066af6eb6c8fbb5b95e3b08811d64c3421734ad4a7cabd5cdafd996f46a5014c

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMGNarudžbenaCom45batan433523572345235235ts.exe
Size

900KB
MD5

daa5dbd6b9251157b1309f9ad11a5844
SHA1

a16a150c84f2835dab24cce05727c4c5ffe6852f
SHA256

7ecad71d8959532c157260b37eb56d28ff819b70b16034a467cef6327024a806
SHA512

43cdc736ea7babe27765b6bdf32eb13189a392990b7cd2c2a611675a8b217a49deac4f3595cdc7c0460ee7a3eb508a0c51e295b8357030981e4ad4f92b4075ea
SSDEEP

12288:7KQqt6ga1nGHXK24N3YrggCgXJ+EP5dDEmsopm3gImdvDjS0yBJg4aHMEf3PscmT:G891GHkgCsJ+EPq3gPdLu/azf3KT

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2560	powershell.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\ledning.god	IMGNarudžbenaCom45batan433523572345235235ts.exe
File opened for modification	C:\Program Files (x86)\Common Files\sygebesgene.out	IMGNarudžbenaCom45batan433523572345235235ts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMGNarudžbenaCom45batan433523572345235235ts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2560	powershell.exe
2560	powershell.exe
2560	powershell.exe
2560	powershell.exe
2560	powershell.exe
2560	powershell.exe
2560	powershell.exe
2560	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2560	2572	IMGNarudžbenaCom45batan433523572345235235ts.exe	30
PID 2572 wrote to memory of 2560	2572	IMGNarudžbenaCom45batan433523572345235235ts.exe	30
PID 2572 wrote to memory of 2560	2572	IMGNarudžbenaCom45batan433523572345235235ts.exe	30
PID 2572 wrote to memory of 2560	2572	IMGNarudžbenaCom45batan433523572345235235ts.exe	30

C:\Users\Admin\AppData\Local\Temp\IMGNarudžbenaCom45batan433523572345235235ts.exe
"C:\Users\Admin\AppData\Local\Temp\IMGNarudžbenaCom45batan433523572345235235ts.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Quinaldyl=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Louk\percha\Tasterutinen.nat';$Bisamer=$Quinaldyl.SubString(55602,3);.$Bisamer($Quinaldyl)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Louk\percha\Tasterutinen.nat

Filesize
54KB

MD5
108c81a0ded88c932a3b2c47e32c25f9

SHA1
8f30f3d1803831107e03961710b509b5836a68ae

SHA256
0c26f123a4dc4bcfb9bc6347ab9d76d941947fe7b2e1857a66d7cd8d8ffb5c17

SHA512
900a6ce3e4766f452b9c8cb42a37efed55ccf25b9647c32440b214c0b5610f9115007487fedccbd5305ab7b51d24c9434cd92bd7d294b17c91c459e3b5ad164f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Louk\percha\Trskemaskinerne.Cos

Filesize
346KB

MD5
202ed494cc9d9f8ac0a76a79fd9eb7e6

SHA1
ea097803f29b812ae7f502811d4a60a3d3571f2b

SHA256
858b8952b71eff750a6a63a7541870d623ed9bb957c8e0b08dcf20ca65168b57

SHA512
de34ef0ba6eb815bce54fd1100e0b5abe7ddde712077f9b7b93f73d48b803c5d0c9bd120716b50b07d739c9d586e3384580233c611691e9f2ab6275eea25c7d1

Download Submit
memory/2560-7-0x00000000741E1000-0x00000000741E2000-memory.dmp

Filesize
4KB

Download
memory/2560-8-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download
memory/2560-9-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download
memory/2560-10-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download
memory/2560-13-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download
memory/2560-15-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download
memory/2560-17-0x00000000741E0000-0x000000007478B000-memory.dmp

Filesize
5.7MB

Download
memory/2560-16-0x0000000006610000-0x00000000096C5000-memory.dmp

Filesize
48.7MB

Download