Analysis

max time kernel: 133s
max time network: 125s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 09/07/2024, 09:49
Static task
static1

Behavioral task | Sample | Resource
behavioral1 | EGS-EP2409 备件申请单 (HATCH COVER).exe | win7-20240704-en
behavioral2 | EGS-EP2409 备件申请单 (HATCH COVER).exe | win10v2004-20240704-en
behavioral3 | Middle/messingens/Sortkjolernes67/Permanganic.ps1 | win7-20240705-en
behavioral4 | Middle/messingens/Sortkjolernes67/Permanganic.ps1 | win10v2004-20240704-en
General

Target: Middle/messingens/Sortkjolernes67/Permanganic.ps1
Size: 59KB
MD5: 11e1974573075a613a43f0b1678e8ac8
SHA1: 4ac842d91c14c5f2be7541223568336d7efab375
SHA256: 847c0aec5765d5fbe9c72aee962ed9939e079877eb557b77532e20ef0236c3a9
SHA512: 005bbec6429afc827d5ecd55dc85bbde2b8a65d3bd047ed046375ae6438a7cf87adc95420db7a4f7fde3d1e693c5797ef0ee1e7b7ac5500ab7649e8fb19fc6bc
SSDEEP: 1536:q85lZ8tkEDlXpUJaYx23/qLZfHJ1qR8S0o6iUH:9pokYpsa6Blx1vU8H
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | explorer.exe
pid | Process
588 | powershell.exe
Modifies registry class (5 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
588 | powershell.exe (8 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
604 | explorer.exe
Suspicious use of AdjustPrivilegeToken (13 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 588 | powershell.exe
Token: SeShutdownPrivilege | 604 | explorer.exe (12 entries)
Suspicious use of FindShellTrayWindow (29 IoCs)
pid | Process
604 | explorer.exe (29 entries)
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
604 | explorer.exe (18 entries)
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 588 wrote to memory of 2776 | 588 | powershell.exe | 32 (3 entries)
PID 588 wrote to memory of 2828 | 588 | powershell.exe | 34 (3 entries)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Middle\messingens\Sortkjolernes67\Permanganic.ps1
  PID: 588
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
      PID: 2776
    C:\Windows\system32\wermgr.exe
      Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "588" "1088"
      PID: 2828

C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 604
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: c5d0ea2e34a7e6da18e5154feea0f14d
SHA1: 5ba2d29905c1be87bfa2b02877c3b2186f78abe5
SHA256: 9ddff845f825ccce26db64caeae024fad135c8332e0d3b6034c0ab09fca06d67
SHA512: a63c42a19f4c28fd7e62d4fb0826ea12de634d1720dc78aca1cb788ae96aba04b118349ded3f39d65e3b4caa984dba5fe5ccfe177ad4bd20636236618a299c43