Analysis
- max time kernel: 133s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 19/04/2024, 08:55
Static task: static1
Behavioral task: behavioral1
- Sample: UMMAN İHRACAT AFR5641 910-1714 1633.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: UMMAN İHRACAT AFR5641 910-1714 1633.exe
- Resource: win10v2004-20240412-en
Behavioral task: behavioral3
- Sample: Vitaminerne/Taksonomiske24/Trephining/Piloters/Recepternes.ps1
- Resource: win7-20240221-en
Behavioral task: behavioral4
- Sample: Vitaminerne/Taksonomiske24/Trephining/Piloters/Recepternes.ps1
- Resource: win10v2004-20240412-en
General
- Target: Vitaminerne/Taksonomiske24/Trephining/Piloters/Recepternes.ps1
- Size: 57KB
- MD5: 24e44ec408c4fb8b429adb0ee5869985
- SHA1: 1913f35995281fec0c9f586fd73d6a2f4e64a5ca
- SHA256: cf1db414b602f31a34655222809a3542f96a8ffcf0e43dfdbc341192f8298f71
- SHA512: 76b152a80b4f9537c1cd3fb6209021040946c0e7c75fe907f9b95e9f4446b2f12ef54be9721de7b13929df0e1d555db38f470d43f9142b4c1b87e74768819425
- SSDEEP: 1536:sHoiMTmNr5n2YDREJfm7g0ctkXRR7f8zYXJ4l:QoxOHifKciRdf8zYK
Malware Config
Signatures
- Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
- Modifies registry class (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_Classes\Local Settings | explorer.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  2020 | powershell.exe (8 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  2636 | explorer.exe
- Suspicious use of AdjustPrivilegeToken (13 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2020 | powershell.exe
  Token: SeShutdownPrivilege | 2636 | explorer.exe (12 identical entries)
- Suspicious use of FindShellTrayWindow (29 IoCs)
  pid | Process
  2636 | explorer.exe (29 identical entries)
- Suspicious use of SendNotifyMessage (18 IoCs)
  pid | Process
  2636 | explorer.exe (18 identical entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2020 wrote to memory of 2720 | 2020 | powershell.exe | 29 (3 identical entries)
  PID 2020 wrote to memory of 1924 | 2020 | powershell.exe | 33 (3 identical entries)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2020, level 1)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Vitaminerne\Taksonomiske24\Trephining\Piloters\Recepternes.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 2720, level 2)
    Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
  - C:\Windows\system32\wermgr.exe (PID 1924, level 2)
    Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2020" "1096"
- C:\Windows\explorer.exe (PID 2636, level 1)
  Command line: explorer.exe
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 285d8b2ad9f2ded6b763d9dcf4534ba0
  SHA1: 87e320881f5abc9152b36763aa5f73cad72c0e0c
  SHA256: 222f8c2297b59057cd07d28888c79bcc6f93e2c325db4c77798759d1ea467576
  SHA512: 2519045d2333d5b6d2d0ca89e16c36a5c5ed7596ada1eea9c1461326e3a6024aac6611dcbf94e8545137dd35f8eefe2d51913d1f94eed3cab65826ef48fa10f1