857cabdf843986bade93bb6882b28bd696727e57333880dabd1666745ae27305

General

Target

Grnskollingernes237/pladsholderknudes.ps1
Size

58KB
MD5

b727db78e2c5f3b1559e11ceef7af2fb
SHA1

622ee25305320a7c6c2f7e6b201d9c1204d00053
SHA256

07a3c1a8c29ae7eb5b17b815e3c470068313f9911bf890f58f68f43cb42f2d54
SHA512

19116eb53099a09bc314577f4954870ead121ee2c7818d0653973d30597abc7c9b698407583893b7171b40861aa279e5c619fbd640db9075ad4aa91fb2e62f36
SSDEEP

1536:5jGkMxf3C7xchyXU14f+sC+9ez04sV0TJZJ2wh9kvTEw:VA3NYR8Y4S0T/1Cgw

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe

pid	process
1628	powershell.exe
1628	powershell.exe
1628	powershell.exe
1628	powershell.exe
1628	powershell.exe
1628	powershell.exe
1628	powershell.exe
1628	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2820 explorer.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeShutdownPrivilege	2820	explorer.exe
Token: SeShutdownPrivilege	2820	explorer.exe
Token: SeShutdownPrivilege	2820	explorer.exe
Token: SeShutdownPrivilege	2820	explorer.exe
Token: SeShutdownPrivilege	2820	explorer.exe
Token: SeShutdownPrivilege	2820	explorer.exe
Token: SeShutdownPrivilege	2820	explorer.exe
Token: SeShutdownPrivilege	2820	explorer.exe
Token: SeShutdownPrivilege	2820	explorer.exe
Token: SeShutdownPrivilege	2820	explorer.exe
Token: SeShutdownPrivilege	2820	explorer.exe
Token: SeShutdownPrivilege	2820	explorer.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

explorer.exe

pid	process
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

explorer.exe

pid	process
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe
2820	explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 1628 wrote to memory of 2572	1628	powershell.exe	cmd.exe
PID 1628 wrote to memory of 2572	1628	powershell.exe	cmd.exe
PID 1628 wrote to memory of 2572	1628	powershell.exe	cmd.exe
PID 1628 wrote to memory of 2444	1628	powershell.exe	wermgr.exe
PID 1628 wrote to memory of 2444	1628	powershell.exe	wermgr.exe
PID 1628 wrote to memory of 2444	1628	powershell.exe	wermgr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Grnskollingernes237\pladsholderknudes.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
  2⤵
  PID:2572
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "1628" "1128"
  2⤵
  PID:2444

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259405702.txt

Filesize
1KB

MD5
8e5f5630fe2a3bb369a813abfbd9038f

SHA1
6024a7ca3058b28267bba7d6075de720cb511f08

SHA256
52f38072d0e22fe56e2de6c8a4a964f034a5741bf5eae7a41b08101b707ade8d

SHA512
aecd5f1a98fe8e78060c34e0342bf433b0096e48f5d3f4b832ecd701a10bf20dd8cb72e9868902370d49b4dc14c771677a1045573733aa60250f263871206d2b

Download Submit
memory/1628-13-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/1628-4-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/1628-7-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/1628-6-0x00000000029F0000-0x00000000029F8000-memory.dmp

Filesize
32KB

Download
memory/1628-9-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/1628-10-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/1628-8-0x000007FEF5AA0000-0x000007FEF643D000-memory.dmp

Filesize
9.6MB

Download
memory/1628-5-0x000007FEF5AA0000-0x000007FEF643D000-memory.dmp

Filesize
9.6MB

Download
memory/1628-11-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/1628-15-0x0000000002C40000-0x0000000002C44000-memory.dmp

Filesize
16KB

Download
memory/1628-17-0x0000000002B60000-0x0000000002BE0000-memory.dmp

Filesize
512KB

Download
memory/1628-18-0x000007FEF5AA0000-0x000007FEF643D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-19-0x00000000043A0000-0x00000000043A1000-memory.dmp

Filesize
4KB

Download
memory/2820-20-0x00000000043A0000-0x00000000043A1000-memory.dmp

Filesize
4KB

Download
memory/2820-24-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads