Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
17-09-2024 10:26
Static task
static1
Behavioral task
behavioral1
Sample
Documenti di spedizione 0000876666000.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Documenti di spedizione 0000876666000.exe
Resource
win10v2004-20240802-en
General
-
Target
Documenti di spedizione 0000876666000.exe
-
Size
743KB
-
MD5
7c558f240d951c19ae299c88ca87c458
-
SHA1
25b8293ef1cff55fa4688d3cedeaada888eea471
-
SHA256
85c28df1f833c2212643df5ff0601cb4a203c113065d79fa2be73c150fe5678c
-
SHA512
b460cfed71e8ecfb5e75476e014e387bfa38240ab3fd571d914513666c2dec58783d83a40aa51540ca92300227ddd5d3356259cef3d9d9625bcdee95a6961977
-
SSDEEP
12288:nXJaAf3gv3zDtlZcqY18aAV0uyBXGuhteUX3whlQj27xpbcbXDKzJ:5aO3gvjs8JV0uyBeUXFOvbcPKF
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid Process
1152 Documenti di spedizione 0000876666000.exe
2768 powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Documenti di spedizione 0000876666000.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2768 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 2768 powershell.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 1152 wrote to memory of 2768 1152 Documenti di spedizione 0000876666000.exe 31
PID 1152 wrote to memory of 2768 1152 Documenti di spedizione 0000876666000.exe 31
PID 1152 wrote to memory of 2768 1152 Documenti di spedizione 0000876666000.exe 31
PID 1152 wrote to memory of 2768 1152 Documenti di spedizione 0000876666000.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\Documenti di spedizione 0000876666000.exe
"C:\Users\Admin\AppData\Local\Temp\Documenti di spedizione 0000876666000.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle minimized "$Pluffy=Get-Content 'C:\Users\Admin\AppData\Roaming\Fastlggende246\Foundlings.Fri';$Perspektivplanlgning=$Pluffy.SubString(53622,3);.$Perspektivplanlgning($Pluffy)"
2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
6KB
MD5
7f4a854abf13869f8b0f3c8952a1d4b0
SHA1
41c1dc531094abb81e5c37a04e7b88da14dd3980
SHA256
971b9daea9ad21621ac81776c13fdd899979ab920fed44c9066a41f60b961a4c
SHA512
df775a146adb801659bfec3921cf66975c8fa1425c66081ac168dc6294151d4a05c0c478d3d86fb445176bc7e775bd0165e8900d4354783ecdb9fab58a612dbe