Analysis
-
max time kernel
133s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
25/03/2024, 12:33
Static task
static1
Behavioral task
behavioral1
Sample
Shipment Receipt.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Shipment Receipt.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Regretable/Prferencetolden/Alluder152/Brinie29.ps1
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Regretable/Prferencetolden/Alluder152/Brinie29.ps1
Resource
win10v2004-20240226-en
General
-
Target
Regretable/Prferencetolden/Alluder152/Brinie29.ps1
-
Size
57KB
-
MD5
606f3c0d77738574d051cf2f7140aafd
-
SHA1
becf7fe1fe0af569c52c94abadc970cca66ec0a6
-
SHA256
5bb0a1909d79ecf1060382416cd6df278b2be9af709e3b072ca983d62f9b4861
-
SHA512
8bcd585c03b3e8a145a17da6c00e3423d6f0e00f8ca3c34959c49867f651371dd993478ef81e098a1cd8c8d9890c7d1c62ae0488f095b39d4f96278664b340e8
-
SSDEEP
768:4wErrM7A/9QKnpZ2H0ZjGtEbT59AILrUuh1tOBt33K2LCgPFKGft1Csv2EzbnQdx:4/nR2UIEn0Mw4fOBJJDgsBbnQdRWLJSB
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 2212 powershell.exe 2212 powershell.exe 2212 powershell.exe 2212 powershell.exe 2212 powershell.exe 2212 powershell.exe 2212 powershell.exe 2212 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2620 explorer.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeDebugPrivilege 2212 powershell.exe Token: SeShutdownPrivilege 2620 explorer.exe Token: SeShutdownPrivilege 2620 explorer.exe Token: SeShutdownPrivilege 2620 explorer.exe Token: SeShutdownPrivilege 2620 explorer.exe Token: SeShutdownPrivilege 2620 explorer.exe Token: SeShutdownPrivilege 2620 explorer.exe Token: SeShutdownPrivilege 2620 explorer.exe Token: SeShutdownPrivilege 2620 explorer.exe Token: SeShutdownPrivilege 2620 explorer.exe Token: SeShutdownPrivilege 2620 explorer.exe Token: SeShutdownPrivilege 2620 explorer.exe Token: SeShutdownPrivilege 2620 explorer.exe -
Suspicious use of FindShellTrayWindow 30 IoCs
pid Process 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe -
Suspicious use of SendNotifyMessage 19 IoCs
pid Process 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe 2620 explorer.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2212 wrote to memory of 2640 2212 powershell.exe 29 PID 2212 wrote to memory of 2640 2212 powershell.exe 29 PID 2212 wrote to memory of 2640 2212 powershell.exe 29 PID 2212 wrote to memory of 2752 2212 powershell.exe 33 PID 2212 wrote to memory of 2752 2212 powershell.exe 33 PID 2212 wrote to memory of 2752 2212 powershell.exe 33 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Regretable\Prferencetolden\Alluder152\Brinie29.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"2⤵PID:2640
-
-
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "2212" "1140"2⤵PID:2752
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2620
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5e308c7d876f9e1bedfc20cd069741ba2
SHA197d0805eb39ee7faeae45566e32e949861986d2b
SHA2561ba96efd582b17022a9ad0052fc6f153e5240bd03f8df2f008cc467982cdf4ec
SHA512d5db32419a9e7ad61b20da4a8106032bdb82df107af513fa14c2702b409e954cd0463b76b0a5dbcb934a2a67ad57275a3b444f6eee0c7e465de0fe3d5d7e7c11