Overview

overview

10

Static

static

3

SOLICITUD ...TA.exe

windows7-x64

8

SOLICITUD ...TA.exe

windows10-2004-x64

10

mnstring/c...ay.ps1

windows7-x64

3

mnstring/c...ay.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14/10/2024, 14:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SOLICITUD DE OFERTA.exe

  • Size

    1.2MB

  • MD5

    390f59bff9b8ae12634dabde225597a6

  • SHA1

    9f75d22f6a64e93432fc2f4556a346a70f3e766a

  • SHA256

    8b8937667354563a0742b19df2a43b3a780f6990996522ef97c6354e83a07f49

  • SHA512

    b736203f5c08d35df51c4f357d47c163af77b871ec96a58da67405bfb8d5d2c2a4961a0cf8f444d40364c063561f6ececc952da5861c9b5b81bdc91844876f5f

  • SSDEEP

    24576:voqqHmQ2mlKnSKkdyp/aYchYX2LeQObyCNHlJ7CU1GAb1NXou/ys:voZmQ7kSX1YchBNO+IbV1GAZWu/R

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE OFERTA.exe
    "C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE OFERTA.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Saltato=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\carinal\Coracosteon\mnstring\countersway.Udm';$Drivankret=$Saltato.SubString(9822,3);.$Drivankret($Saltato)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3028
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Saltato=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\carinal\Coracosteon\mnstring\countersway.Udm';$Drivankret=$Saltato.SubString(9822,3);.$Drivankret($Saltato)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2248

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    1381484021bc4bba5db5d048859b8f05

    SHA1

    25f173360c2621d074b8e193b8f318851f4fbd1b

    SHA256

    8df62134e735c181f28aab15a203108cbddbe494a70cef76d5429bd874d90c14

    SHA512

    a77a017437f03491544935bc288d3b5a83b1b6d2ced06eaea6b4f41977f598f30bf3642fbe6eee69c2cd2ce9b307e50fa3670111c153016a26c2038c1b916fe9

    Download Submit