Overview

overview

10

Static

static

1

MRP00108 &...87.rar

windows7-x64

1

MRP00108 &...87.rar

windows10-2004-x64

1

MRP00108 &...87.exe

windows7-x64

4

MRP00108 &...87.exe

windows10-2004-x64

10

Filterintegration.ps1

windows7-x64

3

Filterintegration.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    09-12-2024 08:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MRP00108 & SDA00687.exe

  • Size

    710KB

  • MD5

    9fc11ee03f60a10e4a2f26edbf8fcdaf

  • SHA1

    7ed74a2e69bd49aadc4716a420dcacea97e220d7

  • SHA256

    30d74b831f98532075daed442b93067c7ce8846d7cbd557f43a13922840b698a

  • SHA512

    ee2d8b55b9b2b2d3e5cf867688236299a5585be3a7516dc8027e9965b2ac7354f1bf84fcf9f998af7ed185f8b36bbfd1b1a0e6d5a41b65a6d4ed06f722382adf

  • SSDEEP

    12288:X6qSGX12mgYtQvCOgMAwhsuiB/IhyrWQIUbMZHBeGoOO+XKCR6i0EYuCn0a:HJX1YBvCHMquiBJaQ/eBeGoOOKKCR655

Score
4/10
discoveryexecution

Malware Config

Signatures

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MRP00108 & SDA00687.exe
    "C:\Users\Admin\AppData\Local\Temp\MRP00108 & SDA00687.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle minimized "$Uforenelige=gc -Raw 'C:\Users\Admin\AppData\Local\Country216\Filterintegration.Eks';$indefencibly=$Uforenelige.SubString(2896,3);.$indefencibly($Uforenelige)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2544

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2544-7-0x00000000736B1000-0x00000000736B2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2544-9-0x00000000736B0000-0x0000000073C5B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2544-10-0x00000000736B0000-0x0000000073C5B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2544-8-0x00000000736B0000-0x0000000073C5B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2544-11-0x00000000736B0000-0x0000000073C5B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2544-12-0x00000000736B0000-0x0000000073C5B000-memory.dmp

    Filesize

    5.7MB

    Download