Overview

overview

10

Static

static

3

rCommercia...df.exe

windows7-x64

5

rCommercia...df.exe

windows10-2004-x64

10

Tablespoon...al.ps1

windows7-x64

3

Tablespoon...al.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-10-2024 14:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rCommercialoffer_Technicaloffer_pdf.exe

  • Size

    642KB

  • MD5

    4806339fc2f24f3bab7fb6620826d603

  • SHA1

    edc14208fcbd256801a2062dde49a52dd4f2890d

  • SHA256

    5e0c5d2342ce0c3460d6c853a64efc16a89b9fe93372334d78163dfe7efb7e12

  • SHA512

    70f75834b884a5a1309ca4b52b4b8d01ed63bccfd22e9fa9035ae3ac83582e46325de6f91bf39fd391db531117579170391f1a7710e8ccf67833d962b44b2182

  • SSDEEP

    12288:ggu58UO/0Li3SaNlPhq7P9ekopAAT26ZvgVlmee/6BRERMHA+5QpU:gguuv0LPaNbqT9R2vgNeyTERMgm

Score
5/10
discoveryexecution

Malware Config

Signatures

  • Drops file in System32 directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rCommercialoffer_Technicaloffer_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\rCommercialoffer_Technicaloffer_pdf.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle 1 "$Skiftebehandling=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\forurettendes\interventral\Tablespoonsful\Hpital.Svm';$thiosinamine=$Skiftebehandling.SubString(56308,3);.$thiosinamine($Skiftebehandling)
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2516

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2516-8-0x0000000074341000-0x0000000074342000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2516-9-0x0000000074340000-0x00000000748EB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2516-10-0x0000000074340000-0x00000000748EB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2516-11-0x0000000074340000-0x00000000748EB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2516-12-0x0000000074340000-0x00000000748EB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2516-13-0x0000000074340000-0x00000000748EB000-memory.dmp

    Filesize

    5.7MB

    Download