a59da8c3da0e8aa6621ef7aeb786958ea98691060e741ac5abcb328d37f6e947

General

Target

a59da8c3da0e8aa6621ef7aeb786958ea98691060e741ac5abcb328d37f6e947.exe
Size

787KB
MD5

6c984dd6faad761de792293a9cd30c1e
SHA1

bc17076ca2251c31ae3b0cccc2030de0fa6dcd74
SHA256

a59da8c3da0e8aa6621ef7aeb786958ea98691060e741ac5abcb328d37f6e947
SHA512

05ea3f148d5b172d6dda8ace37f557a53b18deeed983e65b7c927e45c9edc5b9fe7b7def6761a0a167655f90e165ca0cbf0024833b2f107cd578e6c520ed4f54
SSDEEP

12288:DDGTAY8L9W1KOFxJUuuz9PhigvacmLzlUannZIVlUfND1uAbf43vGxIRK/dUbz:IAzRW1KMxJ6igTmKKnZIVlUPM3Un1Ubz

Score

5^/10

execution

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Powershell.exeImagingDevices.exe

pid process

1584 Powershell.exe
748 ImagingDevices.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Powershell.exe

description pid process target process

PID 1584 set thread context of 748 1584 Powershell.exe ImagingDevices.exe

pid	process
1584	Powershell.exe
748	ImagingDevices.exe

description	pid	process	target process
PID 1584 set thread context of 748	1584	Powershell.exe	ImagingDevices.exe

Drops file in Program Files directory 2 IoCs

Processes:

a59da8c3da0e8aa6621ef7aeb786958ea98691060e741ac5abcb328d37f6e947.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Priory\Nedbrsmngde123.ini	a59da8c3da0e8aa6621ef7aeb786958ea98691060e741ac5abcb328d37f6e947.exe
File opened for modification	C:\Program Files (x86)\Common Files\Misaddressing.Sta	a59da8c3da0e8aa6621ef7aeb786958ea98691060e741ac5abcb328d37f6e947.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

Powershell.exe

pid process

1584 Powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Powershell.exe

pid process

1584 Powershell.exe
1584 Powershell.exe
1584 Powershell.exe
1584 Powershell.exe
1584 Powershell.exe
1584 Powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Powershell.exe

pid process

1584 Powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Powershell.exe

description pid process

Token: SeDebugPrivilege 1584 Powershell.exe

pid	process
1584	Powershell.exe

pid	process
1584	Powershell.exe
1584	Powershell.exe
1584	Powershell.exe
1584	Powershell.exe
1584	Powershell.exe
1584	Powershell.exe

pid	process
1584	Powershell.exe

description	pid	process
Token: SeDebugPrivilege	1584	Powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

a59da8c3da0e8aa6621ef7aeb786958ea98691060e741ac5abcb328d37f6e947.exePowershell.exe

description	pid	process	target process
PID 2428 wrote to memory of 1584	2428	a59da8c3da0e8aa6621ef7aeb786958ea98691060e741ac5abcb328d37f6e947.exe	Powershell.exe
PID 2428 wrote to memory of 1584	2428	a59da8c3da0e8aa6621ef7aeb786958ea98691060e741ac5abcb328d37f6e947.exe	Powershell.exe
PID 2428 wrote to memory of 1584	2428	a59da8c3da0e8aa6621ef7aeb786958ea98691060e741ac5abcb328d37f6e947.exe	Powershell.exe
PID 2428 wrote to memory of 1584	2428	a59da8c3da0e8aa6621ef7aeb786958ea98691060e741ac5abcb328d37f6e947.exe	Powershell.exe
PID 1584 wrote to memory of 2236	1584	Powershell.exe	cmd.exe
PID 1584 wrote to memory of 2236	1584	Powershell.exe	cmd.exe
PID 1584 wrote to memory of 2236	1584	Powershell.exe	cmd.exe
PID 1584 wrote to memory of 2236	1584	Powershell.exe	cmd.exe
PID 1584 wrote to memory of 748	1584	Powershell.exe	ImagingDevices.exe
PID 1584 wrote to memory of 748	1584	Powershell.exe	ImagingDevices.exe
PID 1584 wrote to memory of 748	1584	Powershell.exe	ImagingDevices.exe
PID 1584 wrote to memory of 748	1584	Powershell.exe	ImagingDevices.exe
PID 1584 wrote to memory of 748	1584	Powershell.exe	ImagingDevices.exe
PID 1584 wrote to memory of 748	1584	Powershell.exe	ImagingDevices.exe

C:\Users\Admin\AppData\Local\Temp\a59da8c3da0e8aa6621ef7aeb786958ea98691060e741ac5abcb328d37f6e947.exe
"C:\Users\Admin\AppData\Local\Temp\a59da8c3da0e8aa6621ef7aeb786958ea98691060e741ac5abcb328d37f6e947.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -windowstyle minimized "$Dulles = Get-Content 'C:\Users\Admin\AppData\Local\Temp\Personalerabatterne\Servicegarantiers.Met' ; $Sherryens=$Dulles.SubString(71538,3);.$Sherryens($Dulles) "
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
3⤵
PID:2236

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:748

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Genkbsvrdis.ini
Filesize
40B

MD5
67f7fb5e22799f4047a15a3914f69c2d

SHA1
06dba7dcdd82dc1f93dcfade2b685ac8ea686825

SHA256
ab226586c4f054353e0649d4cc3ea8b1fd9c6cc30e6a2c86c79bda996e5cd70b

SHA512
43d9acf5082cca2b4f615ccc866f2b69b2b8d290b807f13334cd924a1191dd9dd872a279689a625869976511e2ecbc6bafedafa1b39aa5c8cf23ab2b2a2cf1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Personalerabatterne\Servicegarantiers.Met
Filesize
69KB

MD5
2833201aa6f7fc20aa9bc6c30ada040c

SHA1
5c2248094eeef1dff5ee628b114bd16e06860abd

SHA256
a651d2d6b6ba530c879db1dc2ac0deedaf5bef5202c669523c9f3ea4c5fdf69d

SHA512
35cc2c08029c3a64481617a49ce0fe5e7100cedc0b63086e5beb9db40e766bba161fd314572a570aa7ff1842b9b9efd667b425ccf7643abbc74ff4b1aa009bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Personalerabatterne\Warpages.Hig160
Filesize
437KB

MD5
aaa2b700c96ee2b1e605f5fb52aad4d2

SHA1
60618eaa508fc6549b656b2199c2fa27b723f3e4

SHA256
8d64e3ed19f8f6165f4778e602126a532a37c1f8e242ec859f024ea4d8479547

SHA512
c77c301258a2707d011c8114359b93c5f25a9d24975a8cf1e1bf9d24aabe6b315dc35465782ab37ecc4bd5e9506678dff81b6ac3b763f1b8bb530471c4c1cd99

Download Submit
memory/748-3168-0x0000000000260000-0x00000000012C2000-memory.dmp

Filesize
16.4MB

Download
memory/1584-3159-0x0000000073D41000-0x0000000073D42000-memory.dmp

Filesize
4KB

Download
memory/1584-3160-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download
memory/1584-3161-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download
memory/1584-3163-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download
memory/1584-3162-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download
memory/1584-3166-0x0000000006420000-0x00000000070F7000-memory.dmp

Filesize
12.8MB

Download
memory/1584-3167-0x0000000073D40000-0x00000000742EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing