43319fa796c6b542426e4e853a26a12d9a1cd49687878484a5bae88d246600cb

General

Target

jebliksbilledes/Unrelative/Sikkativers/Regredieredes/Fastkurspolitikken.ps1
Size

60KB
MD5

2a4c059165f67c3923409c13eb335f08
SHA1

327454ea9cef3b257a7a154bc75aa1dac1dc77d1
SHA256

f383eb80238916fd6c00c1513464f841fefb622aad04f345f4bc69f8a24aa8b1
SHA512

d1d1898f852d9fb3af766fea3e06ffefad91af0bc4d5652716103f6f2151118b5129d8c9707fcaf14d3e16654f7148163b80ec03a3e2a4bbb036575666392560
SSDEEP

768:bxvCc7TZ/G5kUwtoHQsp55qLP4vozxzNVqsZPiL3B3uy1LnUIz75zx7IwUER81uu:1qJ+ltCWP3NzNVqLj5bDd9NxouDgUSV

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe

pid	process
2912	powershell.exe
2912	powershell.exe
2912	powershell.exe
2912	powershell.exe
2912	powershell.exe
2912	powershell.exe
2912	powershell.exe
2912	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2576 explorer.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeShutdownPrivilege	2576	explorer.exe
Token: SeShutdownPrivilege	2576	explorer.exe
Token: SeShutdownPrivilege	2576	explorer.exe
Token: SeShutdownPrivilege	2576	explorer.exe
Token: SeShutdownPrivilege	2576	explorer.exe
Token: SeShutdownPrivilege	2576	explorer.exe
Token: SeShutdownPrivilege	2576	explorer.exe
Token: SeShutdownPrivilege	2576	explorer.exe
Token: SeShutdownPrivilege	2576	explorer.exe
Token: SeShutdownPrivilege	2576	explorer.exe
Token: SeShutdownPrivilege	2576	explorer.exe
Token: SeShutdownPrivilege	2576	explorer.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

explorer.exe

pid	process
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe

Suspicious use of SendNotifyMessage 22 IoCs

Processes:

explorer.exe

pid	process
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe
2576	explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 2912 wrote to memory of 2468	2912	powershell.exe	cmd.exe
PID 2912 wrote to memory of 2468	2912	powershell.exe	cmd.exe
PID 2912 wrote to memory of 2468	2912	powershell.exe	cmd.exe
PID 2912 wrote to memory of 2644	2912	powershell.exe	wermgr.exe
PID 2912 wrote to memory of 2644	2912	powershell.exe	wermgr.exe
PID 2912 wrote to memory of 2644	2912	powershell.exe	wermgr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\jebliksbilledes\Unrelative\Sikkativers\Regredieredes\Fastkurspolitikken.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
2⤵
PID:2468

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2912" "1088"
2⤵
PID:2644

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2576

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259397260.txt
Filesize
1KB

MD5
33f7298c1bca5ade978ddbf044f5c110

SHA1
98a817c7f7c8d6954c7f11879345e5ea5313dfae

SHA256
4866821ef87da96e4392cdd014a78daa10a81c2014c0a6d9c768f428aad3b22d

SHA512
e9b2bb355759b316204a071885536c3102b875268cfd2b8397bd0e14aada17768c47107072323ac3324e0ecd3be75d095d3c1b93dd5d6bd91a367ab946057094

Download Submit
memory/2576-22-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/2912-5-0x0000000002140000-0x0000000002148000-memory.dmp

Filesize
32KB

Download
memory/2912-8-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/2912-7-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/2912-6-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/2912-10-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/2912-4-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2912-13-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/2912-15-0x0000000002D40000-0x0000000002D44000-memory.dmp

Filesize
16KB

Download
memory/2912-11-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/2912-17-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/2912-18-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/2912-9-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads