65977464bdb8e893c4ca76c1cc7a2a410aaf4533ca345a009f37246a0711875b

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
14/02/2025, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

justificante de transferencia.exe
Size

837KB
MD5

f45658b16b50dcd644ec29a2fc716b3a
SHA1

b8c94d4c6405e45a5e830480498df8f9c0f5c9f6
SHA256

65977464bdb8e893c4ca76c1cc7a2a410aaf4533ca345a009f37246a0711875b
SHA512

b34ff76bd10bfa1b112e06fbcd4ad082fdaef33d702538a22dcc5d80627fdc41ca9460f19f582bc932fcaac8d97c6cb8de86b9db93787170fabdaf49c8771781
SSDEEP

12288:bkuXIHHuuo7A7A7oguiHU2azco+MCUIOCpRdGc4ZvKea:7XIHHuuo7R7oTiHUbzoGIOCr4cY8

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1988	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	justificante de transferencia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1988	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1988	2220	justificante de transferencia.exe	30
PID 2220 wrote to memory of 1988	2220	justificante de transferencia.exe	30
PID 2220 wrote to memory of 1988	2220	justificante de transferencia.exe	30
PID 2220 wrote to memory of 1988	2220	justificante de transferencia.exe	30

C:\Users\Admin\AppData\Local\Temp\justificante de transferencia.exe
"C:\Users\Admin\AppData\Local\Temp\justificante de transferencia.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden "$Containerskibet=Get-Content -Raw 'C:\Users\Admin\AppData\Roaming\figeater\Superslick\rheme\Capricorn46\Smaakager.Nep';$Dyblers=$Containerskibet.SubString(53599,3);.$Dyblers($Containerskibet) "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\figeater\Superslick\rheme\Capricorn46\Pericranitis\Greenly196\hulkorttidens.ini

Filesize
17KB

MD5
6764377f0ce6daf4db92f141dd6763b8

SHA1
9c7e9cb265b064822918437343a2d39c5385e123

SHA256
6f1c31e5a578184b7b873968984062e360398d8a2b06be1a3042a20376fe8f6d

SHA512
db6d1272221ee3aa82457fe6e2ad78d3714d758af3d11d29026f37a232abd46caac2be9fc01dbc99c0299bd5852956703e3d52c3384850f68f0137b7b6e0925c

Download Submit
C:\Users\Admin\Desktop\romped.lnk

Filesize
970B

MD5
4fb58ff8cac4de9136f4fabf755e85c0

SHA1
02634f00a2e10ae07768f74f0feff9b6c7e39590

SHA256
31fc16c6512687be1287c4006435b0f18365fc87aa77581a32504949c15d8823

SHA512
1ecd5e8bc4feb3847a75fa5b9364c05552aa858193b1146d70e6abc1c43c1dac3ef78f6d6f69a2ef6d6c99f389933b8977aaaaf3f7ea087ddf03f52d87d29bba

Download Submit
memory/1988-165-0x0000000073B61000-0x0000000073B62000-memory.dmp

Filesize
4KB

Download
memory/1988-166-0x0000000073B60000-0x000000007410B000-memory.dmp

Filesize
5.7MB

Download
memory/1988-167-0x0000000073B60000-0x000000007410B000-memory.dmp

Filesize
5.7MB

Download
memory/1988-168-0x0000000073B60000-0x000000007410B000-memory.dmp

Filesize
5.7MB

Download
memory/1988-169-0x0000000073B60000-0x000000007410B000-memory.dmp

Filesize
5.7MB

Download
memory/1988-170-0x0000000073B60000-0x000000007410B000-memory.dmp

Filesize
5.7MB

Download