8a861dc6c86df23a36ef912e89ce3d5ae4e8b8178df3d74b4a58d9f9706d5047

General

Target

8a861dc6c86df23a36ef912e89ce3d5ae4e8b8178df3d74b4a58d9f9706d5047.exe
Size

649KB
MD5

e6766a6f6aa24df00329fd135baee026
SHA1

9ebc9a61310473c70140a38be14cbe0debac1354
SHA256

8a861dc6c86df23a36ef912e89ce3d5ae4e8b8178df3d74b4a58d9f9706d5047
SHA512

d458043be4e624d2d268d222ae4422e3137f85cff98745862b1b6c820e37138fcacdfc22f1fe3a3c6841d79390dc07e7a6fc8a062014cbca6df11f06a6514813
SSDEEP

12288:Eky/iqUIzivShD4AxYafSPiuGPQlXZyFaT6Rqot+xpEEUy96WPq6Ow6yv7C:8/iqUYivShDdYafuPXE2otKjVNPHqAC

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1008	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
4	drive.google.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1008	powershell.exe
2776	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1008 set thread context of 2776	1008	powershell.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1008	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1008	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1008	1660	8a861dc6c86df23a36ef912e89ce3d5ae4e8b8178df3d74b4a58d9f9706d5047.exe	28
PID 1660 wrote to memory of 1008	1660	8a861dc6c86df23a36ef912e89ce3d5ae4e8b8178df3d74b4a58d9f9706d5047.exe	28
PID 1660 wrote to memory of 1008	1660	8a861dc6c86df23a36ef912e89ce3d5ae4e8b8178df3d74b4a58d9f9706d5047.exe	28
PID 1660 wrote to memory of 1008	1660	8a861dc6c86df23a36ef912e89ce3d5ae4e8b8178df3d74b4a58d9f9706d5047.exe	28
PID 1008 wrote to memory of 3032	1008	powershell.exe	30
PID 1008 wrote to memory of 3032	1008	powershell.exe	30
PID 1008 wrote to memory of 3032	1008	powershell.exe	30
PID 1008 wrote to memory of 3032	1008	powershell.exe	30
PID 1008 wrote to memory of 2776	1008	powershell.exe	32
PID 1008 wrote to memory of 2776	1008	powershell.exe	32
PID 1008 wrote to memory of 2776	1008	powershell.exe	32
PID 1008 wrote to memory of 2776	1008	powershell.exe	32
PID 1008 wrote to memory of 2776	1008	powershell.exe	32
PID 1008 wrote to memory of 2776	1008	powershell.exe	32

C:\Users\Admin\AppData\Local\Temp\8a861dc6c86df23a36ef912e89ce3d5ae4e8b8178df3d74b4a58d9f9706d5047.exe
"C:\Users\Admin\AppData\Local\Temp\8a861dc6c86df23a36ef912e89ce3d5ae4e8b8178df3d74b4a58d9f9706d5047.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Driftskapitals=Get-Content 'C:\Users\Admin\AppData\Local\Brugeruddannelsers219\uraniscochasma\Hingstplag\Derogatory\Obstinative\Stinkdyrene\Usikkerhedsmomenterne.Sup';$Klydernes=$Driftskapitals.SubString(15921,3);.$Klydernes($Driftskapitals)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
    3⤵
    PID:3032
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Brugeruddannelsers219\uraniscochasma\Hingstplag\Derogatory\Obstinative\Stinkdyrene\Cisternernes.Iri

Filesize
318KB

MD5
2eab73ee0b01fe66c73055c1c2fa4ade

SHA1
0f0e29a9db7f15372d4f0962fe3327449687103b

SHA256
e8247d54cef465f896ad1430a812b7872c7cbcbccdddc95c3ab03027b5642a6c

SHA512
afc3619d72b14320d45a9249a317ff5980036d6133615dc7158ba8583668a34ab2aef3edf31f866aef6cc22cd4acf1b54d0e1736acd3fea0676cbceb2b7846d4

Download Submit
C:\Users\Admin\AppData\Local\Brugeruddannelsers219\uraniscochasma\Hingstplag\Derogatory\Obstinative\Stinkdyrene\Usikkerhedsmomenterne.Sup

Filesize
58KB

MD5
f75f469413f7ee4a1aa5684598b21dc2

SHA1
9ced6780f56759a64019fb90f02323382b7d37b8

SHA256
995bc94d2131edcae86c7d3f939a54a0f75f48eceee27633a43a502f4c3d4c21

SHA512
19a0745c7ce6a2294fcf9de80996dc7e2898401f69f88d7f1373d718655bcfbb0fec04585dddce0971d5a3acf339ed9e64a3d9783d221dbaec5ac3347b42b568

Download Submit
memory/1008-13-0x0000000006720000-0x000000000AF4B000-memory.dmp

Filesize
72.2MB

Download
memory/2776-35-0x0000000000520000-0x0000000001582000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing