b9b72b305909d1d2311e044b49181ef5411d5247d5674fc9cdccc3b7ed7c0421

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/02/2025, 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9b72b305909d1d2311e044b49181ef5411d5247d5674fc9cdccc3b7ed7c0421.exe
Size

843KB
MD5

4e523395a445b905402cfcd5728a4a5c
SHA1

f3b7b24df9ab234a6b68ea97ca1566210ba490ef
SHA256

b9b72b305909d1d2311e044b49181ef5411d5247d5674fc9cdccc3b7ed7c0421
SHA512

23523171b883c3e1d2208dee1c6f9551311c4b4c95783152a40162254b4fa06060bb8a18b72041ea0ac72866360c72f63b541840b035bbe0fc3d7c79ef1a05bd
SSDEEP

12288:bkuXIHHuuov4KfGW5RASJ4PzcSsgUYvfrAYZvKek:7XIHHuuoVfGW5/e7cSsevfU4C

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1824	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9b72b305909d1d2311e044b49181ef5411d5247d5674fc9cdccc3b7ed7c0421.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1824	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1824	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 1824	2384	b9b72b305909d1d2311e044b49181ef5411d5247d5674fc9cdccc3b7ed7c0421.exe	28
PID 2384 wrote to memory of 1824	2384	b9b72b305909d1d2311e044b49181ef5411d5247d5674fc9cdccc3b7ed7c0421.exe	28
PID 2384 wrote to memory of 1824	2384	b9b72b305909d1d2311e044b49181ef5411d5247d5674fc9cdccc3b7ed7c0421.exe	28
PID 2384 wrote to memory of 1824	2384	b9b72b305909d1d2311e044b49181ef5411d5247d5674fc9cdccc3b7ed7c0421.exe	28

C:\Users\Admin\AppData\Local\Temp\b9b72b305909d1d2311e044b49181ef5411d5247d5674fc9cdccc3b7ed7c0421.exe
"C:\Users\Admin\AppData\Local\Temp\b9b72b305909d1d2311e044b49181ef5411d5247d5674fc9cdccc3b7ed7c0421.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden "$Outyelp=Get-Content -Raw 'C:\Users\Admin\AppData\Roaming\figeater\Superslick\rheme\Universitetsstuderende.Tor';$Guldknappet=$Outyelp.SubString(28485,3);.$Guldknappet($Outyelp) "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\figeater\Superslick\rheme\hulkorttidens.ini

Filesize
17KB

MD5
6764377f0ce6daf4db92f141dd6763b8

SHA1
9c7e9cb265b064822918437343a2d39c5385e123

SHA256
6f1c31e5a578184b7b873968984062e360398d8a2b06be1a3042a20376fe8f6d

SHA512
db6d1272221ee3aa82457fe6e2ad78d3714d758af3d11d29026f37a232abd46caac2be9fc01dbc99c0299bd5852956703e3d52c3384850f68f0137b7b6e0925c

Download Submit
C:\Users\Admin\Desktop\romped.lnk

Filesize
924B

MD5
1843d83469e9845131822ff547ad2601

SHA1
ebb2181a245cc2f96fab56f3a7d2303807c6add6

SHA256
cf8d67473225517a0713941b748c1c1578e52006679bb877071b70c11ee8a567

SHA512
fb8da1a4c98fc80d01a59a42cff00baae3224462d22f66625112de0709b234d68ed53b138d109b7a5a038290a95256284971b4990b4ec9cf7c836c1ffc6021ad

Download Submit
memory/1824-149-0x0000000073AF1000-0x0000000073AF2000-memory.dmp

Filesize
4KB

Download
memory/1824-150-0x0000000073AF0000-0x000000007409B000-memory.dmp

Filesize
5.7MB

Download
memory/1824-151-0x0000000073AF0000-0x000000007409B000-memory.dmp

Filesize
5.7MB

Download
memory/1824-152-0x0000000073AF0000-0x000000007409B000-memory.dmp

Filesize
5.7MB

Download
memory/1824-153-0x0000000073AF0000-0x000000007409B000-memory.dmp

Filesize
5.7MB

Download
memory/1824-154-0x0000000073AF0000-0x000000007409B000-memory.dmp

Filesize
5.7MB

Download