Analysis

max time kernel: 133s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 22-04-2024 11:32
Static task: static1

Behavioral task: behavioral1
  Sample: 1353d2318463be28ebcffe36398b90b873ee21e2bde3d03f929103729c4b95ea.exe
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: 1353d2318463be28ebcffe36398b90b873ee21e2bde3d03f929103729c4b95ea.exe
  Resource: win10v2004-20240412-en

Behavioral task: behavioral3
  Sample: ravnemorens/Frsteinstanserne/Instantiations.ps1
  Resource: win7-20240221-en

Behavioral task: behavioral4
  Sample: ravnemorens/Frsteinstanserne/Instantiations.ps1
  Resource: win10v2004-20240412-en
General

Target: ravnemorens/Frsteinstanserne/Instantiations.ps1
Size: 54KB
MD5: 63d0c546b30964e943c2ac8fd5e236db
SHA1: 7d46713cb1d3cbfe25efcaf24369fb067d310920
SHA256: eb26aa5b4ec7a1c0c0ad2be344c02a23f770815a40e84e5b1b5fe24c9b64edda
SHA512: 91399fec920e3be9526e1af39a632512c6c00cea3566a9ce43fdbadf813c5b2b830620bfc381747b195a4e2c52b8ef4d81295b484ea6ed925979a97b8cf6a1ed
SSDEEP: 768:stRSpMsDEBbiYzC9AUQg+Fj0VY6fgw8cl+ZzPhkrV439KaEJQkP5HF0GEFGRGI:uRUM0qbiCYYo3gnZzPKrOtKaiT8rE
Malware Config
Signatures

- Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
- Modifies registry class (5 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: powershell.exe
  pid | process
  1644 | powershell.exe (8 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: explorer.exe
  pid | process
  2704 | explorer.exe
- Suspicious use of AdjustPrivilegeToken (13 IoCs)
  Processes: powershell.exe, explorer.exe
  description | pid | process
  Token: SeDebugPrivilege | 1644 | powershell.exe
  Token: SeShutdownPrivilege | 2704 | explorer.exe (12 occurrences)
- Suspicious use of FindShellTrayWindow (29 IoCs)
  Processes: explorer.exe
  pid | process
  2704 | explorer.exe (29 occurrences)
- Suspicious use of SendNotifyMessage (22 IoCs)
  Processes: explorer.exe
  pid | process
  2704 | explorer.exe (22 occurrences)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: powershell.exe
  description | pid | process | target process
  PID 1644 wrote to memory of 2496 | 1644 | powershell.exe | cmd.exe (3 occurrences)
  PID 1644 wrote to memory of 2520 | 1644 | powershell.exe | wermgr.exe (3 occurrences)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1644, depth 1)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ravnemorens\Frsteinstanserne\Instantiations.ps1
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 2496, depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
  - C:\Windows\system32\wermgr.exe (PID 2520, depth 2)
    Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1644" "1084"

- C:\Windows\explorer.exe (PID 2704, depth 1)
  Command line: explorer.exe
  Signatures:
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1KB
  MD5: 66d5620e1e925cc04b8d3628c3e24af9
  SHA1: e91fdd258d2fd4d9a27604dcc2f69c4d76a65ecb
  SHA256: 5eaa6cf995416132cbacf92f56c7b2a1a02589bb1bef3c172a3fd387bdd8dfa6
  SHA512: 071116b03a99483afbb2d82bf2398f4763ff3ff743a21881ac55428bdbfff48f0ff6f77e7965a640b98b17be9f45ce5e3a681c88b1a05de38ea6b201f7cc09dc