Overview

overview

10

Static

static

3

43319fa796...cb.exe

windows7-x64

10

43319fa796...cb.exe

windows10-2004-x64

10

jebliksbil...en.ps1

windows7-x64

8

jebliksbil...en.ps1

windows10-2004-x64

Analysis

  • max time kernel
    35s
  • max time network
    46s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-04-2024 10:49

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    jebliksbilledes/Unrelative/Sikkativers/Regredieredes/Fastkurspolitikken.ps1

  • Size

    60KB

  • MD5

    2a4c059165f67c3923409c13eb335f08

  • SHA1

    327454ea9cef3b257a7a154bc75aa1dac1dc77d1

  • SHA256

    f383eb80238916fd6c00c1513464f841fefb622aad04f345f4bc69f8a24aa8b1

  • SHA512

    d1d1898f852d9fb3af766fea3e06ffefad91af0bc4d5652716103f6f2151118b5129d8c9707fcaf14d3e16654f7148163b80ec03a3e2a4bbb036575666392560

  • SSDEEP

    768:bxvCc7TZ/G5kUwtoHQsp55qLP4vozxzNVqsZPiL3B3uy1LnUIz75zx7IwUER81uu:1qJ+ltCWP3NzNVqLj5bDd9NxouDgUSV

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 6 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 33 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 58 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\jebliksbilledes\Unrelative\Sikkativers\Regredieredes\Fastkurspolitikken.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
      2⤵
        PID:2864
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4752
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies registry class
      PID:2568
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3568
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1564
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4148
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2368
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
        PID:916
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
          PID:3160
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
            PID:4520
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
              PID:4304
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
                PID:1776
              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                1⤵
                  PID:2924
                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                  1⤵
                    PID:720

                  Network

                  MITRE ATT&CK Matrix ATT&CK v13

                  Initial Access

                  Execution

                  Persistence

                  Boot or Logon Autostart Execution

                  1
                  T1547

                  Registry Run Keys / Startup Folder

                  1
                  T1547.001

                  Privilege Escalation

                  Boot or Logon Autostart Execution

                  1
                  T1547

                  Registry Run Keys / Startup Folder

                  1
                  T1547.001

                  Defense Evasion

                  Modify Registry

                  1
                  T1112

                  Credential Access

                  Discovery

                  Query Registry

                  3
                  T1012

                  Peripheral Device Discovery

                  2
                  T1120

                  System Information Discovery

                  2
                  T1082

                  Lateral Movement

                  Collection

                  Exfiltration

                  Command and Control

                  Impact

                  Resource Development

                  Reconnaissance

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
                    Filesize

                    2KB

                    MD5

                    f73ad3d2a9d22b5b2a4b0c8c2c219eee

                    SHA1

                    1a25bc2cf651d987eaf38c19edee435d17ebc991

                    SHA256

                    0e848e0727b4f9a2e8eabf73d14132ab25794831bd7213e50f7b9727112ce6b0

                    SHA512

                    ab76be465af793e48071ad3f6d86f59fdb118cacd250d8e18bb6d91c20f6ea28d6baf3344c6d22bcffb91d36e81fdf42708eeb590274d709fc623a8d70fba111

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fc386f96-b954-4f5b-837f-a7d7ad4b818c}\0.0.filtertrie.intermediate.txt
                    Filesize

                    28KB

                    MD5

                    ab6db363a3fc9e4af2864079fd88032d

                    SHA1

                    aa52099313fd6290cd6e57d37551d63cd96dbe45

                    SHA256

                    373bb433c2908af2e3de58ede2087642814564560d007e61748cdb48d4e9da3f

                    SHA512

                    d3d13d17df96705d0de119ad0f8380bfe6b7bc44c618e2fcd0233061a0ab15beae44d38c48a880121b35f90f56c1529e5f4cf1a19acb9e2cbba5d1c402c749c0

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fc386f96-b954-4f5b-837f-a7d7ad4b818c}\0.1.filtertrie.intermediate.txt
                    Filesize

                    5B

                    MD5

                    34bd1dfb9f72cf4f86e6df6da0a9e49a

                    SHA1

                    5f96d66f33c81c0b10df2128d3860e3cb7e89563

                    SHA256

                    8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

                    SHA512

                    e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fc386f96-b954-4f5b-837f-a7d7ad4b818c}\0.2.filtertrie.intermediate.txt
                    Filesize

                    5B

                    MD5

                    c204e9faaf8565ad333828beff2d786e

                    SHA1

                    7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

                    SHA256

                    d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

                    SHA512

                    e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fc386f96-b954-4f5b-837f-a7d7ad4b818c}\Apps.ft
                    Filesize

                    38KB

                    MD5

                    84ac0c242b77b8fc326db0a5926b089e

                    SHA1

                    cc6b367ae8eb38561de01813b7d542067fb2318f

                    SHA256

                    b1557167a6df424f8b28aabd31d1b7e8a469dd50d2ae4cbbd43afd8f9c62cf92

                    SHA512

                    8f63084bd5a270b7b05e80454d26127b69bcb98ec93d9fad58d77203934f46b677a3aaf20f29e73dcd7035deb61f4c0aa3b10acbc4c0fc210632c1d74f705d2f

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fc386f96-b954-4f5b-837f-a7d7ad4b818c}\Apps.index
                    Filesize

                    1.0MB

                    MD5

                    f4514c93191e0efc0f61036e4ebb341a

                    SHA1

                    c80478e9a734790c18584f67a43518aa4a7dcf58

                    SHA256

                    43da4fa5f62affe399ceaac2d489b7cde610963a48e72d445bebe6f2c63a3600

                    SHA512

                    8aecb3491767e040a52f351908004db2c8f2f083397744585c2832212ec8aa288d3492be941a48b04774e16b43672ab167209776cbdef6692fef684fc54666a6

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133589478054957979.txt
                    Filesize

                    75KB

                    MD5

                    c5ae1d659a98bebb9d7503624dc1f57a

                    SHA1

                    300912839f2329cf841c7f7422d1ed678fcb9e2f

                    SHA256

                    aaff85e3f06e15d259fef6a4db21715a89f51689a1ef2618f51b134677f93529

                    SHA512

                    15144ea7e3d8723fdeb74d3244f231f3cad6d7219436bb08cb005e546f766c46797da5db723f607f101d78bd05bc5bd112c20a5c306e7710bee6cd45746f8b11

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\2P3G45R4\microsoft.windows[1].xml
                    Filesize

                    97B

                    MD5

                    afbf8b48f619067e504e7a8cd9052876

                    SHA1

                    9b4f68d3b028bf54c660794692a716090dfdeefc

                    SHA256

                    e89ecb65b458b3c7d2a6c8958e5720b43270c07c390d4bef4fdcb69f64a936c2

                    SHA512

                    34b3acd7c5c9775d5cf0dcb10e2f6d639a2759f1d83ab9fc307cd58908e0d4413a6e99a50d73552fc90acc8041ce22d603a85b09e533ea16e1f13b211dba1ecc

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ftchvkq3.nnd.ps1
                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    Download Submit
                  • memory/1108-11-0x0000019767CD0000-0x0000019767CE0000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/1108-18-0x00007FF999D00000-0x00007FF99A7C1000-memory.dmp
                    Filesize

                    10.8MB

                    Download
                  • memory/1108-17-0x000001976A0A0000-0x000001976A0A4000-memory.dmp
                    Filesize

                    16KB

                    Download
                  • memory/1108-16-0x0000019767CD0000-0x0000019767CE0000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/1108-14-0x0000019767CD0000-0x0000019767CE0000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/1108-13-0x0000019767CD0000-0x0000019767CE0000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/1108-12-0x0000019767CD0000-0x0000019767CE0000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/1108-10-0x00007FF999D00000-0x00007FF99A7C1000-memory.dmp
                    Filesize

                    10.8MB

                    Download
                  • memory/1108-9-0x000001976A020000-0x000001976A042000-memory.dmp
                    Filesize

                    136KB

                    Download
                  • memory/2368-89-0x0000000004060000-0x0000000004061000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/2568-52-0x000001DA62B70000-0x000001DA62B90000-memory.dmp
                    Filesize

                    128KB

                    Download
                  • memory/2568-63-0x000001DA63180000-0x000001DA631A0000-memory.dmp
                    Filesize

                    128KB

                    Download
                  • memory/2568-35-0x000001DA621A0000-0x000001DA622A0000-memory.dmp
                    Filesize

                    1024KB

                    Download
                  • memory/2568-40-0x000001DA62BB0000-0x000001DA62BD0000-memory.dmp
                    Filesize

                    128KB

                    Download
                  • memory/3160-217-0x0000000004810000-0x0000000004811000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/4304-223-0x000001980D2E0000-0x000001980D300000-memory.dmp
                    Filesize

                    128KB

                    Download
                  • memory/4304-218-0x000001980C400000-0x000001980C500000-memory.dmp
                    Filesize

                    1024KB

                    Download
                  • memory/4304-245-0x000001980D8C0000-0x000001980D8E0000-memory.dmp
                    Filesize

                    128KB

                    Download
                  • memory/4304-235-0x000001980D2A0000-0x000001980D2C0000-memory.dmp
                    Filesize

                    128KB

                    Download