Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-09-2024 01:40

General

  • Target
    9f40759902174555ab1294eb92ae2d17ad2698d2e0e68694edbb9684bdab7692.exe
  • Size
    1.0MB
  • MD5
    94c700b33fb2a1aa2bd02f13750cca75
  • SHA1
    abe3abd4f60778dfa694a8fc54b9d1037a248132
  • SHA256
    9f40759902174555ab1294eb92ae2d17ad2698d2e0e68694edbb9684bdab7692
  • SHA512
    b1962793a313490385ce265763a05585abf1793336ffbbb853fc64b6807e35ec98b28daebe147f98bb901a804ce88bc930c33b7938f31b51b9c9a0c258decc5a
  • SSDEEP
    12288:5faWYFsj2FYoIAyPn4/SLfP2Udh1rtZJi3l/zSL6WKuwpbt+jBL/nepC:ldeXi4/42Up5KV/zSOWlabAjNnKC

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f40759902174555ab1294eb92ae2d17ad2698d2e0e68694edbb9684bdab7692.exe
    "C:\Users\Admin\AppData\Local\Temp\9f40759902174555ab1294eb92ae2d17ad2698d2e0e68694edbb9684bdab7692.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle minimized "$Mahjongg=Get-Content 'C:\Users\Admin\AppData\Roaming\chondriosome\retskrivningssystemer\Laccolitic51.Suk151';$Chefen128=$Mahjongg.SubString(11975,3);.$Chefen128($Mahjongg)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1584

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\nso4E7F.tmp\nsExec.dll
    Filesize
    7KB
    MD5
    5d63878da0cda0b331e80e43e3d3c2fa
    SHA1
    749b02a5bceb2d1f8a912dfaf40fe8c3b082bf58
    SHA256
    21eb98aa735fc4b4072e670a78f1e5802b3d3c950bef72e32f573dd514ac7f18
    SHA512
    240ccbd96bbf5d4608778b91ab14b73b20771fff3763e8df04a9df83f5371d4ada64b5b6cc262626927ee1c13fc0d98bfaaa0332786c0af588a4c24924575ed1
  • memory/1584-16-0x0000000073E41000-0x0000000073E42000-memory.dmp
    Filesize
    4KB
  • memory/1584-17-0x0000000073E40000-0x00000000743EB000-memory.dmp
    Filesize
    5.7MB
  • memory/1584-18-0x0000000073E40000-0x00000000743EB000-memory.dmp
    Filesize
    5.7MB
  • memory/1584-19-0x0000000073E40000-0x00000000743EB000-memory.dmp
    Filesize
    5.7MB
  • memory/1584-20-0x0000000073E40000-0x00000000743EB000-memory.dmp
    Filesize
    5.7MB