Analysis

max time kernel: 133s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 22-04-2024 11:31
Static task: static1

Behavioral task behavioral1
  Sample: 1353d2318463be28ebcffe36398b90b873ee21e2bde3d03f929103729c4b95ea.exe
  Resource: win7-20240221-en
Behavioral task behavioral2
  Sample: 1353d2318463be28ebcffe36398b90b873ee21e2bde3d03f929103729c4b95ea.exe
  Resource: win10v2004-20240412-en
Behavioral task behavioral3 (the run documented on this page: target Instantiations.ps1 on win7-20231129-en)
  Sample: ravnemorens/Frsteinstanserne/Instantiations.ps1
  Resource: win7-20231129-en
Behavioral task behavioral4
  Sample: ravnemorens/Frsteinstanserne/Instantiations.ps1
  Resource: win10v2004-20240226-en
General

Target: ravnemorens/Frsteinstanserne/Instantiations.ps1
Size: 54KB
MD5: 63d0c546b30964e943c2ac8fd5e236db
SHA1: 7d46713cb1d3cbfe25efcaf24369fb067d310920
SHA256: eb26aa5b4ec7a1c0c0ad2be344c02a23f770815a40e84e5b1b5fe24c9b64edda
SHA512: 91399fec920e3be9526e1af39a632512c6c00cea3566a9ce43fdbadf813c5b2b830620bfc381747b195a4e2c52b8ef4d81295b484ea6ed925979a97b8cf6a1ed
SSDEEP: 768:stRSpMsDEBbiYzC9AUQg+Fj0VY6fgw8cl+ZzPhkrV439KaEJQkP5HF0GEFGRGI:uRUM0qbiCYYo3gnZzPKrOtKaiT8rE
Malware Config
Signatures
Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Process       Description   IoC
  explorer.exe  Key created   \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Active Setup\Installed Components

Modifies registry class (5 IoCs)
  Process       Description       IoC
  explorer.exe  Key created       \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell
  explorer.exe  Key created       \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  explorer.exe  Set value (data)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
  explorer.exe  Set value (data)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
  explorer.exe  Key created       \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Process         PID
  powershell.exe  1724  (8 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process       PID
  explorer.exe  2576

Suspicious use of AdjustPrivilegeToken (13 IoCs)
  Process         PID   Token
  powershell.exe  1724  SeDebugPrivilege
  explorer.exe    2576  SeShutdownPrivilege  (12 events)

Suspicious use of FindShellTrayWindow (29 IoCs)
  Process       PID
  explorer.exe  2576  (29 events)

Suspicious use of SendNotifyMessage (17 IoCs)
  Process       PID
  explorer.exe  2576  (17 events)

Suspicious use of WriteProcessMemory (6 IoCs)
  Source PID  Source process  Target PID  Target process
  1724        powershell.exe  1116        cmd.exe     (3 events)
  1724        powershell.exe  2712        wermgr.exe  (3 events)
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. No process or IoC is listed for this signature in the report, so which process created which task is not recorded here; confirm any persistence by checking for newly created scheduled tasks rather than relying on this signature alone.
Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1724)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ravnemorens\Frsteinstanserne\Instantiations.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe  (PID 1116)
      Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"

    C:\Windows\system32\wermgr.exe  (PID 2712)
      Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1724" "1092"

C:\Windows\explorer.exe  (PID 2576)
  Command line: explorer.exe
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Notes on the tree:
- cmd.exe (1116) and wermgr.exe (2712) are children of powershell.exe (1724). explorer.exe (2576) appears as a separate top-level process with no parent in the tree, so the registry signatures attributed to it (ShellBag keys under BagMRU, the Active Setup key) and the shell-window calls are desktop-shell activity and should not be read as actions of the script without further evidence.
- "set /A 1^^0" is cmd arithmetic: the doubled caret is cmd's escape for a literal "^", so the expression evaluated is 1 XOR 0.
- wermgr.exe "-outproc" "1724" "1092" is the Windows Error Reporting out-of-process handler; its first argument is the PID of the faulting process, here powershell.exe, which is consistent with the PowerShell stage faulting on this Windows 7 image.
- The WriteProcessMemory events pair 1724 with exactly those two child PIDs and coincide with their creation; a parent writing into a freshly created child's address space is expected for process creation and is not by itself evidence of injection into an unrelated process.
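The process chain above (PowerShell launched with an execution-policy bypass from the user's Temp directory, a cmd.exe arithmetic child, and WER invoked for the PowerShell PID) can be turned into detection rules over process-creation records. The following is an added example, not part of the sandbox report and not the sandbox vendor's tooling; PROCESSES is constructed from the PIDs and command lines visible in the Processes section, and the rule names and helper functions are this example's own assumptions.

```python
"""Detection rules over process-creation records (added example)."""
import re

PROCESSES = [  # constructed from the report's Processes section
    {"pid": 1724, "ppid": None,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": (r"powershell.exe -ExecutionPolicy bypass -File "
                 r"C:\Users\Admin\AppData\Local\Temp\ravnemorens\Frsteinstanserne\Instantiations.ps1")},
    {"pid": 1116, "ppid": 1724, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"'},
    {"pid": 2712, "ppid": 1724, "image": r"C:\Windows\system32\wermgr.exe",
     "cmdline": r'"C:\Windows\system32\wermgr.exe" "-outproc" "1724" "1092"'},
    {"pid": 2576, "ppid": None, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
]


def tokenize(cmdline):
    """Split a Windows command line; a double-quoted run is one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def image_name(proc):
    return proc["image"].rsplit("\\", 1)[-1].lower()


def _norm_switch(token):
    # powershell.exe accepts "/" as well as "-" for switches
    t = token.lower()
    return "-" + t[1:] if t.startswith("/") else t


def _is_exec_policy_switch(token):
    # powershell.exe accepts any unambiguous prefix ("-ex" and longer) plus "-ep"
    t = _norm_switch(token)
    return t == "-ep" or (len(t) >= 3 and "-executionpolicy".startswith(t))


def _is_file_switch(token):
    t = _norm_switch(token)
    return len(t) >= 2 and "-file".startswith(t)


def rule_powershell_bypass_from_temp(proc, by_pid):
    """ExecutionPolicy bypass with a script under %LOCALAPPDATA%\\Temp."""
    if image_name(proc) != "powershell.exe":
        return None
    toks = tokenize(proc["cmdline"])
    bypass = any(_is_exec_policy_switch(t) and i + 1 < len(toks)
                 and toks[i + 1].lower() == "bypass" for i, t in enumerate(toks))
    script = next((toks[i + 1] for i, t in enumerate(toks)
                   if _is_file_switch(t) and i + 1 < len(toks)), None)
    if bypass and script and re.search(r"\\appdata\\local\\temp\\", script, re.I):
        return f"ExecutionPolicy bypass with script in user Temp: {script}"
    return None


def rule_wer_for_tree_process(proc, by_pid):
    """wermgr.exe -outproc <pid> ... is WER's out-of-process handler for a
    faulting process; flag it when that PID belongs to the tree we track."""
    if image_name(proc) != "wermgr.exe":
        return None
    toks = tokenize(proc["cmdline"])
    if "-outproc" not in toks:
        return None
    i = toks.index("-outproc")
    if i + 1 >= len(toks) or not toks[i + 1].isdigit():
        return None
    faulting = by_pid.get(int(toks[i + 1]))
    if faulting is None:
        return None
    return f"WER invoked for faulting PID {faulting['pid']} ({image_name(faulting)})"


def rule_cmd_arith_from_powershell(proc, by_pid):
    """cmd.exe running 'set /A' arithmetic as a direct child of powershell.exe."""
    parent = by_pid.get(proc["ppid"])
    if image_name(proc) != "cmd.exe" or parent is None or image_name(parent) != "powershell.exe":
        return None
    if re.search(r"\bset\s+/a\b", proc["cmdline"], re.I):
        return "cmd.exe 'set /A' arithmetic spawned by powershell.exe"
    return None


RULES = [rule_powershell_bypass_from_temp, rule_wer_for_tree_process, rule_cmd_arith_from_powershell]


def run_rules(processes):
    """Return (rule name, pid, message) for every record a rule matches."""
    by_pid = {p["pid"]: p for p in processes}
    hits = []
    for p in processes:
        for rule in RULES:
            msg = rule(p, by_pid)
            if msg:
                hits.append((rule.__name__, p["pid"], msg))
    return hits


if __name__ == "__main__":
    for name, pid, msg in run_rules(PROCESSES):
        print(f"[{name}] pid={pid}: {msg}")
```

The rules deliberately key on parent/child relationships and on the PID argument of wermgr.exe rather than on image names alone, so the unrelated top-level explorer.exe record produces no hit; the switch matching accepts the abbreviated forms powershell.exe itself accepts, since "-ep bypass" and "-ex bypass" are common ways to dodge string matches on "-ExecutionPolicy".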
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: f33dab717aae34b5aac77835041e116a
SHA1: fd223830d3a594cd8b16ded961d55e80cc4e0c9e
SHA256: d0df7cf36ef5e9fa79973f6c8d7022a2de10eb444a6d773c616325917e9e446c
SHA512: 69f6d1a1704007145673f873600baaab113d392b97bf5812c6a6514e2681a128cfa5211b6a3754f7c631b441c882011946d73d40b879071d970d8f346dd7855e