Overview
overview
10Static
static
3b8f925e583...58.iso
windows7-x64
3b8f925e583...58.iso
windows10-2004-x64
3out.iso
windows7-x64
1out.iso
windows10-2004-x64
1Documenti ...00.exe
windows7-x64
7Documenti ...00.exe
windows10-2004-x64
10$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$PROGRAMFI...er.txt
windows7-x64
1$PROGRAMFI...er.txt
windows10-2004-x64
1$PROGRAMFI...es.fol
windows7-x64
3$PROGRAMFI...es.fol
windows10-2004-x64
3$PROGRAMFI...ae.ele
windows7-x64
3$PROGRAMFI...ae.ele
windows10-2004-x64
3$PROGRAMFI...er.knu
windows7-x64
3$PROGRAMFI...er.knu
windows10-2004-x64
3Forskelsst...er.und
windows7-x64
3Forskelsst...er.und
windows10-2004-x64
3Forskelsst...es.all
windows7-x64
3Forskelsst...es.all
windows10-2004-x64
3Forskelsst...qr.soc
windows7-x64
3Forskelsst...qr.soc
windows10-2004-x64
3Forskelsst...ne.bal
windows7-x64
3Forskelsst...ne.bal
windows10-2004-x64
3Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18-09-2024 09:09
Static task
static1
Behavioral task
behavioral1
Sample
b8f925e583f322b25392ce1adb1387982f3263ea03e7b4ad82b707a5f11bab58.iso
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
b8f925e583f322b25392ce1adb1387982f3263ea03e7b4ad82b707a5f11bab58.iso
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
out.iso
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
out.iso
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
Documenti di spedizione 000199938848500.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Documenti di spedizione 000199938848500.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
$PROGRAMFILES/staalarbejders/Citronsafter.txt
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
$PROGRAMFILES/staalarbejders/Citronsafter.txt
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
$PROGRAMFILES/staalarbejders/Evalueringsrutines.fol
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
$PROGRAMFILES/staalarbejders/Evalueringsrutines.fol
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
$PROGRAMFILES/staalarbejders/Hydropterideae.ele
Resource
win7-20240704-en
Behavioral task
behavioral14
Sample
$PROGRAMFILES/staalarbejders/Hydropterideae.ele
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
$PROGRAMFILES/staalarbejders/Telefonbger.knu
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
$PROGRAMFILES/staalarbejders/Telefonbger.knu
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
Forskelsstempledes/Helgener.und
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
Forskelsstempledes/Helgener.und
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
Forskelsstempledes/blodserumernes.all
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
Forskelsstempledes/blodserumernes.all
Resource
win10v2004-20240802-en
Behavioral task
behavioral21
Sample
Forskelsstempledes/echapppqr.soc
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
Forskelsstempledes/echapppqr.soc
Resource
win10v2004-20240802-en
Behavioral task
behavioral23
Sample
Forskelsstempledes/primaterne.bal
Resource
win7-20240708-en
Behavioral task
behavioral24
Sample
Forskelsstempledes/primaterne.bal
Resource
win10v2004-20240802-en
General
-
Target
$PROGRAMFILES/staalarbejders/Telefonbger.knu
-
Size
52KB
-
MD5
5044e84bc1ae30a8ab16fc6211ceb5ff
-
SHA1
0668bfbb7c58a9b787ab2a1e174d99db070dcd7a
-
SHA256
a5e07e1ed61b4a6b6378610f6c8c5a46c61f713d1bb041aeba18ee044056b5a6
-
SHA512
2a757b88c4794712db072966366b1122fe19317a20986f543b14fb5fcc956faa83e5079f71057a2cf7a591abd1897799e0d90b5bab21be5f28878607596e164e
-
SSDEEP
1536:YCuvtDh6dKLvRFfRW65RfIPZ9on8MPbqpR:YCuNh6GvXJlQXAqpR
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\knu_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\knu_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\.knu\ = "knu_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\knu_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\.knu rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\knu_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\knu_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\knu_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2520 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2520 AcroRd32.exe 2520 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2736 wrote to memory of 2724 2736 cmd.exe 29 PID 2736 wrote to memory of 2724 2736 cmd.exe 29 PID 2736 wrote to memory of 2724 2736 cmd.exe 29 PID 2724 wrote to memory of 2520 2724 rundll32.exe 30 PID 2724 wrote to memory of 2520 2724 rundll32.exe 30 PID 2724 wrote to memory of 2520 2724 rundll32.exe 30 PID 2724 wrote to memory of 2520 2724 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\staalarbejders\Telefonbger.knu1⤵
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\staalarbejders\Telefonbger.knu2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\staalarbejders\Telefonbger.knu"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2520
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD50276ce3b10a14c2a702b554fc43e4425
SHA18d40d68a980a11c95e76ccb03ee5ae19ea7c9173
SHA2560a4a00531f0b45beddcedc4f930dd5b371bbd4ca7b4f0e2998bcdc08f290e107
SHA512fba9ea16f7c7e62476e053568a1751dcf12e146f644c6f37ecd64b22d80ca39eaeee4f170cd7432af5a1ba272f32149969ea3f21d3588dad16c291862d1f90a7