Analysis
-
max time kernel
133s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
05/04/2024, 01:29
Static task
static1
Behavioral task
behavioral1
Sample
3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Borteskamoteringers/Fridtjof.ps1
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Borteskamoteringers/Fridtjof.ps1
Resource
win10v2004-20240226-en
General
-
Target
Borteskamoteringers/Fridtjof.ps1
-
Size
58KB
-
MD5
b747bba9cd5ec658f83a8f004b9ddc9b
-
SHA1
eb25e589a4de7af6afd91ccaf9c12f30aaf3c67a
-
SHA256
4fc178d7b0c912917422d5259e796c28f38a765bc3f56fa14df7480b49a0f2f2
-
SHA512
7e115a0e8cc9b16cd7eeafc6aa6635815763384ab543bb92308c197af849a49e9109f775652151617dc094862313109830091f5d203f582a887595b81b875d9e
-
SSDEEP
1536:ft7VcOuMK0tpHzCNB2PPEcs2WlyRRpAbeKbKCU:f7QgJzMB2kcs2qHbeKuCU
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 2172 powershell.exe 2172 powershell.exe 2172 powershell.exe 2172 powershell.exe 2172 powershell.exe 2172 powershell.exe 2172 powershell.exe 2172 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2596 explorer.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeDebugPrivilege 2172 powershell.exe Token: SeShutdownPrivilege 2596 explorer.exe Token: SeShutdownPrivilege 2596 explorer.exe Token: SeShutdownPrivilege 2596 explorer.exe Token: SeShutdownPrivilege 2596 explorer.exe Token: SeShutdownPrivilege 2596 explorer.exe Token: SeShutdownPrivilege 2596 explorer.exe Token: SeShutdownPrivilege 2596 explorer.exe Token: SeShutdownPrivilege 2596 explorer.exe Token: SeShutdownPrivilege 2596 explorer.exe Token: SeShutdownPrivilege 2596 explorer.exe Token: SeShutdownPrivilege 2596 explorer.exe Token: SeShutdownPrivilege 2596 explorer.exe -
Suspicious use of FindShellTrayWindow 29 IoCs
pid Process 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe -
Suspicious use of SendNotifyMessage 17 IoCs
pid Process 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe 2596 explorer.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2172 wrote to memory of 2896 2172 powershell.exe 29 PID 2172 wrote to memory of 2896 2172 powershell.exe 29 PID 2172 wrote to memory of 2896 2172 powershell.exe 29 PID 2172 wrote to memory of 2380 2172 powershell.exe 33 PID 2172 wrote to memory of 2380 2172 powershell.exe 33 PID 2172 wrote to memory of 2380 2172 powershell.exe 33 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Borteskamoteringers\Fridtjof.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"2⤵PID:2896
-
-
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "2172" "1140"2⤵PID:2380
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2596
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD566cff9c5f9606362bf3434ef9cb971dc
SHA13efc0831052f12945cfed0df06a566be08bc7f46
SHA256121c166466b0eab950cdc89efda1442a0da349b4a1c6458600fc97d83570d34a
SHA512282a1910348d6ea830e58f86eab0c277bd059e9f645d0ba104faa1e2a8b2a387dde34a4344b4e59a3fdd2afd0af32cd9f5012572435d1586fdb44720669c61b8