Analysis

  • max time kernel
    75s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-11-2024 12:23

General

  • Target

    7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe

  • Size

    902KB

  • MD5

    04ef02931ad93c3c4376434c20f486f0

  • SHA1

    652201adcb624d1142aa01d7bde4dfc8977c1ea5

  • SHA256

    7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072

  • SHA512

    027685796daeee8a1bc38d57f5599ba9e62465f3aebddbe104bc3abd3b473f5ea1f9bb23486ac8688809d9fe5a176e9ec6e6a59ac568ef7458af0dbb6fa00a2c

  • SSDEEP

    12288:p5e/L/uQGchtN0FxSb7nT3tCMipEPfDurlKRFP7Pytafm6wY8yujWX6zZmvj1Gp:ebu6bN0FUb7FiWfD6lm7Pytae6/B1Gp

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell with a hidden display window.

  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe
    "C:\Users\Admin\AppData\Local\Temp\7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Momentaneously=Get-Content -raw 'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Dokumentationsniveau\Stockings.Cys';$Nontolerance95=$Momentaneously.SubString(3409,3);.$Nontolerance95($Momentaneously)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2836
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Momentaneously=Get-Content -raw 'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Dokumentationsniveau\Stockings.Cys';$Nontolerance95=$Momentaneously.SubString(3409,3);.$Nontolerance95($Momentaneously)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1404

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Damascenere.lnk

    Filesize

    803B

    MD5

    47027ef7e3a1709e131ffb08a50b6be2

    SHA1

    1516a214287a748dd3e02d73d8373a0baeddf352

    SHA256

    4997726a61b3c10d6a7ed878463f680007b13dcd9533aa310b28888967d17d32

    SHA512

    90d60995db3dca664f59a3780e7b141bc66fee80034d0372e2e8e90baf6acbc6ed8ca6da25e8d937a24b4aec057c260762fd351e4dd73f1a7aa179a4d87298ff

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Damascenere.lnk

    Filesize

    845B

    MD5

    33c43c48a267f35e2f7a7710fe21288b

    SHA1

    b2722c28b7a10f3e16e156fb141c3c8bcee50969

    SHA256

    489000c4675e9c9c3e93f5814482ac6de764645e2e1311bd2b7bf2aeda1e7eb6

    SHA512

    65de01dbc8ae08c2a14cddfb93ad3ffcc45552cf25498f5eb5821f557aced18202580f74609e72a075a3fbd141f2bfbf00f1805e07d8e70bbd3b0c53a8654987

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    663c8dc7fe5a58579b74b00b44d11212

    SHA1

    4f1a265dc9a6529918d31b76bd112d0026a2ac8d

    SHA256

    52f1d980c85033a2ca9a3bbd4c5d04df9a05cabddecb9c55ad8e0467395cf5be

    SHA512

    3751420fc5b6e0b6f10c59ddb6180e1693f269432dee2a704bd448c234c9bd02eaf7307140565f4f935f6545aaf2751483d9f0d1b3cb6517537707d33a3a8d4d

  • C:\Windows\Resources\Nebengeschfter.ini

    Filesize

    32B

    MD5

    53898e643bd3e0ca22a462325ad62da4

    SHA1

    e0f08a75fa5219f39e49c1b9f361119905da7d02

    SHA256

    b947991000aea669ebfeadfb12de45121d46ad3dfd02296f373f9bf8ce4f1aff

    SHA512

    aa17b99a93a04f7bbbb92f34c15921da80e20592a39b3921f1d3cc59fae55f66196b2be4f56716846daff041253cb63d7e373b84234d451181c87f1d097fe8ca

  • memory/2836-169-0x0000000073B81000-0x0000000073B82000-memory.dmp

    Filesize

    4KB

  • memory/2836-170-0x0000000073B80000-0x000000007412B000-memory.dmp

    Filesize

    5.7MB

  • memory/2836-171-0x0000000073B80000-0x000000007412B000-memory.dmp

    Filesize

    5.7MB

  • memory/2836-174-0x0000000073B80000-0x000000007412B000-memory.dmp

    Filesize

    5.7MB

  • memory/2836-327-0x0000000073B80000-0x000000007412B000-memory.dmp

    Filesize

    5.7MB