Analysis

- max time kernel: 239s
- max time network: 240s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 23-10-2024 13:33
Static task: static1

Behavioral tasks:

- behavioral1: sample PAGO FRAS. AGOSTO 2024..exe, resource win7-20240729-en
- behavioral2: sample PAGO FRAS. AGOSTO 2024..exe, resource win10v2004-20241007-en
- behavioral3: sample Vesperkost.ps1, resource win7-20241010-en
- behavioral4: sample Vesperkost.ps1, resource win10v2004-20241007-en
General

- Target: PAGO FRAS. AGOSTO 2024..exe
- Size: 900KB
- MD5: d2bb55d90b4fe13d981297c8f452e810
- SHA1: e35c73e93bef613a1aa1cb7707b8cde2489df897
- SHA256: a286c68d65f2582414caf8229aeaba8365d7b84de92c5da4c39b7482136b5271
- SHA512: 875819a87d64cee9a3d9f4e9afb84adca711d72d7b8a5b3837cd22abff017e57434b8a0de7502118e2a16aaada2d3ab4d89a3cc8db0207d22278ae6046ef4547
- SSDEEP: 24576:obu96/xtr62ldmWFZD6lm7Pytae6/B1Gl:vC3tmKZgm7OjGB1Gl
Malware Config
Signatures

- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Run PowerShell and hide display window.
  Processes:
  - PID 2904 powershell.exe
  - PID 376 powershell.exe
- Drops file in Windows directory (4 IoCs)
  Files opened for modification by PAGO FRAS. AGOSTO 2024..exe:
  - C:\Windows\resources\0409\diaspidine.Inq
  - C:\Windows\resources\Nebengeschfter.ini
  - C:\Windows\resources\0409\gildes.lak
  - C:\Windows\Fonts\thyrididae.ini
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes that opened the key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language:
  - powershell.exe
  - PAGO FRAS. AGOSTO 2024..exe
  - powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - PID 2904 powershell.exe
  - PID 376 powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 2904 powershell.exe
  - Token: SeDebugPrivilege, PID 376 powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  - PID 1464 PAGO FRAS. AGOSTO 2024..exe wrote to memory of PID 2904 powershell.exe (4 events)
  - PID 1464 PAGO FRAS. AGOSTO 2024..exe wrote to memory of PID 376 powershell.exe (4 events)
Processes

- C:\Users\Admin\AppData\Local\Temp\PAGO FRAS. AGOSTO 2024..exe (PID 1464, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PAGO FRAS. AGOSTO 2024..exe"
  Signatures:
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2904, level 2)
    Command line: "powershell.exe" -windowstyle hidden "$Brankedes=Get-Content -raw 'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Vesperkost.Ufo';$Udskibningshavnene=$Brankedes.SubString(28086,3);.$Udskibningshavnene($Brankedes)"
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 376, level 2)
    Command line: "powershell.exe" -windowstyle hidden "$Brankedes=Get-Content -raw 'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Vesperkost.Ufo';$Udskibningshavnene=$Brankedes.SubString(28086,3);.$Udskibningshavnene($Brankedes)"
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- Dropped file (803B)
  - Filesize: 803B
  - MD5: 47027ef7e3a1709e131ffb08a50b6be2
  - SHA1: 1516a214287a748dd3e02d73d8373a0baeddf352
  - SHA256: 4997726a61b3c10d6a7ed878463f680007b13dcd9533aa310b28888967d17d32
  - SHA512: 90d60995db3dca664f59a3780e7b141bc66fee80034d0372e2e8e90baf6acbc6ed8ca6da25e8d937a24b4aec057c260762fd351e4dd73f1a7aa179a4d87298ff
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  - Filesize: 7KB
  - MD5: dd47f48be4a39dfb6e6e01abcfa96191
  - SHA1: 66f5dd8bcb74285b8472944185de12b9dcb4bb9f
  - SHA256: 383748e1e1271781636ddfb83bbdc5685fba0c0aafae3c251c931e9a3b1d4a91
  - SHA512: 348df3f5bc011dfac92bf05c91ed82cf8a39875c710f498ab38f5231eeeb7894214c49ea229348bbfcf53f5499ef04eea50fdb001f0601d4c5efe1e6497ffc30
- Dropped file (32B)
  - Filesize: 32B
  - MD5: 53898e643bd3e0ca22a462325ad62da4
  - SHA1: e0f08a75fa5219f39e49c1b9f361119905da7d02
  - SHA256: b947991000aea669ebfeadfb12de45121d46ad3dfd02296f373f9bf8ce4f1aff
  - SHA512: aa17b99a93a04f7bbbb92f34c15921da80e20592a39b3921f1d3cc59fae55f66196b2be4f56716846daff041253cb63d7e373b84234d451181c87f1d097fe8ca