Overview

overview

8

Static

static

1

a11afeaa9b...39.exe

windows7-x64

8

a11afeaa9b...39.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    92s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 07:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a11afeaa9b2aaa0dcb386223ebae75f9cee5e6ee0dc3c1c29fcf9ba44f496c39.exe

  • Size

    816KB

  • MD5

    adaf13e72e6520b5a931a674f0f23e60

  • SHA1

    7e37eb41761675b7b6d643f83fb14c5d25212044

  • SHA256

    a11afeaa9b2aaa0dcb386223ebae75f9cee5e6ee0dc3c1c29fcf9ba44f496c39

  • SHA512

    a558866436cc8635633447c0290319e003dca2466ae2b81bbeaa7edfe1feda3d6a658d3a0a05eda10345965cc43219b2e2a1e2239eb3239f12909d8dc6033334

  • SSDEEP

    12288:G7MoUURtRl071HsUCcQ7AYGyCR5EvlP9Ia8GIbPYkAdwvLRPC6Oe73MFc:mL5tXwMUxQ7A7REIacPYkAevLRPJy

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Blocklisted process makes network request 5 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a11afeaa9b2aaa0dcb386223ebae75f9cee5e6ee0dc3c1c29fcf9ba44f496c39.exe
    "C:\Users\Admin\AppData\Local\Temp\a11afeaa9b2aaa0dcb386223ebae75f9cee5e6ee0dc3c1c29fcf9ba44f496c39.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3776
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Protoleucocyte=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\skittaget\lektier\Jories.Non';$Knaldgode=$Protoleucocyte.SubString(9598,3);.$Knaldgode($Protoleucocyte) "
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3496
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        PID:1292
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 1852
          4⤵
          • Program crash
          PID:2344
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1292 -ip 1292
    1⤵
      PID:392

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ywwpiv0g.tpm.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\skittaget\lektier\Fllesskoler.Tra157
      Filesize

      335KB

      MD5

      914568a6e2ad309288f9c18cdff44183

      SHA1

      12559e20ab5cb7b4558399cec356009568fe4d6a

      SHA256

      d0cebb69ca4feb808af76eaccd497a78cb7567f37c849f948488e912f8d14f85

      SHA512

      a991106537ec545184284a814a93ce8a804b16ac8d5ca270887977883a7946519f23bf41f793b48605490320c25fe46000ecba5db899d416fee03a238d7c5900

      Download Submit

    • C:\Users\Admin\AppData\Roaming\skittaget\lektier\Jories.Non
      Filesize

      71KB

      MD5

      bb77ce2f024b86b7eaafc1575d287958

      SHA1

      f3c906d61e6c7c55abc262746e1135c599a00822

      SHA256

      41dd16c572f42f1aa912c7075fa065a8af108b18c326e9f2d452fee9b253037c

      SHA512

      5a07a915c602cb876d8b5d3928e62503cb0cc813f38a3bd10090a9eb95e0195872299960b5d6c8976a360636c169bf560b7b7ab16bbb6ce14b7385787cd41736

      Download Submit

    • memory/1292-82-0x0000000000C00000-0x0000000001E54000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/1292-81-0x0000000000C00000-0x0000000001E54000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3496-48-0x0000000074630000-0x0000000074DE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3496-49-0x0000000074630000-0x0000000074DE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3496-23-0x00000000055D0000-0x0000000005636000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3496-24-0x00000000057B0000-0x0000000005816000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3496-25-0x0000000005820000-0x0000000005B74000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3496-26-0x0000000005C70000-0x0000000005C8E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3496-27-0x0000000005CD0000-0x0000000005D1C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3496-28-0x0000000006C50000-0x0000000006CE6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3496-29-0x0000000006180000-0x000000000619A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3496-30-0x00000000061D0000-0x00000000061F2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3496-31-0x00000000072E0000-0x0000000007884000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3496-12-0x0000000074630000-0x0000000074DE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3496-33-0x0000000007F10000-0x000000000858A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3496-34-0x00000000070D0000-0x0000000007102000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3496-35-0x0000000070450000-0x000000007049C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3496-38-0x0000000074630000-0x0000000074DE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3496-36-0x00000000705D0000-0x0000000070924000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3496-8-0x000000007463E000-0x000000007463F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3496-47-0x0000000007110000-0x000000000712E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3496-13-0x0000000005500000-0x0000000005522000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3496-50-0x0000000007140000-0x00000000071E3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/3496-51-0x0000000007240000-0x000000000724A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3496-52-0x0000000007280000-0x00000000072AA000-memory.dmp

      Filesize

      168KB

      Download

    • memory/3496-53-0x00000000072B0000-0x00000000072D4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/3496-55-0x0000000074630000-0x0000000074DE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3496-54-0x000000007463E000-0x000000007463F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3496-56-0x0000000074630000-0x0000000074DE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3496-57-0x0000000074630000-0x0000000074DE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3496-58-0x0000000074630000-0x0000000074DE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3496-11-0x0000000074630000-0x0000000074DE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3496-60-0x0000000074630000-0x0000000074DE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3496-61-0x0000000074630000-0x0000000074DE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3496-63-0x0000000074630000-0x0000000074DE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3496-62-0x0000000008590000-0x000000000CB2E000-memory.dmp

      Filesize

      69.6MB

      Download

    • memory/3496-64-0x0000000074630000-0x0000000074DE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3496-66-0x0000000074630000-0x0000000074DE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3496-67-0x0000000074630000-0x0000000074DE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3496-68-0x0000000074630000-0x0000000074DE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3496-10-0x0000000004ED0000-0x00000000054F8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3496-9-0x0000000002690000-0x00000000026C6000-memory.dmp

      Filesize

      216KB

      Download