225c8b858d69c4e83b829239690e4a1d949ad15451788eb944744ded077bdfc1

General

Target

Overdue invoices.exe
Size

940KB
MD5

c7b087e71a071682a9b3db6c81933d71
SHA1

18aaa45e787e719b74e6d3e01d3cfbbbef4797ff
SHA256

9e7e7b336ebca231604ff7e00ac74974c885c0c27d7e671767e4f04655d42f44
SHA512

cbfc05afef4c590078e5fd9c429d45a4ae9b33e5cf3c4059fff2d7f9450d7b038682ce4188c8bfd99f5b4e1f26dbb97cd43067ee1eed837e94d3f660d12a97f0
SSDEEP

24576:owIC9jSMMMMMHLMMMMMMMMMMMMMoN8sLEACrlC9d1IKzMwESaUnrRbzIWF:FIC9jSMMMMMHLMMMMMMMMMMMMMy8sLEU

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1400	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1400	powershell.exe
2808	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1400 set thread context of 2808	1400	powershell.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1400	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1400	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1400	2416	Overdue invoices.exe	28
PID 2416 wrote to memory of 1400	2416	Overdue invoices.exe	28
PID 2416 wrote to memory of 1400	2416	Overdue invoices.exe	28
PID 2416 wrote to memory of 1400	2416	Overdue invoices.exe	28
PID 1400 wrote to memory of 2728	1400	powershell.exe	30
PID 1400 wrote to memory of 2728	1400	powershell.exe	30
PID 1400 wrote to memory of 2728	1400	powershell.exe	30
PID 1400 wrote to memory of 2728	1400	powershell.exe	30
PID 1400 wrote to memory of 2808	1400	powershell.exe	32
PID 1400 wrote to memory of 2808	1400	powershell.exe	32
PID 1400 wrote to memory of 2808	1400	powershell.exe	32
PID 1400 wrote to memory of 2808	1400	powershell.exe	32
PID 1400 wrote to memory of 2808	1400	powershell.exe	32
PID 1400 wrote to memory of 2808	1400	powershell.exe	32

C:\Users\Admin\AppData\Local\Temp\Overdue invoices.exe
"C:\Users\Admin\AppData\Local\Temp\Overdue invoices.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Omphalopsychite=Get-Content 'C:\Users\Admin\AppData\Roaming\paeony\deputising\Genfremsttelserne\Udskriftsprogrammets152\Vernalizes.Unm';$Overherredmmerne=$Omphalopsychite.SubString(50910,3);.$Overherredmmerne($Omphalopsychite)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
    3⤵
    PID:2728
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\paeony\deputising\Genfremsttelserne\Udskriftsprogrammets152\Vernalizes.Unm

Filesize
49KB

MD5
3c3d4c407384bb53c576b50c2af8bbef

SHA1
148684cbcd0b18289ed12f32b12005b75f5ad2cb

SHA256
254b0abed54dcce4cea7d28471894f133ebd9cbad49b93ee1efb1a0cc717aacd

SHA512
98af0251d7e36fe8691a72bdf6ac24138f40ff4f18d458de5a2a691fdc6dd8bef984be89338bd94a3c4849aea3941f6aa639158e04da60f88688b4f376f0190b

Download Submit
C:\Users\Admin\AppData\Roaming\paeony\deputising\Genfremsttelserne\Udskriftsprogrammets152\nybygning.Nyn

Filesize
337KB

MD5
49bd71b2fe0d79a738da25247b74cf1d

SHA1
c960adb895de16014b32ce1eb64df735082f9cb8

SHA256
4f7862531f398dbb81ae5a1388caa96dda5a5e5ab1d2771bc2c7d348dc64e544

SHA512
daf0eb15a2f42eef300cc4acd9b7639f79e4168ef23ac75ec81062a0c69631747f9c2223cad65411b4c39e48be672a44d0b5b46da9034e18087f89b60457ba54

Download Submit
memory/1400-8-0x00000000744F1000-0x00000000744F2000-memory.dmp

Filesize
4KB

Download
memory/1400-9-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1400-12-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1400-11-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1400-10-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1400-16-0x0000000006680000-0x000000000A8E8000-memory.dmp

Filesize
66.4MB

Download
memory/1400-17-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-18-0x0000000000DB0000-0x0000000001E12000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing