01beeda976d48dc4c029032b0113fed68e00a2736cc03667c065f7bf7440eec2

General

Target

Vitaminerne/Taksonomiske24/Trephining/Piloters/Recepternes.ps1
Size

57KB
MD5

24e44ec408c4fb8b429adb0ee5869985
SHA1

1913f35995281fec0c9f586fd73d6a2f4e64a5ca
SHA256

cf1db414b602f31a34655222809a3542f96a8ffcf0e43dfdbc341192f8298f71
SHA512

76b152a80b4f9537c1cd3fb6209021040946c0e7c75fe907f9b95e9f4446b2f12ef54be9721de7b13929df0e1d555db38f470d43f9142b4c1b87e74768819425
SSDEEP

1536:sHoiMTmNr5n2YDREJfm7g0ctkXRR7f8zYXJ4l:QoxOHifKciRdf8zYK

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe

pid	process
2020	powershell.exe
2020	powershell.exe
2020	powershell.exe
2020	powershell.exe
2020	powershell.exe
2020	powershell.exe
2020	powershell.exe
2020	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2636 explorer.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeShutdownPrivilege	2636	explorer.exe
Token: SeShutdownPrivilege	2636	explorer.exe
Token: SeShutdownPrivilege	2636	explorer.exe
Token: SeShutdownPrivilege	2636	explorer.exe
Token: SeShutdownPrivilege	2636	explorer.exe
Token: SeShutdownPrivilege	2636	explorer.exe
Token: SeShutdownPrivilege	2636	explorer.exe
Token: SeShutdownPrivilege	2636	explorer.exe
Token: SeShutdownPrivilege	2636	explorer.exe
Token: SeShutdownPrivilege	2636	explorer.exe
Token: SeShutdownPrivilege	2636	explorer.exe
Token: SeShutdownPrivilege	2636	explorer.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

explorer.exe

pid	process
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

explorer.exe

pid	process
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 2020 wrote to memory of 2720	2020	powershell.exe	cmd.exe
PID 2020 wrote to memory of 2720	2020	powershell.exe	cmd.exe
PID 2020 wrote to memory of 2720	2020	powershell.exe	cmd.exe
PID 2020 wrote to memory of 1924	2020	powershell.exe	wermgr.exe
PID 2020 wrote to memory of 1924	2020	powershell.exe	wermgr.exe
PID 2020 wrote to memory of 1924	2020	powershell.exe	wermgr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Vitaminerne\Taksonomiske24\Trephining\Piloters\Recepternes.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
2⤵
PID:2720

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2020" "1096"
2⤵
PID:1924

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2636

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259415804.txt
Filesize
1KB

MD5
285d8b2ad9f2ded6b763d9dcf4534ba0

SHA1
87e320881f5abc9152b36763aa5f73cad72c0e0c

SHA256
222f8c2297b59057cd07d28888c79bcc6f93e2c325db4c77798759d1ea467576

SHA512
2519045d2333d5b6d2d0ca89e16c36a5c5ed7596ada1eea9c1461326e3a6024aac6611dcbf94e8545137dd35f8eefe2d51913d1f94eed3cab65826ef48fa10f1

Download Submit
memory/2020-13-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/2020-14-0x000000001B660000-0x000000001B664000-memory.dmp

Filesize
16KB

Download
memory/2020-6-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2020-8-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2020-9-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/2020-10-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/2020-7-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/2020-4-0x000000001B1B0000-0x000000001B492000-memory.dmp

Filesize
2.9MB

Download
memory/2020-11-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/2020-5-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2020-17-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/2020-18-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2636-19-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/2636-20-0x0000000004320000-0x0000000004321000-memory.dmp

Filesize
4KB

Download
memory/2636-24-0x00000000037F0000-0x0000000003800000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads