48e100a1816e2c4696df7459f543114ad48ce8f5280169b1318d568ffe390b04

General

Target

rigsombudsmndenes/Vildspors/Tjenestefries/Abrased.ps1
Size

43KB
MD5

bdc6750fa9e7f3f0e0967e682d730c3f
SHA1

592f466b066cd59938eef2c53b9e41942d7cacce
SHA256

3bf087d329e163f4300a66e02e102e45f58d39a13acf1a116ecb946233d69aa6
SHA512

529621f4d8213bf2bcf9199c9b4add2c3c77461c8e1b75bc37aa1512590eb58af681f741489d023493fbb2043ba6ca4d00d6b9bab18d9e59ef3e1c8ea6ffc7eb
SSDEEP

768:nXMWOJ+6hgfLifOQ7BFUMVqF+vNTg5aXSohz/5OcLxjqvtiXl/B7YRDY1KrvY3oV:n8zM6gSbLqFENTdioh9OcL1+i1UbQ4uO

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1736	powershell.exe
1736	powershell.exe
1736	powershell.exe
1736	powershell.exe
1736	powershell.exe
1736	powershell.exe
1736	powershell.exe
1736	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2676	explorer.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe
Token: SeShutdownPrivilege	2676	explorer.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2808	1736	powershell.exe	32
PID 1736 wrote to memory of 2808	1736	powershell.exe	32
PID 1736 wrote to memory of 2808	1736	powershell.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\rigsombudsmndenes\Vildspors\Tjenestefries\Abrased.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "1736" "1076"
  2⤵
  PID:2808

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259418770.txt

Filesize
1KB

MD5
bd4486a32e418685a7003700f82279cf

SHA1
5d620751fa22a8109c8324dd1e64ce0c9fbdaa24

SHA256
261a5a9bb80412c51f8cfee80a9a4f9110bc7e717ffa9a37a1f44323e4cecb95

SHA512
0d54f334eaa73a6e936e555507f4c3776a4ceb50092f91302a2d7a545d077b61bc6a7e90da076fbf3084e7360f9fe14f20706f79fa28218ac47b5f67471b1785

Download Submit
memory/1736-13-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/1736-17-0x000007FEF6320000-0x000007FEF6CBD000-memory.dmp

Filesize
9.6MB

Download
memory/1736-8-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/1736-9-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/1736-4-0x000000001B170000-0x000000001B452000-memory.dmp

Filesize
2.9MB

Download
memory/1736-10-0x000007FEF6320000-0x000007FEF6CBD000-memory.dmp

Filesize
9.6MB

Download
memory/1736-7-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/1736-14-0x000000001B630000-0x000000001B634000-memory.dmp

Filesize
16KB

Download
memory/1736-11-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/1736-6-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/1736-5-0x000007FEF6320000-0x000007FEF6CBD000-memory.dmp

Filesize
9.6MB

Download
memory/1736-18-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/2676-19-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/2676-20-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/2676-24-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads