Analysis

  • max time kernel
    121s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-10-2024 01:37

General

  • Target

    9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718.exe

  • Size

    859KB

  • MD5

    de02502f79bc183714a9dfe879831170

  • SHA1

    c1fd975e0df663fd49e86ae1453d0ad3eccacea8

  • SHA256

    9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718

  • SHA512

    c921e2e02ed0969ad66ae503e3cc83d0e2a3c3d6d43814c8b31c3b8606cde77e6f39c9a4b41088c0718b182a84dc29cae5f609dff872e98dcd00ef28c58b6415

  • SSDEEP

    12288:l9LVa31WR5y/seQ/33WcLvfLn/ETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZz0maD:/D5y/+/vfD/+alCJmvulW6Nd0vD

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718.exe
    "C:\Users\Admin\AppData\Local\Temp\9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:804
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$fkale=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen';$Humongous=$fkale.SubString(4177,3);.$Humongous($fkale)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1516
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$fkale=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen';$Humongous=$fkale.SubString(4177,3);.$Humongous($fkale)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2880

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    777a7dcac92eec986eaf0ac0c5022e43

    SHA1

    dcee28c8ba00a786025e770a7750a46e98851a71

    SHA256

    c70b746a9c00e03baed8c6e69c1d48173af067815bac8aa8d3dcd9f8f0959efd

    SHA512

    bfee2d6b9193d10db56ef28204e5e137185e7a5c80fb17fc3bd5f90aa09f7ddadb38624e336785b09b698944a4eed315b1a726ebeb9b4108a7e483c11e89153e

  • memory/1516-9-0x0000000073B11000-0x0000000073B12000-memory.dmp

    Filesize

    4KB

  • memory/1516-10-0x0000000073B10000-0x00000000740BB000-memory.dmp

    Filesize

    5.7MB

  • memory/1516-11-0x0000000073B10000-0x00000000740BB000-memory.dmp

    Filesize

    5.7MB

  • memory/1516-12-0x0000000073B10000-0x00000000740BB000-memory.dmp

    Filesize

    5.7MB

  • memory/1516-18-0x0000000073B10000-0x00000000740BB000-memory.dmp

    Filesize

    5.7MB