Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24-12-2024 10:26

General

  • Target

    Technonomic.exe

  • Size

    759KB

  • MD5

    c174a412be6f74c3323ae8d6d4737086

  • SHA1

    c703daa5df8c281206a8d85b582b8a1b729748f5

  • SHA256

    bb71b94948e6929047bde8df94c187fbb6f2cc0119a0c386f84b9ea144aabd67

  • SHA512

    9f2b95174fd1283964ea61e6dbe07c450ed0a01aad6b3852c43ef6811a92878f0f123dfbc1f88b2cf05479a94af098591bd579f3c3581521819f3b12d20dfa42

  • SSDEEP

    12288:iDGZKmormA1bzZN13qv776npUyBsIpxBFmgI2uSb+zKikGOfj8UvbjSM+LLWwvpf:gmor/1/Z877oS8sEx/PI//zKNzpbNQLt

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Technonomic.exe
    "C:\Users\Admin\AppData\Local\Temp\Technonomic.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Spookological=gc -raw 'C:\Users\Admin\AppData\Local\magmaet\clenched\Ifrt.Syd';$Transporterede=$Spookological.SubString(26028,3);.$Transporterede($Spookological) "
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1816

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Resources\unthick.ini

    Filesize

    33B

    MD5

    e23f52386361095bdb7040b09e2216ae

    SHA1

    91f31dd82ab80140db621b6dce0b9b5d6b568723

    SHA256

    36467321184a76e0fea592d2896856a37ec18fc8480de66f05d719d93b39d070

    SHA512

    19d18de54b3466f0d283271786b3b308c3be07f21174c46563c4c16292716c52f2c1b85f416ed77143ea6847bfc4c4c37f22296948eac47499276b181f129b9c

  • \Users\Admin\AppData\Local\Temp\nsj8A19.tmp\nsExec.dll

    Filesize

    6KB

    MD5

    1b0e41f60564cccccd71347d01a7c397

    SHA1

    b1bddd97765e9c249ba239e9c95ab32368098e02

    SHA256

    13ebc725f3f236e1914fe5288ad6413798ad99bef38bfe9c8c898181238e8a10

    SHA512

    b6d7925cdff358992b2682cf1485227204ce3868c981c47778dd6da32057a595caa933d8242c8d7090b0c54110d45fa8f935a1b4eec1e318d89cc0e44b115785

  • memory/1816-161-0x0000000073AF1000-0x0000000073AF2000-memory.dmp

    Filesize

    4KB

  • memory/1816-162-0x0000000073AF0000-0x000000007409B000-memory.dmp

    Filesize

    5.7MB

  • memory/1816-163-0x0000000073AF0000-0x000000007409B000-memory.dmp

    Filesize

    5.7MB

  • memory/1816-164-0x0000000073AF0000-0x000000007409B000-memory.dmp

    Filesize

    5.7MB

  • memory/1816-165-0x0000000073AF0000-0x000000007409B000-memory.dmp

    Filesize

    5.7MB