Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    17-09-2024 10:26

General

  • Target

    Documenti di spedizione 0000876666000.exe

  • Size

    743KB

  • MD5

    7c558f240d951c19ae299c88ca87c458

  • SHA1

    25b8293ef1cff55fa4688d3cedeaada888eea471

  • SHA256

    85c28df1f833c2212643df5ff0601cb4a203c113065d79fa2be73c150fe5678c

  • SHA512

    b460cfed71e8ecfb5e75476e014e387bfa38240ab3fd571d914513666c2dec58783d83a40aa51540ca92300227ddd5d3356259cef3d9d9625bcdee95a6961977

  • SSDEEP

    12288:nXJaAf3gv3zDtlZcqY18aAV0uyBXGuhteUX3whlQj27xpbcbXDKzJ:5aO3gvjs8JV0uyBeUXFOvbcPKF

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Documenti di spedizione 0000876666000.exe
    "C:\Users\Admin\AppData\Local\Temp\Documenti di spedizione 0000876666000.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle minimized "$Pluffy=Get-Content 'C:\Users\Admin\AppData\Roaming\Fastlggende246\Foundlings.Fri';$Perspektivplanlgning=$Pluffy.SubString(53622,3);.$Perspektivplanlgning($Pluffy)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nstE4D5.tmp\nsExec.dll

    Filesize

    6KB

    MD5

    7f4a854abf13869f8b0f3c8952a1d4b0

    SHA1

    41c1dc531094abb81e5c37a04e7b88da14dd3980

    SHA256

    971b9daea9ad21621ac81776c13fdd899979ab920fed44c9066a41f60b961a4c

    SHA512

    df775a146adb801659bfec3921cf66975c8fa1425c66081ac168dc6294151d4a05c0c478d3d86fb445176bc7e775bd0165e8900d4354783ecdb9fab58a612dbe

  • memory/2768-13-0x0000000073641000-0x0000000073642000-memory.dmp

    Filesize

    4KB

  • memory/2768-14-0x0000000073640000-0x0000000073BEB000-memory.dmp

    Filesize

    5.7MB

  • memory/2768-15-0x0000000073640000-0x0000000073BEB000-memory.dmp

    Filesize

    5.7MB

  • memory/2768-16-0x0000000073640000-0x0000000073BEB000-memory.dmp

    Filesize

    5.7MB

  • memory/2768-17-0x0000000073640000-0x0000000073BEB000-memory.dmp

    Filesize

    5.7MB

  • memory/2768-18-0x0000000073640000-0x0000000073BEB000-memory.dmp

    Filesize

    5.7MB