8987f3cd89bd9f739ef4ee2495ccd81be89cf7d5f52b445c94920cfae3b0fc27

General

Target

Entreprenren.ps1
Size

60KB
MD5

030ce4392c4a8cc1b477bc3deeacb683
SHA1

8f36406d9572e6ccf966fb69c0934c234e0617e6
SHA256

7e9decd5f91e30b000266db010c2ad399bfd06f64ec43f48ca0f3bc36d69ca6c
SHA512

3ec59592857d073ea3f59cd5279fdd4d862ba0a102de7bb3f96db73b64af362c5f017802afe78cb5299a0185f406e4fec097c9986b74d591183ab2aba114e4f4
SSDEEP

1536:cwCVtHft7/anji7OG2BP79MU59/AmW1K7V:cJt7SnjHG2Bj9V3AmW85

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1640	powershell.exe
1640	powershell.exe
1640	powershell.exe
1640	powershell.exe
1640	powershell.exe
1640	powershell.exe
1640	powershell.exe
1640	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2624	explorer.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeShutdownPrivilege	2624	explorer.exe
Token: SeShutdownPrivilege	2624	explorer.exe
Token: SeShutdownPrivilege	2624	explorer.exe
Token: SeShutdownPrivilege	2624	explorer.exe
Token: SeShutdownPrivilege	2624	explorer.exe
Token: SeShutdownPrivilege	2624	explorer.exe
Token: SeShutdownPrivilege	2624	explorer.exe
Token: SeShutdownPrivilege	2624	explorer.exe
Token: SeShutdownPrivilege	2624	explorer.exe
Token: SeShutdownPrivilege	2624	explorer.exe
Token: SeShutdownPrivilege	2624	explorer.exe
Token: SeShutdownPrivilege	2624	explorer.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe
2624	explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2556	1640	powershell.exe	29
PID 1640 wrote to memory of 2556	1640	powershell.exe	29
PID 1640 wrote to memory of 2556	1640	powershell.exe	29
PID 1640 wrote to memory of 2244	1640	powershell.exe	31
PID 1640 wrote to memory of 2244	1640	powershell.exe	31
PID 1640 wrote to memory of 2244	1640	powershell.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Entreprenren.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
  2⤵
  PID:2556
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "1640" "1088"
  2⤵
  PID:2244

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259398965.txt

Filesize
1KB

MD5
7c9c24f525ed1846fe30526068c4e24a

SHA1
18538a55580dcb143014046174d490f9f7a98760

SHA256
ce05e9d59d481eefca2c4d5a81a3530eed1ede54d2ad0c95589efc73f1d20e0f

SHA512
1358533808acfa3bb2e851f89f133feb8cab2f9e89ec6e376b9fbfe488137f25bcf185bee5975fde81720a9340d610407c14c55ea46a5d773c2308483682f508

Download Submit
memory/1640-13-0x0000000002CE0000-0x0000000002D60000-memory.dmp

Filesize
512KB

Download
memory/1640-17-0x0000000002CE0000-0x0000000002D60000-memory.dmp

Filesize
512KB

Download
memory/1640-7-0x0000000002CE0000-0x0000000002D60000-memory.dmp

Filesize
512KB

Download
memory/1640-8-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/1640-9-0x0000000002CE0000-0x0000000002D60000-memory.dmp

Filesize
512KB

Download
memory/1640-10-0x0000000002CE0000-0x0000000002D60000-memory.dmp

Filesize
512KB

Download
memory/1640-6-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/1640-15-0x0000000002BE0000-0x0000000002BE4000-memory.dmp

Filesize
16KB

Download
memory/1640-11-0x0000000002CE0000-0x0000000002D60000-memory.dmp

Filesize
512KB

Download
memory/1640-5-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/1640-4-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/1640-18-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2624-19-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/2624-20-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/2624-24-0x0000000003CE0000-0x0000000003CF0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads