c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba

General

Target

c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
Size

597KB
MD5

01fcb8fb62b7bcf6fa81e765d0c3f571
SHA1

2fb9a233ba5c4ec26c275b10300b2e5b57baa435
SHA256

c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba
SHA512

059f448f4db5e4ca667bc2a7fec0f45705aa9217bdb0bce701670df75cb29739cea2cdd4f1123cd6ff8d164d8552448b28def00c88ae1ff850f8cca0667230ec
SSDEEP

12288:1oGrkbKNHKTGwvqXsIkkTLlrvK94BPbSGgW:1oGIbIHKT7vCgk3lLu61n

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2904	powershell.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\bores.lnk	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File created	C:\Windows\SysWOW64\Pentose.lnk	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification	C:\Windows\SysWOW64\Pentose.lnk	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification	C:\Windows\SysWOW64\playgoers.sep	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File created	C:\Windows\SysWOW64\bores.lnk	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Vaginismus.ini	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification	C:\Program Files (x86)\Common Files\nvningedomstol\arbejdskommando.sto	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification	C:\Program Files (x86)\Common Files\Pygopagus172\matthfus.ala	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification	C:\Program Files (x86)\Common Files\lnstigningsmnstre\Ccny.sta	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\yer.ini	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification	C:\Windows\truthlessly\Stablish.ini	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification	C:\Windows\resources\0409\ejerlst.uns	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
File opened for modification	C:\Windows\resources\fysiurg\Cheesecutter.ini	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
664	2904	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2904	powershell.exe
2904	powershell.exe
2904	powershell.exe
2904	powershell.exe
2904	powershell.exe
2904	powershell.exe
2904	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 2904	3660	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe	81
PID 3660 wrote to memory of 2904	3660	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe	81
PID 3660 wrote to memory of 2904	3660	c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe	81
PID 2904 wrote to memory of 3480	2904	powershell.exe	83
PID 2904 wrote to memory of 3480	2904	powershell.exe	83
PID 2904 wrote to memory of 3480	2904	powershell.exe	83

C:\Users\Admin\AppData\Local\Temp\c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe
"C:\Users\Admin\AppData\Local\Temp\c28ec21beda0688372e11e53a55f494fd0278929322019739c0084638716a3ba.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Gelpjen=Get-Content 'C:\Users\Admin\AppData\Local\Temp\fingerstningerne\flagellulae\Usmmeligheds.Tro';$Anigonus=$Gelpjen.SubString(51086,3);.$Anigonus($Gelpjen)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
    3⤵
    PID:3480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 2640
    3⤵
    - Program crash
    PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 2904 -ip 2904
1⤵
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ifewg0ur.z3y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fingerstningerne\flagellulae\Usmmeligheds.Tro

Filesize
49KB

MD5
effee95945c050b65310d4e05a17d897

SHA1
663db609ae44ccf619242830ca0b6fd20ec481f8

SHA256
6439dc73d1ce981c431de40f0a01210c6c14e202bf02c5b2047db7bcf2cca9a6

SHA512
bcadab2333af674c6cefdcd3ae0b87016a77fb7908c5b80326ec372642c46f67548623263a889a645945c1bb1e8f0035b199abe461709ab84128e2af7c3a6db2

Download Submit
C:\Windows\SysWOW64\bores.lnk

Filesize
1KB

MD5
cb2819ceb47f59dce96ed438d1b63ff8

SHA1
15882c50a86484d1c218e1b686e9f942782083d8

SHA256
cd80cd102aa6a8bf79497f6b57eabbf2d43cd1fdf49559a807a94db22dc47850

SHA512
7651632764cc86f16862163a48f6b09f14b0da094b1fbfb796ffc46ea1cc37420483e9f88b6fde4b490742ba5b5b4822e07c9bea13d0233e83ce58d427b0188a

Download Submit
C:\Windows\yer.ini

Filesize
38B

MD5
e58f8a2dcf15a626bc785906a24d269a

SHA1
451f8692070432dbd0232c61631cb49874323fd7

SHA256
39b313e3f6e503de2657691e96235891834d12dab42957e62aea1c588c35bc83

SHA512
7c33aec2758c72eb727f156ca5946626409a1b2ad22a980801436acacac1bf05eac231a2a0cc2858d369a54cbfa3cafdbd449ce696bf6c8fcecfb53699a75bd3

Download Submit
memory/2904-94-0x00000000057B0000-0x0000000005B04000-memory.dmp

Filesize
3.3MB

Download
memory/2904-106-0x0000000005E00000-0x0000000005E4C000-memory.dmp

Filesize
304KB

Download
memory/2904-73-0x0000000004DF0000-0x0000000004E12000-memory.dmp

Filesize
136KB

Download
memory/2904-76-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/2904-77-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/2904-68-0x00000000050A0000-0x00000000056C8000-memory.dmp

Filesize
6.2MB

Download
memory/2904-67-0x00000000734E0000-0x0000000073C90000-memory.dmp

Filesize
7.7MB

Download
memory/2904-66-0x0000000002800000-0x0000000002836000-memory.dmp

Filesize
216KB

Download
memory/2904-97-0x0000000005DB0000-0x0000000005DCE000-memory.dmp

Filesize
120KB

Download
memory/2904-72-0x00000000734E0000-0x0000000073C90000-memory.dmp

Filesize
7.7MB

Download
memory/2904-112-0x00000000062E0000-0x00000000062FA000-memory.dmp

Filesize
104KB

Download
memory/2904-111-0x0000000006320000-0x00000000063B6000-memory.dmp

Filesize
600KB

Download
memory/2904-113-0x0000000006DC0000-0x0000000006DE2000-memory.dmp

Filesize
136KB

Download
memory/2904-114-0x00000000073A0000-0x0000000007944000-memory.dmp

Filesize
5.6MB

Download
memory/2904-65-0x00000000734EE000-0x00000000734EF000-memory.dmp

Filesize
4KB

Download
memory/2904-116-0x0000000007FD0000-0x000000000864A000-memory.dmp

Filesize
6.5MB

Download
memory/2904-117-0x00000000734E0000-0x0000000073C90000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing