Analysis
-
max time kernel
75s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
02-11-2024 12:23
Static task
static1
Behavioral task
behavioral1
Sample
7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Dokumentationsniveau/Stockings.ps1
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Dokumentationsniveau/Stockings.ps1
Resource
win10v2004-20241007-en
General
-
Target
7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe
-
Size
902KB
-
MD5
04ef02931ad93c3c4376434c20f486f0
-
SHA1
652201adcb624d1142aa01d7bde4dfc8977c1ea5
-
SHA256
7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072
-
SHA512
027685796daeee8a1bc38d57f5599ba9e62465f3aebddbe104bc3abd3b473f5ea1f9bb23486ac8688809d9fe5a176e9ec6e6a59ac568ef7458af0dbb6fa00a2c
-
SSDEEP
12288:p5e/L/uQGchtN0FxSb7nT3tCMipEPfDurlKRFP7Pytafm6wY8yujWX6zZmvj1Gp:ebu6bN0FUb7FiWfD6lm7Pytae6/B1Gp
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
Processes:
pid | Process
2836 | powershell.exe
1404 | powershell.exe
-
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | Process
File opened for modification | C:\Windows\resources\Nebengeschfter.ini | 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe
File opened for modification | C:\Windows\resources\0409\gildes.lak | 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe
File opened for modification | C:\Windows\Fonts\thyrididae.ini | 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe
File opened for modification | C:\Windows\resources\0409\diaspidine.Inq | 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | Process
2836 | powershell.exe
1404 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | Process
Token: SeDebugPrivilege | 2836 | powershell.exe
Token: SeDebugPrivilege | 1404 | powershell.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description | pid | Process | procid_target
PID 2092 wrote to memory of 2836 | 2092 | 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe | 30
PID 2092 wrote to memory of 2836 | 2092 | 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe | 30
PID 2092 wrote to memory of 2836 | 2092 | 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe | 30
PID 2092 wrote to memory of 2836 | 2092 | 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe | 30
PID 2092 wrote to memory of 1404 | 2092 | 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe | 32
PID 2092 wrote to memory of 1404 | 2092 | 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe | 32
PID 2092 wrote to memory of 1404 | 2092 | 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe | 32
PID 2092 wrote to memory of 1404 | 2092 | 7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe | 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe
"C:\Users\Admin\AppData\Local\Temp\7588c8b1634597293f6caed069525f90e356576ac0b83b3cb6004c31929f7072N.exe"
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -windowstyle hidden "$Momentaneously=Get-Content -raw 'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Dokumentationsniveau\Stockings.Cys';$Nontolerance95=$Momentaneously.SubString(3409,3);.$Nontolerance95($Momentaneously)"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -windowstyle hidden "$Momentaneously=Get-Content -raw 'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Dokumentationsniveau\Stockings.Cys';$Nontolerance95=$Momentaneously.SubString(3409,3);.$Nontolerance95($Momentaneously)"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
803B
MD5
47027ef7e3a1709e131ffb08a50b6be2
SHA1
1516a214287a748dd3e02d73d8373a0baeddf352
SHA256
4997726a61b3c10d6a7ed878463f680007b13dcd9533aa310b28888967d17d32
SHA512
90d60995db3dca664f59a3780e7b141bc66fee80034d0372e2e8e90baf6acbc6ed8ca6da25e8d937a24b4aec057c260762fd351e4dd73f1a7aa179a4d87298ff
-
Filesize
845B
MD5
33c43c48a267f35e2f7a7710fe21288b
SHA1
b2722c28b7a10f3e16e156fb141c3c8bcee50969
SHA256
489000c4675e9c9c3e93f5814482ac6de764645e2e1311bd2b7bf2aeda1e7eb6
SHA512
65de01dbc8ae08c2a14cddfb93ad3ffcc45552cf25498f5eb5821f557aced18202580f74609e72a075a3fbd141f2bfbf00f1805e07d8e70bbd3b0c53a8654987
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB
MD5
663c8dc7fe5a58579b74b00b44d11212
SHA1
4f1a265dc9a6529918d31b76bd112d0026a2ac8d
SHA256
52f1d980c85033a2ca9a3bbd4c5d04df9a05cabddecb9c55ad8e0467395cf5be
SHA512
3751420fc5b6e0b6f10c59ddb6180e1693f269432dee2a704bd448c234c9bd02eaf7307140565f4f935f6545aaf2751483d9f0d1b3cb6517537707d33a3a8d4d
-
Filesize
32B
MD5
53898e643bd3e0ca22a462325ad62da4
SHA1
e0f08a75fa5219f39e49c1b9f361119905da7d02
SHA256
b947991000aea669ebfeadfb12de45121d46ad3dfd02296f373f9bf8ce4f1aff
SHA512
aa17b99a93a04f7bbbb92f34c15921da80e20592a39b3921f1d3cc59fae55f66196b2be4f56716846daff041253cb63d7e373b84234d451181c87f1d097fe8ca