Overview

overview

10

Static

static

1

4.exe

windows7-x64

10

4.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    91s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-09-2024 10:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4.exe

  • Size

    614KB

  • MD5

    3ac5f1a33978d9865ed6715edd2c39d7

  • SHA1

    fe38fb821fcf060ba720e464767e3599f3c41b78

  • SHA256

    d5c6d98bf546829a6232e4b7598da24cacc20b41e2db0f63a1e918983464d1f8

  • SHA512

    9a2eded115fe49ef4788106c315b0056bdb42068d9d686479a0d6f19d7371a430ba218be811f1b182512302a61144bb019e3701c8be8434926ab08ad2f08b3b2

  • SSDEEP

    12288:CBIJsQMaH82xY/BikO20xRDFTcsLgwuOCC:rJsQMu8Ub5DwC

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4.exe
    "C:\Users\Admin\AppData\Local\Temp\4.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1356
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Gruppeforsikring=Get-Content 'C:\Users\Admin\AppData\Roaming\Palaeodictyopteron\testudskrivningsfaciliteters\Marinerede\Stempleres247.Mon';$Heglings=$Gruppeforsikring.SubString(55531,3);.$Heglings($Gruppeforsikring)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4672
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 2320
        3⤵
        • Program crash
        PID:2120
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4672 -ip 4672
    1⤵
      PID:4036

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0rojju4p.lru.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Palaeodictyopteron\testudskrivningsfaciliteters\Marinerede\Stempleres247.Mon
      Filesize

      54KB

      MD5

      a917039d788bd601c5fd0ab7b7cbeacb

      SHA1

      a6895bd93930bb841fdd15586d1d190fbfaaa8e3

      SHA256

      1fb7a6884eab4bfd6122aa31769b241413f1f2bd89f509e1552efb69b2601291

      SHA512

      e20ad8dd9cfc818ccd37651d997dd071d6a41942af9d2f5e85d67852692c6a21f1892324bd5a4b2e8b9fa9d4c17e5d76b1e2b243cf9c291608415943e46cf47c

      Download Submit

    • memory/4672-21-0x00000000054C0000-0x0000000005814000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4672-22-0x0000000005AD0000-0x0000000005AEE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4672-9-0x0000000004CD0000-0x0000000004CF2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4672-10-0x00000000053E0000-0x0000000005446000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4672-11-0x0000000005450000-0x00000000054B6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4672-8-0x0000000004DB0000-0x00000000053D8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4672-5-0x000000007444E000-0x000000007444F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4672-7-0x0000000074440000-0x0000000074BF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4672-23-0x0000000005B40000-0x0000000005B8C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4672-24-0x0000000006A60000-0x0000000006AF6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4672-25-0x0000000005FB0000-0x0000000005FCA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4672-26-0x0000000006000000-0x0000000006022000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4672-27-0x00000000070B0000-0x0000000007654000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4672-6-0x0000000002160000-0x0000000002196000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4672-29-0x0000000007CE0000-0x000000000835A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4672-31-0x0000000074440000-0x0000000074BF0000-memory.dmp

      Filesize

      7.7MB

      Download