3cdd3b2ac55254a7b3e741c8d168c5caf558e22752195424437a97e1543117f3

General

Target

PO Tournefortian2453525525235235623425523235.exe
Size

855KB
MD5

d332bcaa3c61494b774f49bf3e716c21
SHA1

8cdfa60c6b3f25c7d48753e50c298b746c3386de
SHA256

d61208c85ce83c279dd87495f0dfc1cf5c345d2bf3a6e739279dcf188e19b21d
SHA512

40a405252934e0ece7e24514bf041674c84559d94f0791183c77268e154387ac8c452838237c33f55434a3eb04c8f47e818f9d7172cc5295ef9af86e92f80942
SSDEEP

12288:R3IpD7+TUoYhjjPDU6dK7UVEnNH8nUg1EbV3O9XqOqLI4VpStZB:R3IUwHhjjPVdK7UVEp8nU6C2qOaUB

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4488	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3300	4488	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PO Tournefortian2453525525235235623425523235.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4488	powershell.exe
4488	powershell.exe
4488	powershell.exe
4488	powershell.exe
4488	powershell.exe
4488	powershell.exe
4488	powershell.exe
4488	powershell.exe
4488	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4488	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 4488	3852	PO Tournefortian2453525525235235623425523235.exe	85
PID 3852 wrote to memory of 4488	3852	PO Tournefortian2453525525235235623425523235.exe	85
PID 3852 wrote to memory of 4488	3852	PO Tournefortian2453525525235235623425523235.exe	85

C:\Users\Admin\AppData\Local\Temp\PO Tournefortian2453525525235235623425523235.exe
"C:\Users\Admin\AppData\Local\Temp\PO Tournefortian2453525525235235623425523235.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Typograferer=Get-Content 'C:\Users\Admin\AppData\Local\efterplaprernes\Shakya\memorized\Heptandrous.Arr';$Anskueliggjordes=$Typograferer.SubString(51945,3);.$Anskueliggjordes($Typograferer)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 2684
    3⤵
    - Program crash
    PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4488 -ip 4488
1⤵
PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rvvkb2p2.34r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\efterplaprernes\Shakya\memorized\Heptandrous.Arr

Filesize
50KB

MD5
29746f3c54388a9f4917e4be34f35b22

SHA1
1c8099ced377bccba4f56b6e946993bd3f9e8174

SHA256
4caa1d9b0c1a2a8c5b4357ed868a0b15caab2769ef85d72448a602e55de57358

SHA512
a02df71e19afb0e790b5cd28fb2cc0622236aa3f30ca52d02b73028985df4b4560eeb91fdca54b80df23114751dc121348c1d18db61a053d36c7fbe3d0b2af40

Download Submit
memory/4488-14-0x0000000005340000-0x00000000053A6000-memory.dmp

Filesize
408KB

Download
memory/4488-27-0x0000000005CB0000-0x0000000005CFC000-memory.dmp

Filesize
304KB

Download
memory/4488-11-0x0000000004B20000-0x0000000005148000-memory.dmp

Filesize
6.2MB

Download
memory/4488-13-0x0000000004A50000-0x0000000004A72000-memory.dmp

Filesize
136KB

Download
memory/4488-10-0x0000000073E30000-0x00000000745E0000-memory.dmp

Filesize
7.7MB

Download
memory/4488-15-0x0000000005420000-0x0000000005486000-memory.dmp

Filesize
408KB

Download
memory/4488-8-0x0000000073E3E000-0x0000000073E3F000-memory.dmp

Filesize
4KB

Download
memory/4488-25-0x0000000005490000-0x00000000057E4000-memory.dmp

Filesize
3.3MB

Download
memory/4488-26-0x00000000059F0000-0x0000000005A0E000-memory.dmp

Filesize
120KB

Download
memory/4488-12-0x0000000073E30000-0x00000000745E0000-memory.dmp

Filesize
7.7MB

Download
memory/4488-28-0x00000000069D0000-0x0000000006A66000-memory.dmp

Filesize
600KB

Download
memory/4488-29-0x0000000005F50000-0x0000000005F6A000-memory.dmp

Filesize
104KB

Download
memory/4488-30-0x0000000005FA0000-0x0000000005FC2000-memory.dmp

Filesize
136KB

Download
memory/4488-31-0x0000000007020000-0x00000000075C4000-memory.dmp

Filesize
5.6MB

Download
memory/4488-9-0x0000000004420000-0x0000000004456000-memory.dmp

Filesize
216KB

Download
memory/4488-33-0x0000000007C50000-0x00000000082CA000-memory.dmp

Filesize
6.5MB

Download
memory/4488-35-0x0000000073E30000-0x00000000745E0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing