Overview

overview

8

Static

static

3

949058f852...12.exe

windows7-x64

7

949058f852...12.exe

windows10-2004-x64

4

Refugium/F...or.ps1

windows7-x64

8

Refugium/F...or.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    133s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26/03/2024, 01:34

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Refugium/Forurettelsen/Picador.ps1

  • Size

    56KB

  • MD5

    107f2d51a1a9d4e0423e5ac5cef1b21c

  • SHA1

    3b074e4957f9240abdf5f5a61c8a1dda331dc29a

  • SHA256

    2a558e54310f4bb0f99f640b9b49e997c1ba5982e0fe53081ed1fdeee2e6263a

  • SHA512

    b827f8ac5a5e27e9ee448a109227f8fbbcc3f6a627a668d101689246fe0495f94fcec39c719d49895f7831a8f165b823e6d4b22651008476ae5302c79bdc2b6b

  • SSDEEP

    1536:VwO4zf5tAtrOTq3GCllPOa33mx/Hd3t5DxPynVfVt:eO4zf/U3GClgcGLW

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Refugium\Forurettelsen\Picador.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      2⤵
        PID:2576
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "1756" "1124"
        2⤵
          PID:2456
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2692

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259405648.txt
              Filesize

              1KB

              MD5

              32e77582bba254080af6c12012cd689e

              SHA1

              e46b6764edebc6d18596be409f0d5b8cc7288d5c

              SHA256

              fc6757886b017915f4db95dba914e017c6b5bceadf258b4c75f6a4f5bb5a2e2c

              SHA512

              ea222aef5bfbd47f92a8d6d040f297921451f616ceda477cfb11dbfca873752017f9b6dcc1f7c3f6f3ca8c0cecd06c9390d2aaa5e40ace3c7d5226d84b9283fc

              Download Submit

            • memory/1756-13-0x00000000028C0000-0x0000000002940000-memory.dmp

              Filesize

              512KB

              Download

            • memory/1756-17-0x00000000028C0000-0x0000000002940000-memory.dmp

              Filesize

              512KB

              Download

            • memory/1756-7-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/1756-8-0x00000000028C0000-0x0000000002940000-memory.dmp

              Filesize

              512KB

              Download

            • memory/1756-10-0x00000000028C0000-0x0000000002940000-memory.dmp

              Filesize

              512KB

              Download

            • memory/1756-9-0x00000000028C0000-0x0000000002940000-memory.dmp

              Filesize

              512KB

              Download

            • memory/1756-4-0x000000001B740000-0x000000001BA22000-memory.dmp

              Filesize

              2.9MB

              Download

            • memory/1756-14-0x0000000002BB0000-0x0000000002BB4000-memory.dmp

              Filesize

              16KB

              Download

            • memory/1756-12-0x00000000028C0000-0x0000000002940000-memory.dmp

              Filesize

              512KB

              Download

            • memory/1756-6-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/1756-5-0x00000000021D0000-0x00000000021D8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1756-18-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2692-19-0x00000000043A0000-0x00000000043A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2692-20-0x00000000043A0000-0x00000000043A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2692-24-0x0000000002A50000-0x0000000002A60000-memory.dmp

              Filesize

              64KB

              Download