Analysis
max time kernel: 133s
max time network: 126s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 18:11

Static task: static1
Behavioral task behavioral1: sample "Colep Packaging Polska (602447) - invoice 342000749.exe", resource win7-20240508-en
Behavioral task behavioral2: sample "Colep Packaging Polska (602447) - invoice 342000749.exe", resource win10v2004-20240508-en
Behavioral task behavioral3: sample Stningsstrukturers.ps1, resource win7-20240215-en
Behavioral task behavioral4: sample Stningsstrukturers.ps1, resource win10v2004-20240426-en
General
Target: Stningsstrukturers.ps1
Size: 58KB
MD5: dd200d8c3c09458738a4ee7d421a891b
SHA1: 5821db55a8a2e95c67411c18893530d9c3cd47c6
SHA256: 0e5ad13c4627a6fcb258cbcf2e67bde5ac0f66b8e85291ba05dacc5021eeb4df
SHA512: a2faef0cb547f0ee91ca5b45893300fc18943d1389f593bf2b58f557d8e85f7346e55be8a592c87e6e32dc98f9d568a05e59cc7d93b9288391c0465b6a68f39d
SSDEEP: 1536:sWQH2/5I3Msf3ZYyEkBsrTX+SKmiXY81ruyMmWKYgZVYJ:sWi65tOJ7EkW+SCDrZ9Ycs
Malware Config
Signatures
Modifies Installed Components in the registry (2 TTPs, 1 IoC)
Process: explorer.exe
  Key created: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)

Modifies registry class (5 IoCs)
Process: explorer.exe
  Key created: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings (explorer.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Process: powershell.exe, PID 2040 (8 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Process: explorer.exe, PID 868

Suspicious use of AdjustPrivilegeToken (13 IoCs)
Processes: powershell.exe, explorer.exe
  Token: SeDebugPrivilege, PID 2040 powershell.exe (1 event)
  Token: SeShutdownPrivilege, PID 868 explorer.exe (12 events)

Suspicious use of FindShellTrayWindow (29 IoCs)
Process: explorer.exe, PID 868 (29 events)

Suspicious use of SendNotifyMessage (22 IoCs)
Process: explorer.exe, PID 868 (22 events)

Suspicious use of WriteProcessMemory (6 IoCs)
Process: powershell.exe
  PID 2040 powershell.exe wrote to memory of PID 2084 cmd.exe (3 events)
  PID 2040 powershell.exe wrote to memory of PID 2660 wermgr.exe (3 events)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
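The signature records use of the API but lists no task (1 TTP, no IoCs), so the check a practitioner wants is against the task store itself: on a live host via Get-ScheduledTask or the Schedule.Service COM object, or offline by parsing the per-task XML under C:\Windows\System32\Tasks. The Python below is added here as an example and is not part of the sandbox's report, its tooling or the sample; it parses that XML layout and flags tasks that pair a logon/boot/registration trigger with a script host, a user-writable path, an execution-policy bypass or a hidden window. The two task definitions, their paths and command lines are constructed for the example; the report names no task.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by the task XML files Windows stores under C:\Windows\System32\Tasks.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definitions in that XML layout. Task paths, commands and
# arguments are this example's assumptions, not IoCs from the report.
TASK_STORE = {
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2024-05-22T01:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c</Arguments></Exec>
  </Actions>
</Task>""",
    r"\UpdaterTask": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
      <Arguments>-ExecutionPolicy bypass -WindowStyle hidden -File C:\\Users\\Admin\\AppData\\Roaming\\Updater.ps1</Arguments>
    </Exec>
  </Actions>
</Task>""",
}

# Assumed lists; extend them for the environment being investigated.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
PERSISTENCE_TRIGGERS = {"LogonTrigger", "BootTrigger", "RegistrationTrigger"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
PS_BYPASS = re.compile(r"-(?:executionpolicy|ep|exec)\s+bypass", re.I)
PS_HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def local(tag):
    """Strip the XML namespace from a tag: '{ns}LogonTrigger' -> 'LogonTrigger'."""
    return tag.rsplit("}", 1)[-1]


def parse_task(xml_text):
    """Return the trigger kinds and (command, arguments) pairs of one task definition."""
    root = ET.fromstring(xml_text)
    triggers = root.find("t:Triggers", NS)
    actions = []
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        actions.append((ex.findtext("t:Command", default="", namespaces=NS),
                        ex.findtext("t:Arguments", default="", namespaces=NS)))
    return {"triggers": [local(t.tag) for t in triggers] if triggers is not None else [],
            "actions": actions}


def assess(task):
    """Return the reasons a parsed task deserves a look; an empty list means nothing stood out."""
    reasons = []
    persistent = set(task["triggers"]) & PERSISTENCE_TRIGGERS
    if persistent:
        reasons.append("runs at " + ", ".join(sorted(persistent)))
    for command, arguments in task["actions"]:
        exe = command.strip('"').rsplit("\\", 1)[-1].lower()
        blob = f"{command} {arguments}".lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"action is a script host ({exe})")
        if any(d in blob for d in USER_WRITABLE):
            reasons.append("action references a user-writable path")
        if PS_BYPASS.search(blob):
            reasons.append("execution policy bypass")
        if PS_HIDDEN.search(blob):
            reasons.append("hidden window")
    return reasons


def hunt(task_store):
    """Assess every task definition; return {task_path: reasons} for those with findings."""
    hits = {}
    for path, xml_text in task_store.items():
        reasons = assess(parse_task(xml_text))
        if reasons:
            hits[path] = reasons
    return hits


if __name__ == "__main__":
    for path, reasons in hunt(TASK_STORE).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Against the constructed store only \UpdaterTask is reported, with all five reasons; the defrag task has a calendar trigger and a system binary and produces nothing. On a real host, feed hunt() the contents of every file under the Tasks directory keyed by its relative path, and treat a task whose only finding is a persistence trigger as ordinary.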
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2040)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Stningsstrukturers.ps1
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (PID 2084, parent 2040)
      Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
    C:\Windows\system32\wermgr.exe (PID 2660, parent 2040)
      Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2040" "1092"
C:\Windows\explorer.exe (PID 868)
  Command line: explorer.exe
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
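The tree above is the substance of this report, and a few details decide how to read it. powershell.exe (PID 2040) runs the script from the user's Temp directory with the execution policy bypassed; that launch and its two children are the only behaviour here attributable to the sample. wermgr.exe with "-outproc" "2040" is Windows Error Reporting's out-of-process handler started for PID 2040, which means the PowerShell process faulted during the run, so the script may not have reached its payload. The WriteProcessMemory entries (three per child, each into a process PowerShell had just created) are consistent with ordinary process creation, where the parent writes the new child's startup parameters into it, rather than injection into a running process. explorer.exe (PID 868) is the desktop shell with no parent in the sample's tree, so the shell-bag, Active Setup, tray-window and SendNotifyMessage signatures attributed to it are baseline desktop activity. The Python below is added here as an illustration and is not part of the sandbox's report or tooling; it applies those rules to process records modelled on the tree. The record layout, the regexes and the user-writable path list are assumptions.

```python
import re
from collections import defaultdict

# Constructed process records modelled on the process tree in the report above.
# The record layout (pid/ppid/image/cmdline) is this example's own assumption,
# not the sandbox's export format.
PROCESSES = [
    {"pid": 2040, "ppid": None,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Stningsstrukturers.ps1"},
    {"pid": 2084, "ppid": 2040, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"'},
    {"pid": 2660, "ppid": 2040, "image": r"C:\Windows\system32\wermgr.exe",
     "cmdline": r'"C:\Windows\system32\wermgr.exe" "-outproc" "2040" "1092"'},
    {"pid": 868, "ppid": None, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

# Command-line patterns and an assumed list of user-writable locations;
# extend both for the environment being investigated.
PS_BYPASS = re.compile(r"-(?:executionpolicy|ep|exec)\s+bypass", re.I)
PS_FILE = re.compile(r'-file\s+(?:"([^"]+)"|(\S+))', re.I)
WER_OUTPROC = re.compile(r'-outproc"?\s+"?(\d+)', re.I)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\",
                 "\\programdata\\", "\\windows\\temp\\")


def basename(path):
    """File name of an image path, lower-cased, quotes removed."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def build_tree(procs):
    """Index records by PID and map each PID to its direct children."""
    by_pid = {p["pid"]: p for p in procs}
    kids = defaultdict(list)
    for p in procs:
        if p["ppid"] in by_pid:
            kids[p["ppid"]].append(p["pid"])
    return by_pid, kids


def descendants(kids, root):
    """All PIDs below root in the tree, sorted."""
    out, stack = [], list(kids.get(root, []))
    while stack:
        pid = stack.pop()
        out.append(pid)
        stack.extend(kids.get(pid, []))
    return sorted(out)


def powershell_findings(p):
    """Reasons a PowerShell launch deserves attention (empty for non-PowerShell or clean launches)."""
    if basename(p["image"]) != "powershell.exe":
        return []
    cmd = p["cmdline"]
    reasons = []
    if PS_BYPASS.search(cmd):
        reasons.append("execution policy bypass")
    m = PS_FILE.search(cmd)
    if m:
        script = m.group(1) or m.group(2)
        if any(d in script.lower() for d in USER_WRITABLE):
            reasons.append("script executed from user-writable path: " + script)
    return reasons


def wer_crash_reports(procs):
    """Map faulting PID -> wermgr PID. wermgr.exe -outproc <pid> is Windows Error
    Reporting's out-of-process handler for the process whose PID follows the flag."""
    crashes = {}
    for p in procs:
        if basename(p["image"]) == "wermgr.exe":
            m = WER_OUTPROC.search(p["cmdline"])
            if m:
                crashes[int(m.group(1))] = p["pid"]
    return crashes


def triage(procs):
    """Separate the sample's tree from unrelated roots and note whether it crashed."""
    by_pid, kids = build_tree(procs)
    crashes = wer_crash_reports(procs)
    suspicious, related = {}, set()
    for pid, p in by_pid.items():
        reasons = powershell_findings(p)
        if not reasons:
            continue
        below = descendants(kids, pid)
        related.update([pid, *below])
        suspicious[pid] = {"reasons": reasons,
                           "children": [(c, basename(by_pid[c]["image"])) for c in below],
                           "crashed": pid in crashes}
    unrelated_roots = sorted(p["pid"] for p in procs
                             if p["ppid"] not in by_pid and p["pid"] not in related)
    return {"suspicious": suspicious, "unrelated_roots": unrelated_roots}


if __name__ == "__main__":
    print(triage(PROCESSES))
```

Run against the constructed records, triage() attributes PID 2040 with its two children to the sample, marks it as crashed because of the wermgr.exe -outproc 2040 child, and lists PID 868 as an unrelated root, which is how the explorer.exe signatures should be weighed. The same functions apply to process-creation events from Sysmon or an EDR once mapped onto the record layout.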
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: b92ce0f8191ed1d64849dbb30be2d9bf
SHA1: a7c58d83a9cc60f4725a25d3856eb544647c7ad0
SHA256: d7515312224805fde8caf08bb341bb644f50c5a2d631af2ac6c5747d184ac7d9
SHA512: 72403f6b8a266559afe4513149805b815d47d790354389c5c5c9684e3992206c717955a66600de4d6ee676792b6df011fa6d81ea14a57ece1d629b459932cfd5