Analysis
- max time kernel: 121s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 23-10-2024 01:37
Static task: static1
Behavioral task: behavioral1
- Sample: 9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718.exe
- Resource: win10v2004-20241007-en
Behavioral task: behavioral3
- Sample: Udlaanslofterne/Incuss.ps1
- Resource: win7-20240903-en
Behavioral task: behavioral4
- Sample: Udlaanslofterne/Incuss.ps1
- Resource: win10v2004-20241007-en
General
- Target: 9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718.exe
- Size: 859KB
- MD5: de02502f79bc183714a9dfe879831170
- SHA1: c1fd975e0df663fd49e86ae1453d0ad3eccacea8
- SHA256: 9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718
- SHA512: c921e2e02ed0969ad66ae503e3cc83d0e2a3c3d6d43814c8b31c3b8606cde77e6f39c9a4b41088c0718b182a84dc29cae5f609dff872e98dcd00ef28c58b6415
- SSDEEP: 12288:l9LVa31WR5y/seQ/33WcLvfLn/ETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZz0maD:/D5y/+/vfD/+alCJmvulW6Nd0vD
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell with the display window hidden.
  Processes:
    PID 1516  powershell.exe
    PID 2880  powershell.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description, IoC, process):
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    PID 1516  powershell.exe
    PID 2880  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, PID, process):
    Token: SeDebugPrivilege  1516  powershell.exe
    Token: SeDebugPrivilege  2880  powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, PID, process, target process):
    PID 804 wrote to memory of 1516  804  9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718.exe  powershell.exe  (recorded 4 times)
    PID 804 wrote to memory of 2880  804  9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718.exe  powershell.exe  (recorded 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718.exe (PID 804, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1516, level 2)
    Command line: "powershell.exe" -windowstyle hidden "$fkale=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen';$Humongous=$fkale.SubString(4177,3);.$Humongous($fkale)"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2880, level 2)
    Command line: "powershell.exe" -windowstyle hidden "$fkale=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen';$Humongous=$fkale.SubString(4177,3);.$Humongous($fkale)"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 777a7dcac92eec986eaf0ac0c5022e43
  SHA1: dcee28c8ba00a786025e770a7750a46e98851a71
  SHA256: c70b746a9c00e03baed8c6e69c1d48173af067815bac8aa8d3dcd9f8f0959efd
  SHA512: bfee2d6b9193d10db56ef28204e5e137185e7a5c80fb17fc3bd5f90aa09f7ddadb38624e336785b09b698944a4eed315b1a726ebeb9b4108a7e483c11e89153e