Resubmissions
09-07-2024 08:24
240709-kayyraxdja  10  09-07-2024 08:05
240709-jy18catfpk  8   09-07-2024 08:03
240709-jxzywstfln  10  09-07-2024 07:56
240709-js4raawenc  10  09-07-2024 07:46
240709-jl1faatarm  10  09-07-2024 07:38
240709-jgh1fawajg  8

Analysis
max time kernel: 597s
max time network: 493s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 09-07-2024 08:05
Static task: static1
Behavioral task: behavioral1
Sample: batterie daahindenes.exe
Resource: win7-20240705-en
General
Target: batterie daahindenes.exe
Size: 398KB
MD5: b1c35e78f5d588430c4f534479def9f2
SHA1: f787dd3327ca04361935f74867f76f16821db99f
SHA256: 4412e46cdfffa346ea1d4e07b30077ccaa09fe1cbbe6f9965df193f2e063f4b7
SHA512: 5f78e6794ae313f5ca96c33fe0ecf0c882a18a93caa54bf92823ac42c5c753b6a98d4c77618de2b62cbc9d24e6e500272e4ffa7b25afff20b7e8349fc278a66c
SSDEEP: 12288:9GkmNVhJhqnfP30YhNia+nv4tQD3W/P19QY:9GkmPh7qfPrsQeD3W/bd
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: explorer.exe, explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: reg.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ortyginae = "%Monopolizables% -windowstyle minimized $masturbated=(Get-ItemProperty -Path 'HKCU:\\Audiometeret\\').Rudolph;%Monopolizables% ($masturbated)" | reg.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
Processes: wab.exe
pid | process
2008 | wab.exe
2008 | wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: powershell.exe, wab.exe
pid | process
2432 | powershell.exe
2008 | wab.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: powershell.exe
description | pid | process | target process
PID 2432 set thread context of 2008 | 2432 | powershell.exe | wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 10 IoCs
Processes: explorer.exe, explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Modifies registry key 1 TTPs 1 IoCs
-
Runs regedit.exe 1 IoCs
Processes: regedit.exe
pid | process
2936 | regedit.exe
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes: powershell.exe, powershell.exe, powershell.exe, taskmgr.exe
pid | process
2432 | powershell.exe (8 entries)
1096 | powershell.exe (8 entries)
3032 | powershell.exe (8 entries)
2580 | taskmgr.exe (6 entries)
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes: regedit.exe, explorer.exe, taskmgr.exe
pid | process
2936 | regedit.exe
2848 | explorer.exe
2580 | taskmgr.exe
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: powershell.exe
pid | process
2432 | powershell.exe
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes: powershell.exe, powershell.exe, explorer.exe, AUDIODG.EXE, powershell.exe, explorer.exe, taskmgr.exe
description | pid | process
Token: SeDebugPrivilege | 2432 | powershell.exe
Token: SeDebugPrivilege | 1096 | powershell.exe
Token: SeShutdownPrivilege | 284 | explorer.exe (10 entries)
Token: 33 | 2268 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2268 | AUDIODG.EXE
Token: 33 | 2268 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2268 | AUDIODG.EXE
Token: SeShutdownPrivilege | 284 | explorer.exe (7 entries)
Token: SeDebugPrivilege | 3032 | powershell.exe
Token: SeShutdownPrivilege | 2848 | explorer.exe (16 entries)
Token: SeDebugPrivilege | 2580 | taskmgr.exe
Token: SeShutdownPrivilege | 2848 | explorer.exe (4 entries)
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: explorer.exe, explorer.exe, taskmgr.exe
pid | process
284 | explorer.exe (28 entries)
2848 | explorer.exe (28 entries)
2580 | taskmgr.exe (8 entries)
Suspicious use of SendNotifyMessage 64 IoCs
Processes: explorer.exe, explorer.exe
pid | process
284 | explorer.exe (46 entries)
2848 | explorer.exe (18 entries)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: explorer.exe
pid | process
284 | explorer.exe
284 | explorer.exe
Suspicious use of WriteProcessMemory 30 IoCs
Processes: batterie daahindenes.exe, powershell.exe, wab.exe, cmd.exe, powershell.exe, explorer.exe, powershell.exe, explorer.exe
description | pid | process | target process
PID 3032 wrote to memory of 2432 | 3032 | batterie daahindenes.exe | powershell.exe (4 entries)
PID 2432 wrote to memory of 2008 | 2432 | powershell.exe | wab.exe (6 entries)
PID 2008 wrote to memory of 2544 | 2008 | wab.exe | cmd.exe (4 entries)
PID 2544 wrote to memory of 2616 | 2544 | cmd.exe | reg.exe (4 entries)
PID 1096 wrote to memory of 1580 | 1096 | powershell.exe | wermgr.exe (3 entries)
PID 284 wrote to memory of 3032 | 284 | explorer.exe | powershell.exe (3 entries)
PID 3032 wrote to memory of 2600 | 3032 | powershell.exe | wermgr.exe (3 entries)
PID 2848 wrote to memory of 2580 | 2848 | explorer.exe | taskmgr.exe (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
batterie daahindenes.exe (PID 3032)
  Path: C:\Users\Admin\AppData\Local\Temp\batterie daahindenes.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\batterie daahindenes.exe"
  - Suspicious use of WriteProcessMemory
  powershell.exe (PID 2432)
    Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Vangede=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Reexpression.Tid';$Spondylotomy=$Vangede.SubString(70479,3);.$Spondylotomy($Vangede)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    wab.exe (PID 2008)
      Path: C:\Program Files (x86)\windows mail\wab.exe
      Command line: "C:\Program Files (x86)\windows mail\wab.exe"
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      cmd.exe (PID 2544)
        Path: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Ortyginae" /t REG_EXPAND_SZ /d "%Monopolizables% -windowstyle minimized $masturbated=(Get-ItemProperty -Path 'HKCU:\Audiometeret\').Rudolph;%Monopolizables% ($masturbated)"
        - Suspicious use of WriteProcessMemory
        reg.exe (PID 2616)
          Path: C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Ortyginae" /t REG_EXPAND_SZ /d "%Monopolizables% -windowstyle minimized $masturbated=(Get-ItemProperty -Path 'HKCU:\Audiometeret\').Rudolph;%Monopolizables% ($masturbated)"
          - Adds Run key to start application
          - Modifies registry key

cmd.exe (PID 2708)
  Path: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe"

regedit.exe (PID 2936)
  Path: C:\Windows\regedit.exe
  Command line: "C:\Windows\regedit.exe"
  - Runs regedit.exe
  - Suspicious behavior: GetForegroundWindowSpam

powershell.exe (PID 1096)
  Path: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  wermgr.exe (PID 1580)
    Path: C:\Windows\system32\wermgr.exe
    Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1096" "880"

explorer.exe (PID 284)
  Path: C:\Windows\explorer.exe
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  powershell.exe (PID 3032)
    Path: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    wermgr.exe (PID 2600)
      Path: C:\Windows\system32\wermgr.exe
      Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "3032" "880"

AUDIODG.EXE (PID 2268)
  Path: C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x598
  - Suspicious use of AdjustPrivilegeToken

explorer.exe (PID 2848)
  Path: C:\Windows\explorer.exe
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  taskmgr.exe (PID 2580)
    Path: C:\Windows\system32\taskmgr.exe
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads