b2aedf1de53ed6e8b341efc26bfa06068a0c1dcfa04af94d998ced18546ad5d4

General

Target

Melitta/Assonantic/evakueringsvelsers/Jakobskamp/Blyantstegninger.ps1
Size

42KB
MD5

a986fd781b75d8deae5059a8eaf9947b
SHA1

00e654981fe37b648a5799c04856830d83345736
SHA256

c2fb393897717d953dfd2ccfd179fccba1dbae00fa6c7a9ca46610b78b9ba085
SHA512

ccc7b6aacc718ab09d871e933227d02299e9c9c119669f15804d988b46d7ba0db45aedf6d1a61f4844ec091d6a6e9ef3e0557b3c50420693453a2df59c4b2545
SSDEEP

768:lq3bgwBoUUAvXmZR+FL6lYPl8ULiLBnQNHBivEWkS+gs19:816QXw+slYPZLilQLkEWkSs19

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2800	explorer.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeShutdownPrivilege	2800	explorer.exe
Token: SeShutdownPrivilege	2800	explorer.exe
Token: SeShutdownPrivilege	2800	explorer.exe
Token: SeShutdownPrivilege	2800	explorer.exe
Token: SeShutdownPrivilege	2800	explorer.exe
Token: SeShutdownPrivilege	2800	explorer.exe
Token: SeShutdownPrivilege	2800	explorer.exe
Token: SeShutdownPrivilege	2800	explorer.exe
Token: SeShutdownPrivilege	2800	explorer.exe
Token: SeShutdownPrivilege	2800	explorer.exe
Token: SeShutdownPrivilege	2800	explorer.exe
Token: SeShutdownPrivilege	2800	explorer.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2736	3056	powershell.exe	30
PID 3056 wrote to memory of 2736	3056	powershell.exe	30
PID 3056 wrote to memory of 2736	3056	powershell.exe	30

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Melitta\Assonantic\evakueringsvelsers\Jakobskamp\Blyantstegninger.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "3056" "880"
  2⤵
  PID:2736

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259399102.txt

Filesize
1KB

MD5
b502aac7dc22ad1b60d37241c4c3a6ea

SHA1
fbd54a75237d224e3ee4510d8902e74a9438d692

SHA256
de5bcb1cea7be20a80b7cd1cc1a0842441d88d013701d18f2a994e72f9fadf63

SHA512
c0cc2c604db9b2134706e61c139624773fafea1c78f730a10c12316bb97f2307a9ce00c4511846148103708d61ca2fb25156c613ecd274c5c4f8e884bcf94e1e

Download Submit
memory/2800-24-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/2800-20-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/2800-19-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/3056-13-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/3056-9-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/3056-10-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/3056-11-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/3056-4-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/3056-8-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

Filesize
9.6MB

Download
memory/3056-16-0x0000000002B00000-0x0000000002B04000-memory.dmp

Filesize
16KB

Download
memory/3056-17-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/3056-18-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

Filesize
9.6MB

Download
memory/3056-7-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/3056-6-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

Filesize
9.6MB

Download
memory/3056-5-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads