Analysis
max time kernel: 140s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-04-2024 11:31
Static task: static1
Behavioral task behavioral1: sample 1353d2318463be28ebcffe36398b90b873ee21e2bde3d03f929103729c4b95ea.exe, resource win7-20240221-en
Behavioral task behavioral2: sample 1353d2318463be28ebcffe36398b90b873ee21e2bde3d03f929103729c4b95ea.exe, resource win10v2004-20240412-en
Behavioral task behavioral3: sample ravnemorens/Frsteinstanserne/Instantiations.ps1, resource win7-20231129-en
Behavioral task behavioral4: sample ravnemorens/Frsteinstanserne/Instantiations.ps1, resource win10v2004-20240226-en
(The results below are from behavioral2, resource win10v2004-20240412-en.)
General
Target: 1353d2318463be28ebcffe36398b90b873ee21e2bde3d03f929103729c4b95ea.exe
Size: 520KB
MD5: ef53493176b714d7c8c972a756cfd806
SHA1: c7c08850f9dd1706a2a2a5b456f5de2b25eb200c
SHA256: 1353d2318463be28ebcffe36398b90b873ee21e2bde3d03f929103729c4b95ea
SHA512: eab8465a629001a43631724aaa9293c229286bebb33c943ce197ce5f17419b9b91c6f9be86c4dec68d4b099871abf3fa05807e99876ffa0ee3497f3a5abac2fa
SSDEEP: 12288:fnPdhsFldr2BFS3Cr3HUNdAfZBAfYKBuyhleDJB:vPdhoeBYSrHU7K9KBuRJB
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried by 1353d2318463be28ebcffe36398b90b873ee21e2bde3d03f929103729c4b95ea.exe: \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  WerFault.exe (PID 4320) handled a crash of powershell.exe (PID 1100), i.e. the PowerShell stage crashed; whether the script it loaded ran to completion first is not established by this report.
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  powershell.exe (PID 1100), 10 events.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  powershell.exe (PID 1100) enabled SeDebugPrivilege.
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 5072 (1353d2318463be28ebcffe36398b90b873ee21e2bde3d03f929103729c4b95ea.exe) wrote to memory of PID 1100 (powershell.exe), 3 events.
  PID 1100 (powershell.exe) wrote to memory of PID 3028 (cmd.exe), 3 events.
  In both cases the writer is a parent and the target is the child it has just spawned, which is what ordinary process creation looks like to this monitor; these events on their own are not evidence of injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\1353d2318463be28ebcffe36398b90b873ee21e2bde3d03f929103729c4b95ea.exe (PID 5072)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1353d2318463be28ebcffe36398b90b873ee21e2bde3d03f929103729c4b95ea.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1100)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden ; $limpiness=Get-Content 'C:\Users\Admin\AppData\Roaming\Usitative\healthless\hovedanpartshaver\ravnemorens\Frsteinstanserne\Instantiations.Lil';$Sears=$limpiness.SubString(55857,3);.$Sears($limpiness)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 3028)
      Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
    C:\Windows\SysWOW64\WerFault.exe (PID 4320)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 2120
      - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 400)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1100 -ip 1100

Notes on the chain:
- The dropper asks for System32\WindowsPowerShell\v1.0\powershell.exe but the image actually loaded is the SysWOW64 copy, so WOW64 file-system redirection is in effect: PID 5072 is a 32-bit process, and its cmd.exe and WerFault.exe descendants are 32-bit as well.
- The PowerShell stage reads the dropped Instantiations.Lil (54KB, listed under Downloads), takes the three characters at offset 55857 (close to the end of the file) as a command name, and invokes that name with the call operator "." passing the whole file contents as the argument. The script body never appears on the command line, so command-line logging alone records only this stub. A three-character name at that offset is consistent with an alias such as iex (Invoke-Expression), but the file's contents are not shown in this report, so that is inference, not observation. Get-Content without -Raw returns one string per line, so the slice at 55857 only works if the file is a single line. The body is stored with a non-script extension (.Lil) under AppData\Roaming.
- cmd.exe is started only to evaluate "set /A 1^^0" (^^ is cmd's escape for a literal caret, so the expression is 1^0, a bitwise XOR); the report records no further effect from it.
- powershell.exe (PID 1100) then crashed and was handled by WerFault.exe (PIDs 4320 and 400).
- Detection: powershell.exe with a hidden window, Get-Content of a file under AppData\Roaming with a non-script extension, a .SubString(offset,length) slice assigned to a variable, and that variable invoked through "." or "&" with the file contents as its argument; SeDebugPrivilege being enabled in the same process is a further signal.
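The following is an added triage helper written for this report; it is not code from the sample, the sandbox, or the report. It parses the recorded PowerShell command line for the read/slice/call shape, emulates the SubString slice against a constructed stand-in for Instantiations.Lil (the real file's contents are not on the page; placing "iex" at offset 55857 is an assumption made for the demo), and lists the reasons the launcher merits an alert. All function and variable names are the author's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the powershell.exe command line recorded in the process tree above.
LAUNCHER_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden ; '
    r"$limpiness=Get-Content 'C:\Users\Admin\AppData\Roaming\Usitative\healthless"
    r"\hovedanpartshaver\ravnemorens\Frsteinstanserne\Instantiations.Lil';"
    r"$Sears=$limpiness.SubString(55857,3);.$Sears($limpiness)"
)

# The three statements of the launcher: read a file into $content, slice $verb out of
# $content, then call $verb (via . or &) with $content as its only argument.
READ_RE = re.compile(r"\$(\w+)\s*=\s*Get-Content\s+'([^']+)'", re.IGNORECASE)
SLICE_RE = re.compile(r"\$(\w+)\s*=\s*\$(\w+)\.SubString\(\s*(\d+)\s*,\s*(\d+)\s*\)", re.IGNORECASE)
CALL_RE = re.compile(r"[.&]\s*\$(\w+)\s*\(\s*\$(\w+)\s*\)")
HIDDEN_RE = re.compile(r"-w\w*\s+hidden", re.IGNORECASE)  # -w / -win / -windowstyle hidden


@dataclass
class Launcher:
    script_path: str
    content_var: str
    verb_var: str
    offset: int
    length: int
    hidden: bool


def parse_launcher(cmdline: str) -> Optional[Launcher]:
    """Return the launcher's parameters if cmdline has the read/slice/call shape, else None."""
    m_read, m_slice, m_call = READ_RE.search(cmdline), SLICE_RE.search(cmdline), CALL_RE.search(cmdline)
    if not (m_read and m_slice and m_call):
        return None
    content_var, path = m_read.groups()
    verb_var, sliced_from, offset, length = m_slice.groups()
    called_var, arg_var = m_call.groups()
    # The statements must chain through the same variables; otherwise it is some other script.
    if sliced_from != content_var or called_var != verb_var or arg_var != content_var:
        return None
    return Launcher(path, content_var, verb_var, int(offset), int(length), bool(HIDDEN_RE.search(cmdline)))


def resolve_verb(script_text: str, launcher: Launcher) -> Optional[str]:
    """Emulate $verb = $content.SubString(offset, length) without executing anything.

    Get-Content without -Raw returns one string per line, so the operator's slice only
    makes sense on a single-line file; multi-line content or an out-of-range offset
    returns None so the analyst knows the stand-in (or the real file) does not fit.
    """
    end = launcher.offset + launcher.length
    if "\n" in script_text or end > len(script_text):
        return None
    return script_text[launcher.offset:end]


def triage_reasons(launcher: Launcher) -> List[str]:
    """Why this launcher deserves attention, as short strings for an alert or a report."""
    reasons = []
    if launcher.hidden:
        reasons.append("hidden window")
    if not launcher.script_path.lower().endswith((".ps1", ".psm1")):
        reasons.append("script body loaded from a non-PowerShell extension")
    if "\\appdata\\roaming\\" in launcher.script_path.lower():
        reasons.append("script body dropped under AppData\\Roaming")
    reasons.append(f"command name built at runtime from {launcher.length} chars at offset {launcher.offset}")
    return reasons


def constructed_script(verb: str, offset: int, total_len: int) -> str:
    """Constructed stand-in for Instantiations.Lil, whose real contents are not in the report:
    one line of filler with `verb` placed at `offset`, padded to `total_len` characters."""
    body = "#" * offset + verb
    return body + "#" * max(0, total_len - len(body))


if __name__ == "__main__":
    launcher = parse_launcher(LAUNCHER_CMDLINE)
    assert launcher is not None
    # "iex" (alias of Invoke-Expression) is an assumption for the demo, not a value read from the page.
    stand_in = constructed_script("iex", launcher.offset, 55_900)
    print("script:", launcher.script_path)
    print("slice:", launcher.offset, launcher.length, "->", resolve_verb(stand_in, launcher))
    for reason in triage_reasons(launcher):
        print(" -", reason)
```

To use it against the real dropped file, read Instantiations.Lil as text and pass it to resolve_verb in place of the stand-in; a None result means the file is multi-line or shorter than the offset, in which case the recorded command line would not have worked as written.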
Network
MITRE ATT&CK Enterprise v15
Downloads
- (path not shown in report)
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Roaming\Usitative\healthless\hovedanpartshaver\ravnemorens\Frsteinstanserne\Instantiations.Lil
  Filesize: 54KB
  MD5: 63d0c546b30964e943c2ac8fd5e236db
  SHA1: 7d46713cb1d3cbfe25efcaf24369fb067d310920
  SHA256: eb26aa5b4ec7a1c0c0ad2be344c02a23f770815a40e84e5b1b5fe24c9b64edda
  SHA512: 91399fec920e3be9526e1af39a632512c6c00cea3566a9ce43fdbadf813c5b2b830620bfc381747b195a4e2c52b8ef4d81295b484ea6ed925979a97b8cf6a1ed
- (path not shown in report)
  Filesize: 1KB
  MD5: c8db74d6394f34f4a368d50cf2b60963
  SHA1: 849b7f8ed976e3b1ebe63aaf87e4fbd65ff0070e
  SHA256: 8ce4d1ff40f4bca71d03999544b3d5e70b78c47345e2d4319c12478376a234ed
  SHA512: 3f03b18659a3ba08e310f5b8da8fc14e6c08228e545ebc8f8427c39088eb3058897a5428a7cd33db801cfc437e55b5687c735386b3c6b774975e2af608a83109