Analysis
max time kernel: 133s
max time network: 118s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 28-03-2024 07:02
Static task: static1
Behavioral task behavioral1
  Sample: DHL TAX INVOICES - MARCH 2024.exe
  Resource: win7-20240221-en
Behavioral task behavioral2
  Sample: DHL TAX INVOICES - MARCH 2024.exe
  Resource: win10v2004-20240226-en
Behavioral task behavioral3
  Sample: $PLUGINSDIR/nsExec.dll
  Resource: win7-20240221-en
Behavioral task behavioral4
  Sample: $PLUGINSDIR/nsExec.dll
  Resource: win10v2004-20240319-en
Behavioral task behavioral5
  Sample: Handelshindringens.ps1
  Resource: win7-20240215-en
Behavioral task behavioral6
  Sample: Handelshindringens.ps1
  Resource: win10v2004-20240226-en
General
Target: Handelshindringens.ps1
Size: 49KB
MD5: 26ac3d358904de47313a08e6e95b9ef8
SHA1: d8cb62fa3f065244d37862489962401a3c829a9a
SHA256: a87dc179ea36df155f5d8b7a8a5963ef1de61fa7032db510a8a1f64033182ff2
SHA512: efc8932a6e6cb055fd76603cade1ce298c2d19f250d9e3234255f55b2ec28b6c34345f35a017816b35400a4258eb0cca8fdf885a1c8b5f0c08f50731d17bae71
SSDEEP: 1536:8cdYRGdh2mJBi9i2cMJC/uvyxOd8maeZ1q6KwDN2C:Bbh7J+5CHxOdbn1qr2Nh
Malware Config
Signatures
Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Modifies registry class (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  2192 | powershell.exe (8 identical entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  2460 | explorer.exe
Suspicious use of AdjustPrivilegeToken (13 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2192 | powershell.exe
  Token: SeShutdownPrivilege | 2460 | explorer.exe (12 identical entries)
Suspicious use of FindShellTrayWindow (29 IoCs)
  pid | Process
  2460 | explorer.exe (29 identical entries)
Suspicious use of SendNotifyMessage (18 IoCs)
  pid | Process
  2460 | explorer.exe (18 identical entries)
Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2192 wrote to memory of 2624 | 2192 | powershell.exe | 30 (3 identical entries)
  PID 2192 wrote to memory of 2732 | 2192 | powershell.exe | 31 (3 identical entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Handelshindringens.ps1
  PID: 2192
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
    PID: 2624
  Child: C:\Windows\system32\wermgr.exe
    Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2192" "1128"
    PID: 2732
C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 2460
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: b60854532e7d431b601b81d321a6e270
SHA1: acf18462cf86f6a2cc0c9238b1eb48b0c4b7caea
SHA256: 0aa4f8121f5fd08d1fb449ecd2b91ea62d2449acb38fc908e2acab48eb843b22
SHA512: 5ba75c18e8917e3289b60ff0e901abb2d9492982caa9ab38da163f4dfc92a270913bbe4ab8422ee71fe46de3bc23b48725832c5cfba97f6fd5fa05625da8d46b