Analysis
-
max time kernel
133s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
21/03/2024, 23:31
Static task
static1
Behavioral task
behavioral1
Sample
RefTechnical Drawing Sheet.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
RefTechnical Drawing Sheet.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Fdrelandskrligehed/Tenuto/Sauria/Handelsbalancerne122.ps1
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Fdrelandskrligehed/Tenuto/Sauria/Handelsbalancerne122.ps1
Resource
win10v2004-20231215-en
General
-
Target
Fdrelandskrligehed/Tenuto/Sauria/Handelsbalancerne122.ps1
-
Size
57KB
-
MD5
0c865acf7c347c6dd359f98c8251a9bc
-
SHA1
dc6ad24450f7a966e5c090abce2ec06f23cef9ae
-
SHA256
00f3155ff5edff6c7b7286095854eae05446345e358018fee4c5fb141a458d7e
-
SHA512
a7ead01800f440b0d4e8f07040818ed72ff1c768cb44ffc1823230b5bee96238b25373a652be4509c88cb371772da1061f5b14b3fa5a7e1e7833dc07d56f1aaa
-
SSDEEP
1536:zSoQQtIqgBuwNgZdhr1l4jOLjMr0q7hB5V6jNpCDWS6BuqVkzW:eoKBuwN+3COLwr0q7f5iNY6XiS
Malware Config
Signatures
-
Modifies Installed Components in the registry (2 TTPs, 1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)
Drops file in Windows directory (1 IoC)
- File opened for modification: \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico (explorer.exe)
Modifies registry class (5 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
- PID 1976 powershell.exe (8 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2472 explorer.exe
Suspicious use of AdjustPrivilegeToken (13 IoCs)
- Token: SeDebugPrivilege, PID 1976 powershell.exe
- Token: SeShutdownPrivilege, PID 2472 explorer.exe (12 times)
Suspicious use of FindShellTrayWindow (29 IoCs)
- PID 2472 explorer.exe (29 times)
Suspicious use of SendNotifyMessage (20 IoCs)
- PID 2472 explorer.exe (20 times)
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 1976 powershell.exe wrote to memory of PID 2728 (procid_target 29), 3 times
- PID 1976 powershell.exe wrote to memory of PID 2452 (procid_target 31), 3 times
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1976, root)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Fdrelandskrligehed\Tenuto\Sauria\Handelsbalancerne122.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (PID 2728, child of 1976)
    Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
  C:\Windows\system32\wermgr.exe (PID 2452, child of 1976)
    Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1976" "1124"
C:\Windows\explorer.exe (PID 2472, root)
  Command line: explorer.exe
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Notes on the tree: the `powershell.exe -ExecutionPolicy bypass -File ...` command line is how the sandbox launches a .ps1 sample, so on its own it says nothing about what the script does. `wermgr.exe -outproc` is the Windows Error Reporting manager started on behalf of a faulting process; its first argument here, 1976, is the PID of the PowerShell host, so the host reported an error during this run. explorer.exe (PID 2472) is a separate root process, not a child of the PowerShell host, and the registry and file signatures attributed to it (Active Setup Installed Components, ShellBags BagMRU keys) are the desktop shell's own activity rather than changes made by the script.
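A triage check built from this tree, added here as an example (it is not code from the page or from the sandbox vendor): it reads process-creation events in a Sysmon Event ID 1 style shape and flags the three things worth hunting for in this report: a PowerShell host told to bypass execution policy and run a script out of AppData\Local\Temp, that host spawning cmd.exe just to evaluate `set /A`, and wermgr.exe launched with its own parent's PID as the `-outproc` target. The events are constructed to mirror the report; the parent PIDs of the two root processes are not on the page and are assumed to be unrecorded (0). The first rule also matches the sandbox's own launcher, so in a production feed the parent process should be used to separate a user- or sandbox-driven launch from a dropper-driven one.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation event in the shape of Sysmon Event ID 1 / EDR telemetry."""
    pid: int
    ppid: int  # 0 = parent not recorded
    image: str
    cmdline: str


# Constructed events modelled on the process tree in this report. Images, command
# lines and PIDs 1976/2728/2452/2472 come from the page; the parents of
# powershell.exe and explorer.exe are not shown there, so ppid=0 is an assumption.
SAMPLE_EVENTS = [
    ProcEvent(1976, 0, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Fdrelandskrligehed\Tenuto\Sauria\Handelsbalancerne122.ps1"),
    ProcEvent(2728, 1976, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"'),
    ProcEvent(2452, 1976, r"C:\Windows\system32\wermgr.exe",
              r'"C:\Windows\system32\wermgr.exe" "-outproc" "1976" "1124"'),
    ProcEvent(2472, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
]

# -ExecutionPolicy bypass (or its -ep short form)
BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|ep)\s+bypass\b", re.IGNORECASE)
# -File pointing at a .ps1 somewhere under <user>\AppData\Local\Temp\
TEMP_SCRIPT_RE = re.compile(r"-File\s+\S*\\AppData\\Local\\Temp\\\S+\.ps1", re.IGNORECASE)
# cmd.exe /c "set /A ..." and nothing else of note
CMD_SET_A_RE = re.compile(r'/c\s+"?set\s+/a\s', re.IGNORECASE)
# wermgr.exe "-outproc" "<pid>" ...
WER_OUTPROC_RE = re.compile(r'-outproc"?\s+"?(\d+)', re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule, detail) findings for the chain seen in the report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = image_name(parent.image) if parent else ""

        # 1. PowerShell told to ignore execution policy and run a script out of %TEMP%.
        if name == "powershell.exe" and BYPASS_RE.search(e.cmdline):
            m = TEMP_SCRIPT_RE.search(e.cmdline)
            if m:
                findings.append((e.pid, "powershell_bypass_temp_script", m.group(0)))

        # 2. The PowerShell host spawning cmd.exe only to evaluate `set /A` arithmetic.
        if name == "cmd.exe" and parent_name == "powershell.exe" and CMD_SET_A_RE.search(e.cmdline):
            findings.append((e.pid, "powershell_spawns_cmd_set_a", e.cmdline))

        # 3. WER's out-of-process manager whose target PID is its own parent: the
        #    parent reported a fault while the script was running.
        if name == "wermgr.exe":
            m = WER_OUTPROC_RE.search(e.cmdline)
            if m and int(m.group(1)) == e.ppid:
                findings.append((e.pid, "wer_fault_in_parent", f"{parent_name} pid {e.ppid}"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule:<32} {detail}")
```

explorer.exe produces no finding, which is the point of keying the rules on the parent/child relationship rather than on image names alone: the registry and file signatures the sandbox attributes to explorer.exe are shell activity, not part of the PowerShell chain.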
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 17dcc32f8e6d7595b254902573c1e8f7
SHA1 44795c63401d80a04e5eb4f17266f64212f12c00
SHA256 e7e13a406f79625d913dadfdda166bb6886a493925354e108ea30c7964378e60
SHA512 5b4f947253b0d317feaf42b80d9f093024f53114b1cd28b56a0111c1946fb73a73a568ab5bc7f1ff346f1b329702f47e2e293caef251db114456d6f7649a3bc0