208a58c11df2608ba40daf453a31ddd82230357077397f3b2f1a7645e881b232

Analysis

max time kernel
146s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0702/KWOTASIE.exe
Size

959KB
MD5

ecbec21dcfa39a1131d2a79acdf73f88
SHA1

6b9366674e34118ec2881ab8d0ae5a5f5077a44d
SHA256

ca595e27f24e0fc84bd5627ec36baae36bcc24018e638ed2ec7c7a6b1fe7b653
SHA512

5158aa940a2779ef4fbb4874fbef55135754c33d3370f0c3f807c082dc268a63eab099f03b8b855a65bf41dd3cf683b8284b728719e6935835aa7920a5aa6b9c
SSDEEP

24576:tzBRHciaGiPc8t11WID3jCJO30866tZPIJIRP6n:rRHciaGiL1MU2k3KSAJT

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2704	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2704	powershell.exe
2580	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2704 set thread context of 2580	2704	powershell.exe	33

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\scooterens.ind	KWOTASIE.exe
File opened for modification	C:\Windows\resources\Handlingplanernes\propopery.sal	KWOTASIE.exe
File opened for modification	C:\Windows\resources\0409\xanthochroi.ini	KWOTASIE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KWOTASIE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2704	powershell.exe
2704	powershell.exe
2704	powershell.exe
2704	powershell.exe
2704	powershell.exe
2704	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2704	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2704	1444	KWOTASIE.exe	30
PID 1444 wrote to memory of 2704	1444	KWOTASIE.exe	30
PID 1444 wrote to memory of 2704	1444	KWOTASIE.exe	30
PID 1444 wrote to memory of 2704	1444	KWOTASIE.exe	30
PID 2704 wrote to memory of 2580	2704	powershell.exe	33
PID 2704 wrote to memory of 2580	2704	powershell.exe	33
PID 2704 wrote to memory of 2580	2704	powershell.exe	33
PID 2704 wrote to memory of 2580	2704	powershell.exe	33
PID 2704 wrote to memory of 2580	2704	powershell.exe	33
PID 2704 wrote to memory of 2580	2704	powershell.exe	33

C:\Users\Admin\AppData\Local\Temp\0702\KWOTASIE.exe
"C:\Users\Admin\AppData\Local\Temp\0702\KWOTASIE.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Smitten=cat 'C:\Users\Admin\AppData\Local\Innoxious\Phantasies.ude';$Nebengeschftens=$Smitten.substring(78762,3);.$Nebengeschftens($Smitten)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Innoxious\Leddelingernes.Gir

Filesize
294KB

MD5
af97a27e9a77a40937410a3f779cddac

SHA1
6a3422be55263976fa91d7a0f998aa74a5280e98

SHA256
5022b68f80e7fe5aab1d8f15eeeadcf111a0000d890e855e73d083b5a872c0e4

SHA512
6a8fd4bf40bd6ee2be51be4db5ed5f7e57dcc1e559ba02fc19deb4374e21b985769003c7fbfcce2b058a7e2f006ce5158e61f238a995d6daea45c3cf81ae287c

Download Submit
C:\Users\Admin\AppData\Local\Innoxious\Phantasies.ude

Filesize
76KB

MD5
31a731aa8d5e8d9c0a5187ff85a83cff

SHA1
bbd52c93350d12b643f854d05f6156444a8fe30d

SHA256
e2e9d9772728bc5c3272c18a0a4031104c88c0b8cf9507834a6881499ba12912

SHA512
9a7e3fe4eaec8d6c47249c0e404cdd5a621b6528b978bc5e68bb3ed4e53ad5b8b6afe4cf9898214247e746603b387fdf4253fd4e300c655b1025f3c616caf4e3

Download Submit
memory/2580-21-0x0000000000260000-0x00000000012C2000-memory.dmp

Filesize
16.4MB

Download
memory/2704-10-0x0000000073BD1000-0x0000000073BD2000-memory.dmp

Filesize
4KB

Download
memory/2704-13-0x0000000073BD0000-0x000000007417B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-14-0x0000000073BD0000-0x000000007417B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-12-0x0000000073BD0000-0x000000007417B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-11-0x0000000073BD0000-0x000000007417B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-16-0x0000000073BD0000-0x000000007417B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-18-0x0000000073BD0000-0x000000007417B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-19-0x00000000066D0000-0x0000000008DE5000-memory.dmp

Filesize
39.1MB

Download
memory/2704-20-0x0000000073BD0000-0x000000007417B000-memory.dmp

Filesize
5.7MB

Download