53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f

General

Target

53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe
Size

573KB
MD5

b07b3994ad66a39937d9081eb64cd5f5
SHA1

3fffe0fb2721f440909f99c5cb74d1d556ac45bb
SHA256

53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f
SHA512

43c7d08528c57467054c69c7d2b007662f618604abb465d92b1118dff290d0cb0bc8b2458ef35ae93fbc4d4b2f5527c298c350fc7743a21eacd548bd5f02d6e5
SSDEEP

6144:KcBvWsKG0/FZuK1JnKr4AlEhZmqUH1o0TLIaGWDwiyPAw9RyJqIZRSNQABuX+rVy:nKFZ1exehZmNHKyrwLpaJlZrf+r0

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe

pid process

1568 53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 drive.google.com
5 drive.google.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe

pid process

2104 53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe

flow	ioc
3	drive.google.com
5	drive.google.com

pid	process
2104	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe

pid	process
1568	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe
2104	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe

description	pid	process	target process
PID 1568 set thread context of 2104	1568	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe

Drops file in Program Files directory 4 IoCs

Processes:

53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Fertiliseringerne\imperceptibly.ini	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe
File opened for modification	C:\Program Files (x86)\reliable\aldersbestemmelse.ini	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe
File opened for modification	C:\Program Files (x86)\Common Files\besvimelses.str	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe
File opened for modification	C:\Program Files (x86)\Telepatisk.ini	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe

Drops file in Windows directory 2 IoCs

Processes:

53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe

description	ioc	process
File opened for modification	C:\Windows\tasselling\sporvognsskinne.Rev	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe
File opened for modification	C:\Windows\ingvardts.Sin	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1600 2104 WerFault.exe 53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe

pid process

2104 53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe

pid process

1568 53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe

pid	pid_target	process	target process
1600	2104	WerFault.exe	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe

pid	process
2104	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe

description	pid	process	target process
PID 1568 wrote to memory of 2104	1568	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe
PID 1568 wrote to memory of 2104	1568	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe
PID 1568 wrote to memory of 2104	1568	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe
PID 1568 wrote to memory of 2104	1568	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe
PID 1568 wrote to memory of 2104	1568	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe
PID 1568 wrote to memory of 2104	1568	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe
PID 2104 wrote to memory of 1600	2104	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe	WerFault.exe
PID 2104 wrote to memory of 1600	2104	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe	WerFault.exe
PID 2104 wrote to memory of 1600	2104	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe	WerFault.exe
PID 2104 wrote to memory of 1600	2104	53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe
"C:\Users\Admin\AppData\Local\Temp\53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Local\Temp\53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe
"C:\Users\Admin\AppData\Local\Temp\53501f12261fc6003fb771379846bfc0bad23e331f0ccde984c431c22901881f.exe"
2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 68
3⤵
- Program crash
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nst705.tmp\System.dll

Filesize
12KB

MD5
12b140583e3273ee1f65016becea58c4

SHA1
92df24d11797fefd2e1f8d29be9dfd67c56c1ada

SHA256
014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042

SHA512
49ffdfa1941361430b6acb3555fd3aa05e4120f28cbdf7ceaa2af5937d0b8cccd84471cf63f06f97cf203b4aa20f226bdad082e9421b8e6b62ab6e1e9fc1e68a

Download Submit
memory/1568-13-0x00000000772B1000-0x00000000773B2000-memory.dmp

Filesize
1.0MB

Download
memory/1568-14-0x00000000772B0000-0x0000000077459000-memory.dmp

Filesize
1.7MB

Download
memory/2104-15-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2104-16-0x00000000772B0000-0x0000000077459000-memory.dmp

Filesize
1.7MB

Download
memory/2104-17-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2104-39-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2104-41-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2104-40-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2104-42-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2104-43-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2104-44-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads