5b23cfc94f6d1f5ecc2f38f0094ba78cf1496889d2d0f20453fec8cdebe6c2f1

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b23cfc94f6d1f5ecc2f38f0094ba78cf1496889d2d0f20453fec8cdebe6c2f1N.exe
Size

1000KB
MD5

d91a875cc245f3f2ba13a97c427d5880
SHA1

39129185ab93c2ba972797c76434a59f950f4428
SHA256

5b23cfc94f6d1f5ecc2f38f0094ba78cf1496889d2d0f20453fec8cdebe6c2f1
SHA512

2a5dc3ee1c4c77248e50661c81df007b3c08c95a9648a37cf1abe53a4dd64a10d90d0a9cf50222d65773718f9e0255426ad8bab2da8c8c76b6a3e7bdbbb7e43c
SSDEEP

24576:2NluSo4pxUzQcRhTfu4VI6vxoX9FRd/1zVg/X7VwP+jwqjXInHXUF/GmEZet2gk8:2NluSo4pxUzQcRhTfu4VI6vxoX9FRdNY

Score

5^/10

discovery execution

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mycetophilidae\Megalethoscope.ini	5b23cfc94f6d1f5ecc2f38f0094ba78cf1496889d2d0f20453fec8cdebe6c2f1N.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\opstalt.ini	5b23cfc94f6d1f5ecc2f38f0094ba78cf1496889d2d0f20453fec8cdebe6c2f1N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\tekkkenerne.laa	5b23cfc94f6d1f5ecc2f38f0094ba78cf1496889d2d0f20453fec8cdebe6c2f1N.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1408	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b23cfc94f6d1f5ecc2f38f0094ba78cf1496889d2d0f20453fec8cdebe6c2f1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1408	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1408	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 1408	2644	5b23cfc94f6d1f5ecc2f38f0094ba78cf1496889d2d0f20453fec8cdebe6c2f1N.exe	30
PID 2644 wrote to memory of 1408	2644	5b23cfc94f6d1f5ecc2f38f0094ba78cf1496889d2d0f20453fec8cdebe6c2f1N.exe	30
PID 2644 wrote to memory of 1408	2644	5b23cfc94f6d1f5ecc2f38f0094ba78cf1496889d2d0f20453fec8cdebe6c2f1N.exe	30
PID 2644 wrote to memory of 1408	2644	5b23cfc94f6d1f5ecc2f38f0094ba78cf1496889d2d0f20453fec8cdebe6c2f1N.exe	30

C:\Users\Admin\AppData\Local\Temp\5b23cfc94f6d1f5ecc2f38f0094ba78cf1496889d2d0f20453fec8cdebe6c2f1N.exe
"C:\Users\Admin\AppData\Local\Temp\5b23cfc94f6d1f5ecc2f38f0094ba78cf1496889d2d0f20453fec8cdebe6c2f1N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle 1 "$Sammis=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\gangrenescent\stiltedness\Tegnmaessig.Peb';$edaphodont=$Sammis.SubString(57021,3);.$edaphodont($Sammis)
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\opstalt.ini

Filesize
31B

MD5
81d8c2c8ad8f0fc0a7a2ab1adaab83dd

SHA1
9d039931626cf960391c728870c78477f3a05436

SHA256
bd9d5e85a1c13119bad506a2523c665d363465506e17aab92407d43eceb5d509

SHA512
cfef482bdd7b5a253ce68f61d5d69cb4fb96b8b8e5ff18355998aa8c9cda34f32431938a5bed76762ddc2b66413107976cd89ed82edfb40a06af2a9769d75f09

Download Submit
memory/1408-129-0x0000000073841000-0x0000000073842000-memory.dmp

Filesize
4KB

Download
memory/1408-130-0x0000000073840000-0x0000000073DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1408-131-0x0000000073840000-0x0000000073DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1408-133-0x0000000073840000-0x0000000073DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1408-132-0x0000000073840000-0x0000000073DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1408-134-0x0000000073840000-0x0000000073DEB000-memory.dmp

Filesize
5.7MB

Download