Analysis
-
max time kernel
133s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
25/03/2024, 12:31
Static task
static1
Behavioral task
behavioral1
Sample
Shipment Receipt.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Shipment Receipt.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Regretable/Prferencetolden/Alluder152/Brinie29.ps1
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Regretable/Prferencetolden/Alluder152/Brinie29.ps1
Resource
win10v2004-20240226-en
General
-
Target
Regretable/Prferencetolden/Alluder152/Brinie29.ps1
-
Size
57KB
-
MD5
606f3c0d77738574d051cf2f7140aafd
-
SHA1
becf7fe1fe0af569c52c94abadc970cca66ec0a6
-
SHA256
5bb0a1909d79ecf1060382416cd6df278b2be9af709e3b072ca983d62f9b4861
-
SHA512
8bcd585c03b3e8a145a17da6c00e3423d6f0e00f8ca3c34959c49867f651371dd993478ef81e098a1cd8c8d9890c7d1c62ae0488f095b39d4f96278664b340e8
-
SSDEEP
768:4wErrM7A/9QKnpZ2H0ZjGtEbT59AILrUuh1tOBt33K2LCgPFKGft1Csv2EzbnQdx:4/nR2UIEn0Mw4fOBJJDgsBbnQdRWLJSB
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 2204 powershell.exe 2204 powershell.exe 2204 powershell.exe 2204 powershell.exe 2204 powershell.exe 2204 powershell.exe 2204 powershell.exe 2204 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2672 explorer.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeDebugPrivilege 2204 powershell.exe Token: SeShutdownPrivilege 2672 explorer.exe Token: SeShutdownPrivilege 2672 explorer.exe Token: SeShutdownPrivilege 2672 explorer.exe Token: SeShutdownPrivilege 2672 explorer.exe Token: SeShutdownPrivilege 2672 explorer.exe Token: SeShutdownPrivilege 2672 explorer.exe Token: SeShutdownPrivilege 2672 explorer.exe Token: SeShutdownPrivilege 2672 explorer.exe Token: SeShutdownPrivilege 2672 explorer.exe Token: SeShutdownPrivilege 2672 explorer.exe Token: SeShutdownPrivilege 2672 explorer.exe Token: SeShutdownPrivilege 2672 explorer.exe -
Suspicious use of FindShellTrayWindow 29 IoCs
pid Process 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe 2672 explorer.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2204 wrote to memory of 2652 2204 powershell.exe 29 PID 2204 wrote to memory of 2652 2204 powershell.exe 29 PID 2204 wrote to memory of 2652 2204 powershell.exe 29 PID 2204 wrote to memory of 2620 2204 powershell.exe 33 PID 2204 wrote to memory of 2620 2204 powershell.exe 33 PID 2204 wrote to memory of 2620 2204 powershell.exe 33 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Regretable\Prferencetolden\Alluder152\Brinie29.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"2⤵PID:2652
-
-
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "2204" "1140"2⤵PID:2620
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2672
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58e976628e5825d43264341f2718e91d4
SHA19e3b0b601698a0427566aa4693c5ec896be0d07b
SHA2561eb47c87e6bb6192bd082b7f2be679676ac30df7417a086e3884843524a0933d
SHA5125997ffd274f3dd2c782de2cfb02c28018823bdb83aea7194c4e5cbbfc3f993dfcdc50e0a5905b624d8ba162ba871acc94be8251a64b166d39a47375db7d75c07