Analysis

  • max time kernel
    118s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22-10-2024 14:03

General

  • Target

    Sprawl.exe

  • Size

    859KB

  • MD5

    47fd98348b7d314e4e9dae46e5f1e1a1

  • SHA1

    cafe48404707e61235bfbe6646d8072af4298e21

  • SHA256

    125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1

  • SHA512

    8a1deda7d7e8e80d8b2e62ad0d9d4400b1d865ea322955e577fc439a8a0f1d6d3cb912397ecb6458941fd7fd566c1fdbdf4c4ed02c72234fa543bfcb45db845a

  • SSDEEP

    12288:l9/IyjazmRR+BZhOLlpJjdCPwwdw6ETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZzz:/A/KqZhOnJdyzp+alCJmvulW6Nd0vo

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Sprawl.exe
    "C:\Users\Admin\AppData\Local\Temp\Sprawl.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2932
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    c786fdc8d6b86c034144cb0426006ed0

    SHA1

    3dd58853ae13bd815aab6345f594b9d195b94aec

    SHA256

    e8d5e62ebac31c0e075babafd2db24d407139eb3edb2da515f214a0e690d6b68

    SHA512

    ae403bc3408a8ed4feeaa1c9a26c455519ae50c88acde47eab20f6ad959a09e485dce915d731abadb5b5f0a96e315fcb9082dac73d5a99037953cf11882b9ba9

  • memory/2932-9-0x0000000074381000-0x0000000074382000-memory.dmp

    Filesize

    4KB

  • memory/2932-15-0x0000000074380000-0x000000007492B000-memory.dmp

    Filesize

    5.7MB

  • memory/2932-16-0x0000000074380000-0x000000007492B000-memory.dmp

    Filesize

    5.7MB

  • memory/2932-17-0x0000000074380000-0x000000007492B000-memory.dmp

    Filesize

    5.7MB