Analysis

  • max time kernel
    133s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/03/2024, 23:33

General

  • Target

    Fdrelandskrligehed/Tenuto/Sauria/Handelsbalancerne122.ps1

  • Size

    57KB

  • MD5

    0c865acf7c347c6dd359f98c8251a9bc

  • SHA1

    dc6ad24450f7a966e5c090abce2ec06f23cef9ae

  • SHA256

    00f3155ff5edff6c7b7286095854eae05446345e358018fee4c5fb141a458d7e

  • SHA512

    a7ead01800f440b0d4e8f07040818ed72ff1c768cb44ffc1823230b5bee96238b25373a652be4509c88cb371772da1061f5b14b3fa5a7e1e7833dc07d56f1aaa

  • SSDEEP

    1536:zSoQQtIqgBuwNgZdhr1l4jOLjMr0q7hB5V6jNpCDWS6BuqVkzW:eoKBuwN+3COLwr0q7f5iNY6XiS

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Fdrelandskrligehed\Tenuto\Sauria\Handelsbalancerne122.ps1
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      PID:2896
    • C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1500" "1136"
      PID:1484
  • C:\Windows\explorer.exe
    explorer.exe
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2596

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259432697.txt
    Filesize: 1KB
    MD5: 303376ba8a503ebbc758f8f318802244
    SHA1: 537e9bd7b68caa8f2d4fcd52603030006729defb
    SHA256: 03c64c2c0007b316c1ba91bf7c69d0b57f21e5c85a80effdb34b4bdb76662280
    SHA512: 720dd8e11c1576758f05fcee4ad281a6e553999c52e77290a243c26c98c94a0d2a2e622509f9082ce6daa12038ce13f4d4667a9e2dfe3ff0e53bff3c1106123a
  • memory/1500-7-0x0000000002590000-0x0000000002610000-memory.dmp (Filesize: 512KB)
  • memory/1500-13-0x000000001BA60000-0x000000001BA64000-memory.dmp (Filesize: 16KB)
  • memory/1500-4-0x000000001B2A0000-0x000000001B582000-memory.dmp (Filesize: 2.9MB)
  • memory/1500-8-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp (Filesize: 9.6MB)
  • memory/1500-9-0x0000000002590000-0x0000000002610000-memory.dmp (Filesize: 512KB)
  • memory/1500-10-0x0000000002590000-0x0000000002610000-memory.dmp (Filesize: 512KB)
  • memory/1500-12-0x0000000002590000-0x0000000002610000-memory.dmp (Filesize: 512KB)
  • memory/1500-6-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp (Filesize: 9.6MB)
  • memory/1500-5-0x0000000002450000-0x0000000002458000-memory.dmp (Filesize: 32KB)
  • memory/1500-16-0x0000000002590000-0x0000000002610000-memory.dmp (Filesize: 512KB)
  • memory/1500-17-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp (Filesize: 9.6MB)
  • memory/2596-18-0x0000000004230000-0x0000000004231000-memory.dmp (Filesize: 4KB)
  • memory/2596-19-0x0000000004230000-0x0000000004231000-memory.dmp (Filesize: 4KB)
  • memory/2596-23-0x0000000002730000-0x0000000002740000-memory.dmp (Filesize: 64KB)