a60aa556ef02b72ffd7cbd8e178b4f979e09c6789cbed4be2bfaab99ac357f00

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a60aa556ef02b72ffd7cbd8e178b4f979e09c6789cbed4be2bfaab99ac357f00.exe
Size

449KB
MD5

beb96fe830b527dd78a7fd6df2ccc872
SHA1

92000419333f50c8a04b7032c9a19064f795f1bf
SHA256

a60aa556ef02b72ffd7cbd8e178b4f979e09c6789cbed4be2bfaab99ac357f00
SHA512

9880cff64d5a22c031ad5ce5a3f8b8312775505138a277405fd002b48bd0dba0a164633a8ea4b8f290ec85729f83fe182fa59430a5fca5099d2c7294cccf509d
SSDEEP

12288:YxMc9yE9yhHSfx7M3iN0LBSvbRan99j+:ZVE9yExNN0LBqQnrS

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2928	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a60aa556ef02b72ffd7cbd8e178b4f979e09c6789cbed4be2bfaab99ac357f00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2928	powershell.exe
2928	powershell.exe
2928	powershell.exe
2928	powershell.exe
2928	powershell.exe
2928	powershell.exe
2928	powershell.exe
2928	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2928	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2928	2720	a60aa556ef02b72ffd7cbd8e178b4f979e09c6789cbed4be2bfaab99ac357f00.exe	30
PID 2720 wrote to memory of 2928	2720	a60aa556ef02b72ffd7cbd8e178b4f979e09c6789cbed4be2bfaab99ac357f00.exe	30
PID 2720 wrote to memory of 2928	2720	a60aa556ef02b72ffd7cbd8e178b4f979e09c6789cbed4be2bfaab99ac357f00.exe	30
PID 2720 wrote to memory of 2928	2720	a60aa556ef02b72ffd7cbd8e178b4f979e09c6789cbed4be2bfaab99ac357f00.exe	30

C:\Users\Admin\AppData\Local\Temp\a60aa556ef02b72ffd7cbd8e178b4f979e09c6789cbed4be2bfaab99ac357f00.exe
"C:\Users\Admin\AppData\Local\Temp\a60aa556ef02b72ffd7cbd8e178b4f979e09c6789cbed4be2bfaab99ac357f00.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Skandinaviensrejses=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Atomraketter\Recruital.Ove';$Saunders84=$Skandinaviensrejses.SubString(55339,3);.$Saunders84($Skandinaviensrejses)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Atomraketter\Recruital.Ove

Filesize
54KB

MD5
6b9dad72a738a0b038be6da60d7c8e60

SHA1
737c008f3741466a2e81385034d39919ac153ac2

SHA256
5de795cc8b31a7c7adfdd968583580b70d7a383abf91fecc00eec403c8e33d15

SHA512
f9ee685c19a80eb70534bc1119b804ea7ff9d81e76f45443b7e96ba7caf80ff75ad1a659c5ba490f8271fa19f198794f181ad11d0be234a7392a2fc63325385d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Atomraketter\Sooths.Gop

Filesize
346KB

MD5
54bfa0f81839e1df37fedc8f8e11160c

SHA1
f945d274c0f388955105d0039fe2618668cdee70

SHA256
9d2dfe77a657d9308eb1198750702670f8115654533542a80a9d1d12bb848561

SHA512
8e2ed4d25547b9bf29d9fb943220fc236b33ac100528a7a50683e2d49c274dd798852b1ef78eca6637d6b3ac9abb2d80b28c9e4248c5f3b005ee6090f9da91c0

Download Submit
memory/2928-10-0x00000000740B1000-0x00000000740B2000-memory.dmp

Filesize
4KB

Download
memory/2928-12-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/2928-11-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/2928-15-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/2928-17-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/2928-19-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/2928-18-0x0000000006630000-0x0000000009742000-memory.dmp

Filesize
49.1MB

Download