Analysis
- max time kernel: 90s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2024 02:36
Static task: static1
Behavioral task: behavioral1
- Sample: 5d03acf2ac90c88be47bd3ae811fcc7ebfb7e8cc0018c3eda2c205b0bb4ba90c.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: 5d03acf2ac90c88be47bd3ae811fcc7ebfb7e8cc0018c3eda2c205b0bb4ba90c.exe
- Resource: win10v2004-20241007-en
Behavioral task: behavioral3
- Sample: Fraiche.ps1
- Resource: win7-20241010-en
Behavioral task: behavioral4
- Sample: Fraiche.ps1
- Resource: win10v2004-20241007-en
General
- Target: 5d03acf2ac90c88be47bd3ae811fcc7ebfb7e8cc0018c3eda2c205b0bb4ba90c.exe
- Size: 1.1MB
- MD5: 6d3f0aac19f5bae4c91bb3371b867852
- SHA1: d63b777dd2fd2a1663bafb85948fa56477935796
- SHA256: 5d03acf2ac90c88be47bd3ae811fcc7ebfb7e8cc0018c3eda2c205b0bb4ba90c
- SHA512: 46f717d0a28a490e2631620f8be91d8b603d872c5db6fe59e062d3dd10fb7c4e5351f73ff65dd451acb790fe3a49a4494c7bd49e5e2ba1b87cb4ba71df7fa530
- SSDEEP: 24576:QS8Rx57ZVv0of1RkVZzoOQxdVo18vBtpPibYy:uzZnv0of1RkgOQxdGctwr
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Runs PowerShell with the display window hidden.
  pid 2124, process powershell.exe
- Drops file in System32 directory (1 IoCs)
  File created: C:\Windows\SysWOW64\afstresningernes.lnk, process 5d03acf2ac90c88be47bd3ae811fcc7ebfb7e8cc0018c3eda2c205b0bb4ba90c.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process 5d03acf2ac90c88be47bd3ae811fcc7ebfb7e8cc0018c3eda2c205b0bb4ba90c.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process powershell.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid 2124, process powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, pid 2124, process powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2296 wrote to memory of 2124; pid 2296, process 5d03acf2ac90c88be47bd3ae811fcc7ebfb7e8cc0018c3eda2c205b0bb4ba90c.exe, procid_target 30 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\5d03acf2ac90c88be47bd3ae811fcc7ebfb7e8cc0018c3eda2c205b0bb4ba90c.exe (PID 2296)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5d03acf2ac90c88be47bd3ae811fcc7ebfb7e8cc0018c3eda2c205b0bb4ba90c.exe"
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2124)
    Command line: powershell.exe -windowstyle hidden "$Haokah=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\groupies\Fraiche.Cui';$Ssterskibets=$Haokah.SubString(53203,3);.$Ssterskibets($Haokah)"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken