f33bceff393d14f948ad0a37dea51034f4951c0009060187d9d0ec7da5259ce7

General

Target

a90c7b4223bca6a28296894c66845de8fb61e7028b9c45ab8e0ec7d27db0bf71.exe
Size

521KB
MD5

0e1262a4ce5ac71ad5b8df93030d61b5
SHA1

efb918ee62ff5cca7bdc10d180c7f7837c8e2b6b
SHA256

a90c7b4223bca6a28296894c66845de8fb61e7028b9c45ab8e0ec7d27db0bf71
SHA512

a799094bdae022e92f77c002dc03d0da004982aaa973efe35dc6e72e40a5e9549927c7a831331218bb15478f24cc0b7ed9e7d94a0d1f3aba103b49e68bd0064d
SSDEEP

12288:fzA/ggggjrBj93vPbk8tGtP7ocMzAGrP+jp:U/ggggj9jpvY84mAGrPu

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Slettelsers% -windowstyle minimized $ronnels=(Get-ItemProperty -Path 'HKCU:\\Forsorgspdagog\\').Skeletoverstter;%Slettelsers% ($ronnels)"	reg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1988	powershell.exe
2464	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1988 set thread context of 2464	1988	powershell.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3040	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1988	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 1988	1844	a90c7b4223bca6a28296894c66845de8fb61e7028b9c45ab8e0ec7d27db0bf71.exe	28
PID 1844 wrote to memory of 1988	1844	a90c7b4223bca6a28296894c66845de8fb61e7028b9c45ab8e0ec7d27db0bf71.exe	28
PID 1844 wrote to memory of 1988	1844	a90c7b4223bca6a28296894c66845de8fb61e7028b9c45ab8e0ec7d27db0bf71.exe	28
PID 1844 wrote to memory of 1988	1844	a90c7b4223bca6a28296894c66845de8fb61e7028b9c45ab8e0ec7d27db0bf71.exe	28
PID 1988 wrote to memory of 2500	1988	powershell.exe	30
PID 1988 wrote to memory of 2500	1988	powershell.exe	30
PID 1988 wrote to memory of 2500	1988	powershell.exe	30
PID 1988 wrote to memory of 2500	1988	powershell.exe	30
PID 1988 wrote to memory of 2464	1988	powershell.exe	32
PID 1988 wrote to memory of 2464	1988	powershell.exe	32
PID 1988 wrote to memory of 2464	1988	powershell.exe	32
PID 1988 wrote to memory of 2464	1988	powershell.exe	32
PID 1988 wrote to memory of 2464	1988	powershell.exe	32
PID 1988 wrote to memory of 2464	1988	powershell.exe	32
PID 2464 wrote to memory of 1896	2464	wab.exe	33
PID 2464 wrote to memory of 1896	2464	wab.exe	33
PID 2464 wrote to memory of 1896	2464	wab.exe	33
PID 2464 wrote to memory of 1896	2464	wab.exe	33
PID 1896 wrote to memory of 3040	1896	cmd.exe	35
PID 1896 wrote to memory of 3040	1896	cmd.exe	35
PID 1896 wrote to memory of 3040	1896	cmd.exe	35
PID 1896 wrote to memory of 3040	1896	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\a90c7b4223bca6a28296894c66845de8fb61e7028b9c45ab8e0ec7d27db0bf71.exe
"C:\Users\Admin\AppData\Local\Temp\a90c7b4223bca6a28296894c66845de8fb61e7028b9c45ab8e0ec7d27db0bf71.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Bromslvs=Get-Content 'C:\Users\Admin\AppData\Roaming\skabiose\slgtsarvens\prender\Kursusplans.Fje';$Oxyphosphate=$Bromslvs.SubString(61080,3);.$Oxyphosphate($Bromslvs)"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
    3⤵
    PID:2500
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Slettelsers% -windowstyle minimized $ronnels=(Get-ItemProperty -Path 'HKCU:\Forsorgspdagog\').Skeletoverstter;%Slettelsers% ($ronnels)"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Slettelsers% -windowstyle minimized $ronnels=(Get-ItemProperty -Path 'HKCU:\Forsorgspdagog\').Skeletoverstter;%Slettelsers% ($ronnels)"
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
afb89d7448832985f8fe18d59989d982

SHA1
fca62d8d948837a509c1c4c2f76c749c15ed7ecc

SHA256
802bebf487a5f1e4716ec0381f2eca2fb5908b972f4873c0c1ef16229edca7e6

SHA512
6259d69683f49c34ba951feac6927576291bf0b8c99adf3b7b9c91448ee9d645d46ef2dfc4d6131eb73e5e8f1b093a3e65fac6534587e8775235c4051dec64de

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAAE1.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCB44.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\skabiose\slgtsarvens\prender\Batteriforsynede\Trolddomsvirksomhederne\Laboredness.Fid

Filesize
330KB

MD5
fba02c5c2e2b17b589d84b7d57d7a736

SHA1
251a31c2e3bcb544ce6431fca1e14f4acef7ff42

SHA256
274533ce689d15c8ee6611feb429118e821e28010fd79fc57f055c0b7e0e7ff6

SHA512
25c4b0532a4113899be97cf62407948867670157470178607626193d34eb7eee54c2db72ca5d1abcb560a4341526de92a958a4d09102b942d0811c74ed67f09e

Download Submit
C:\Users\Admin\AppData\Roaming\skabiose\slgtsarvens\prender\Kursusplans.Fje

Filesize
59KB

MD5
867b6e69eaf64d49c92a00efe2f3484a

SHA1
57e409c3c4ec17f05de4b6900300c6ffb22447c7

SHA256
554a9d36104f6fe2c57ebef379f96adb5205f4652780c0459db40e676f5efa1c

SHA512
3d075d6850562b2f68503e48f9349a50dcf65e69626b85b5312bf0bd6938b3b433cafb3ed4f885b392c4157b6997613ea551729a35028f5be1151ac3feda1856

Download Submit
memory/1988-19-0x0000000077800000-0x00000000778D6000-memory.dmp

Filesize
856KB

Download
memory/1988-14-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/1988-17-0x00000000068E0000-0x000000000C182000-memory.dmp

Filesize
88.6MB

Download
memory/1988-18-0x0000000077610000-0x00000000777B9000-memory.dmp

Filesize
1.7MB

Download
memory/1988-8-0x0000000073ED0000-0x000000007447B000-memory.dmp

Filesize
5.7MB

Download
memory/1988-21-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/1988-20-0x0000000073ED0000-0x000000007447B000-memory.dmp

Filesize
5.7MB

Download
memory/1988-16-0x0000000002B00000-0x0000000002B04000-memory.dmp

Filesize
16KB

Download
memory/1988-9-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/1988-10-0x0000000073ED0000-0x000000007447B000-memory.dmp

Filesize
5.7MB

Download
memory/1988-11-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/2464-22-0x0000000077610000-0x00000000777B9000-memory.dmp

Filesize
1.7MB

Download
memory/2464-25-0x00000000005E0000-0x0000000001642000-memory.dmp

Filesize
16.4MB

Download
memory/2464-23-0x0000000077836000-0x0000000077837000-memory.dmp

Filesize
4KB

Download
memory/2464-24-0x0000000077800000-0x00000000778D6000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads