8b042d13aa74c2c2fa7bcdf345f60f53c69721cd43648515abbe23a5b3853aa0

General

Target

pixel/Amerikanernes/Langobard/Expectorate/Inhaleres.ps1
Size

58KB
MD5

c14475f2dad1110109be23192921aaa1
SHA1

7ca72d139455072cb288ccfec10621d790f56e1b
SHA256

aa8f52c3a68e9d76445e97561f8cb538d55c92cb3f2eca91b22b60ea1fb9fa94
SHA512

eb8946338017dbc5ab392f965ae0d282aeae56c9a7df1b62170672894a7845e9de8ad490cd70dbbb95586d0cdfb6920a413f3b5e424364c99a3d59fe13953ac8
SSDEEP

1536:/Fn3muO3mB6YzCoc6r7WYeHDuD7Ul3vO2FSDi2:d2zWB62CaujHzBvOdDi2

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe

pid	process
1796	powershell.exe
1796	powershell.exe
1796	powershell.exe
1796	powershell.exe
1796	powershell.exe
1796	powershell.exe
1796	powershell.exe
1796	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2792 explorer.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeShutdownPrivilege	2792	explorer.exe
Token: SeShutdownPrivilege	2792	explorer.exe
Token: SeShutdownPrivilege	2792	explorer.exe
Token: SeShutdownPrivilege	2792	explorer.exe
Token: SeShutdownPrivilege	2792	explorer.exe
Token: SeShutdownPrivilege	2792	explorer.exe
Token: SeShutdownPrivilege	2792	explorer.exe
Token: SeShutdownPrivilege	2792	explorer.exe
Token: SeShutdownPrivilege	2792	explorer.exe
Token: SeShutdownPrivilege	2792	explorer.exe
Token: SeShutdownPrivilege	2792	explorer.exe
Token: SeShutdownPrivilege	2792	explorer.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

explorer.exe

pid	process
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

explorer.exe

pid	process
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 1796 wrote to memory of 2308	1796	powershell.exe	cmd.exe
PID 1796 wrote to memory of 2308	1796	powershell.exe	cmd.exe
PID 1796 wrote to memory of 2308	1796	powershell.exe	cmd.exe
PID 1796 wrote to memory of 2748	1796	powershell.exe	wermgr.exe
PID 1796 wrote to memory of 2748	1796	powershell.exe	wermgr.exe
PID 1796 wrote to memory of 2748	1796	powershell.exe	wermgr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\pixel\Amerikanernes\Langobard\Expectorate\Inhaleres.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
2⤵
PID:2308

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1796" "1124"
2⤵
PID:2748

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2792

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259401329.txt
Filesize
1KB

MD5
3fad325ed4b91490fdb57054d29d71a9

SHA1
3f3e4b2eb3b69bf820d43430edf6be9544e1cba6

SHA256
57f21424afd88fe5f63d5ab658eedbb62cbb7482a8bcb1e93f8b90f16a3c65d2

SHA512
abd1ac96f9c98325f0f29e142d996b922bd9fe2cfe5a2ba80f96606d970bb27c0bfcd47dbe143ead81205dc0d1f1c8bbae27aa8b2953eca0dbcaf4a315569c99

Download Submit
memory/1796-13-0x0000000002D10000-0x0000000002D90000-memory.dmp

Filesize
512KB

Download
memory/1796-5-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/1796-7-0x0000000002D10000-0x0000000002D90000-memory.dmp

Filesize
512KB

Download
memory/1796-8-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/1796-9-0x0000000002D10000-0x0000000002D90000-memory.dmp

Filesize
512KB

Download
memory/1796-10-0x0000000002D10000-0x0000000002D90000-memory.dmp

Filesize
512KB

Download
memory/1796-6-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1796-4-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/1796-11-0x0000000002D10000-0x0000000002D90000-memory.dmp

Filesize
512KB

Download
memory/1796-16-0x000000001B5A0000-0x000000001B5A4000-memory.dmp

Filesize
16KB

Download
memory/1796-17-0x0000000002D10000-0x0000000002D90000-memory.dmp

Filesize
512KB

Download
memory/1796-18-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/2792-19-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/2792-20-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/2792-24-0x0000000002B00000-0x0000000002B10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads