\Antihysteric.Ing';$Donnick=$Planta.SubString(58063,3);.$Donnick($Planta)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Atomraketter\Antihysteric.Ing

Filesize
56KB

MD5
05feec34f8951c4a66d9c1fc1815c309

SHA1
25cbe83a1a0dc2527b0f14828325d78283420147

SHA256
736c2ce0c3ec68af645c2e002900e1495685d43377cb8ef023d1d7d8b23fa0f4

SHA512
ec01cbcd363cdc64d37a4d9dc84341fe10e8c8084213244bb1c261521a63c5a10951e4fc06a32b31440016c8c9d9124854e73baf0c24f7c21e20ede9c82238df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Atomraketter\Dirigentstokkene.Kar

Filesize
325KB

MD5
7c4da3249dd31bedbcd1882de8c9d5ac

SHA1
971dd3ca5eb74dbb9461f8d6ca1128033f7226da

SHA256
e31c7db58fb91930922336d41bcf8e5a9faa16fb2112e5e703260705960ccb05

SHA512
bd0dd3466cd33f029716020b9aaa3b904dc58eef303b396ce567cfe02f10eabc1e5433e4905b6304dd8a79c5fd0025bb2a4a15b2e116590f1d0673be0aaff7a9

Download Submit
memory/2832-10-0x0000000073D41000-0x0000000073D42000-memory.dmp

Filesize
4KB

Download
memory/2832-11-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download
memory/2832-12-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download
memory/2832-13-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download
memory/2832-14-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download
memory/2832-17-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download
memory/2832-19-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download
memory/2832-20-0x0000000006500000-0x0000000009DB0000-memory.dmp

Filesize
56.7MB

Download
memory/2832-21-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download