3cdd3b2ac55254a7b3e741c8d168c5caf558e22752195424437a97e1543117f3

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO Tournefortian2453525525235235623425523235.exe
Size

855KB
MD5

d332bcaa3c61494b774f49bf3e716c21
SHA1

8cdfa60c6b3f25c7d48753e50c298b746c3386de
SHA256

d61208c85ce83c279dd87495f0dfc1cf5c345d2bf3a6e739279dcf188e19b21d
SHA512

40a405252934e0ece7e24514bf041674c84559d94f0791183c77268e154387ac8c452838237c33f55434a3eb04c8f47e818f9d7172cc5295ef9af86e92f80942
SSDEEP

12288:R3IpD7+TUoYhjjPDU6dK7UVEnNH8nUg1EbV3O9XqOqLI4VpStZB:R3IUwHhjjPVdK7UVEp8nU6C2qOaUB

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2516	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO Tournefortian2453525525235235623425523235.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2516	powershell.exe
2516	powershell.exe
2516	powershell.exe
2516	powershell.exe
2516	powershell.exe
2516	powershell.exe
2516	powershell.exe
2516	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2516	2360	PO Tournefortian2453525525235235623425523235.exe	30
PID 2360 wrote to memory of 2516	2360	PO Tournefortian2453525525235235623425523235.exe	30
PID 2360 wrote to memory of 2516	2360	PO Tournefortian2453525525235235623425523235.exe	30
PID 2360 wrote to memory of 2516	2360	PO Tournefortian2453525525235235623425523235.exe	30

C:\Users\Admin\AppData\Local\Temp\PO Tournefortian2453525525235235623425523235.exe
"C:\Users\Admin\AppData\Local\Temp\PO Tournefortian2453525525235235623425523235.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Typograferer=Get-Content 'C:\Users\Admin\AppData\Local\efterplaprernes\Shakya\memorized\Heptandrous.Arr';$Anskueliggjordes=$Typograferer.SubString(51945,3);.$Anskueliggjordes($Typograferer)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\efterplaprernes\Shakya\memorized\Biteless96.Arb16

Filesize
353KB

MD5
bd9481dfba36e80e3106b60bde4e13d4

SHA1
a313dba340750e640cb618f6e867c9b1760c3ae3

SHA256
cc344f3ac0c321e5ef6178667b2639ee83331acd77a77d2d9792f00590e24c5b

SHA512
f1f418b79a6f24a062cf6710ec801cadad5faa826f393bec9b90e91ffe6e44e2c06a4ca3101ff3b69be9fe1442b0b4ed1a57c2ffa0fd6ba5fc3b94ceca14e363

Download Submit
C:\Users\Admin\AppData\Local\efterplaprernes\Shakya\memorized\Heptandrous.Arr

Filesize
50KB

MD5
29746f3c54388a9f4917e4be34f35b22

SHA1
1c8099ced377bccba4f56b6e946993bd3f9e8174

SHA256
4caa1d9b0c1a2a8c5b4357ed868a0b15caab2769ef85d72448a602e55de57358

SHA512
a02df71e19afb0e790b5cd28fb2cc0622236aa3f30ca52d02b73028985df4b4560eeb91fdca54b80df23114751dc121348c1d18db61a053d36c7fbe3d0b2af40

Download Submit
memory/2516-10-0x0000000073611000-0x0000000073612000-memory.dmp

Filesize
4KB

Download
memory/2516-11-0x0000000073610000-0x0000000073BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2516-12-0x0000000073610000-0x0000000073BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2516-13-0x0000000073610000-0x0000000073BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2516-14-0x0000000073610000-0x0000000073BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2516-17-0x0000000073610000-0x0000000073BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2516-19-0x0000000073610000-0x0000000073BBB000-memory.dmp

Filesize
5.7MB

Download
memory/2516-20-0x0000000006570000-0x00000000095F2000-memory.dmp

Filesize
48.5MB

Download
memory/2516-21-0x0000000073610000-0x0000000073BBB000-memory.dmp

Filesize
5.7MB

Download