Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 09:21

General

  • Target

    RFQ for WIKA_pdf.exe

  • Size

    643KB

  • MD5

    0292cf3982c9b1a9fab696af01ba5b16

  • SHA1

    cc9d0d3e5b2ab552a627b2c506c7bdc0706e100e

  • SHA256

    f32af695424c19ad7ba48fc23dee2d20cbf4263103e35309199890eeadc017d8

  • SHA512

    1e4364b00ae0f3dde146a4724f175ea47af1ecafd34c57cbf8140d2aaa4e50a40a6b9693d7a8b7163d291c2f6b51fa1a84f1c85e98d700accbc4281631fd917c

  • SSDEEP

    12288:BnMDf3lusde5obg6dhvfUXZ2Kd1xiPueC+LC6D:mDf35YkHDqkPueC+26

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ for WIKA_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ for WIKA_pdf.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$enumeration=Get-Content -raw 'C:\Users\Admin\AppData\Local\Sonneteeress42\Nonusurpingly208\Reprsentantselskaberne.Bit';$Noret=$enumeration.SubString(7806,3);.$Noret($enumeration) "
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2484

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2484-9-0x0000000073681000-0x0000000073682000-memory.dmp
    Filesize: 4KB
  • memory/2484-10-0x0000000073680000-0x0000000073C2B000-memory.dmp
    Filesize: 5.7MB
  • memory/2484-11-0x0000000073680000-0x0000000073C2B000-memory.dmp
    Filesize: 5.7MB
  • memory/2484-13-0x0000000073680000-0x0000000073C2B000-memory.dmp
    Filesize: 5.7MB
  • memory/2484-12-0x0000000073680000-0x0000000073C2B000-memory.dmp
    Filesize: 5.7MB
  • memory/2484-14-0x0000000073680000-0x0000000073C2B000-memory.dmp
    Filesize: 5.7MB