Analysis
max time kernel: 132s
max time network: 121s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 22-04-2024 12:09
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ 1Z8A6A658669149902.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: RFQ 1Z8A6A658669149902.exe
  Resource: win10v2004-20240412-en
Behavioral task: behavioral3
  Sample: ravnemorens/Frsteinstanserne/Instantiations.ps1
  Resource: win7-20231129-en
Behavioral task: behavioral4
  Sample: ravnemorens/Frsteinstanserne/Instantiations.ps1
  Resource: win10v2004-20240412-en
General
Target: ravnemorens/Frsteinstanserne/Instantiations.ps1
Size: 54KB
MD5: 63d0c546b30964e943c2ac8fd5e236db
SHA1: 7d46713cb1d3cbfe25efcaf24369fb067d310920
SHA256: eb26aa5b4ec7a1c0c0ad2be344c02a23f770815a40e84e5b1b5fe24c9b64edda
SHA512: 91399fec920e3be9526e1af39a632512c6c00cea3566a9ce43fdbadf813c5b2b830620bfc381747b195a4e2c52b8ef4d81295b484ea6ed925979a97b8cf6a1ed
SSDEEP: 768:stRSpMsDEBbiYzC9AUQg+Fj0VY6fgw8cl+ZzPhkrV439KaEJQkP5HF0GEFGRGI:uRUM0qbiCYYo3gnZzPKrOtKaiT8rE
Malware Config
Signatures
Modifies Installed Components in the registry (2 TTPs, 1 IoCs)
Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Modifies registry class (5 IoCs)
Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: powershell.exe
  pid | process
  2392 | powershell.exe (8 occurrences)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: explorer.exe
  pid | process
  2464 | explorer.exe
Suspicious use of AdjustPrivilegeToken (13 IoCs)
Processes: powershell.exe, explorer.exe
  description | pid | process
  Token: SeDebugPrivilege | 2392 | powershell.exe
  Token: SeShutdownPrivilege | 2464 | explorer.exe (12 occurrences)
Suspicious use of FindShellTrayWindow (29 IoCs)
Processes: explorer.exe
  pid | process
  2464 | explorer.exe (29 occurrences)
Suspicious use of SendNotifyMessage (22 IoCs)
Processes: explorer.exe
  pid | process
  2464 | explorer.exe (22 occurrences)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: powershell.exe
  description | pid | process | target process
  PID 2392 wrote to memory of 3000 | 2392 | powershell.exe | cmd.exe (3 occurrences)
  PID 2392 wrote to memory of 2664 | 2392 | powershell.exe | wermgr.exe (3 occurrences)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ravnemorens\Frsteinstanserne\Instantiations.ps1
  PID: 2392
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      PID: 3000
    C:\Windows\system32\wermgr.exe
      Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2392" "1088"
      PID: 2664
C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 2464
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 54e0b62cae36238cc9ddb00bef983d01
SHA1: 81d2356f88e3effad72f426e171822d744994b7a
SHA256: b1f2ba4f223c386d7f02651436a67d3f4322183925478fd1deacbd8bd7ef837e
SHA512: 33448710dc2655de68e2b8b68965216f56d0ff93897e8c39c0e1e1ddf05790d9889f83e34738bacb4a2b37a9d22d16728ff854b1325264f9998eae6abceba744
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(No filesize is recorded for this entry; these four digests are the well-known hashes of a zero-byte file, so this download contained no data.)