21a7f19500a40c4302ccff91f9c4aa34b713cc07183cd83ca45852b6a00afd86 | Triage

Resubmissions

10/07/2024, 19:23

240710-x3w13sxhqh 8

10/07/2024, 19:21

240710-x2ytaaxhma 10

Analysis

max time kernel
117s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 19:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

21a7f19500a40c4302ccff91f9c4aa34b713cc07183cd83ca45852b6a00afd86.exe
Size

488KB
MD5

60b3d713550cd09b16181971027e0df5
SHA1

b5ffb312af1ebc5afd7c7b839fcbd1abaece6503
SHA256

21a7f19500a40c4302ccff91f9c4aa34b713cc07183cd83ca45852b6a00afd86
SHA512

125132cceeb9256b6b64fcaf263187c218ec483296a7ab6cc820cb9ab4e096d0f8c9e064167df67c8fdb91cc9622021374629b8c6795e5d76de3a0c4781c6cab
SSDEEP

12288:R0NwzUrQ2sgRZFh/rRAgYBNL3bHGwkuDvU3BbG:fzSQ25NBONLLQLRC

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

PowerShell

pid	Process
3060	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	Paragraphia233.exe

Loads dropped DLL 5 IoCs

pid	Process
4036	21a7f19500a40c4302ccff91f9c4aa34b713cc07183cd83ca45852b6a00afd86.exe
4036	21a7f19500a40c4302ccff91f9c4aa34b713cc07183cd83ca45852b6a00afd86.exe
4036	21a7f19500a40c4302ccff91f9c4aa34b713cc07183cd83ca45852b6a00afd86.exe
4036	21a7f19500a40c4302ccff91f9c4aa34b713cc07183cd83ca45852b6a00afd86.exe
3552	Paragraphia233.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Filmologs = "%heterogametism% -windowstyle minimized $Akkompagneredes=(Get-ItemProperty -Path 'HKCU:\\Plotinic\\').Vitaminerne;%heterogametism% ($Akkompagneredes)"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

flow	ioc
53	drive.google.com
18	drive.google.com
32	drive.google.com
51	drive.google.com
52	drive.google.com
39	drive.google.com
40	drive.google.com
41	drive.google.com
17	drive.google.com
21	drive.google.com
29	drive.google.com
31	drive.google.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3060	powershell.exe
3552	Paragraphia233.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3060 set thread context of 3552	3060	powershell.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

resource	yara_rule
behavioral3/files/0x000a00000001e5ff-61.dat	nsis_installer_1
behavioral3/files/0x000a00000001e5ff-61.dat	nsis_installer_2

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
3504	reg.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3060	powershell.exe
3060	powershell.exe
3060	powershell.exe
3060	powershell.exe
3060	powershell.exe
3060	powershell.exe
3060	powershell.exe
3060	powershell.exe
3060	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3060	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 3060	4036	21a7f19500a40c4302ccff91f9c4aa34b713cc07183cd83ca45852b6a00afd86.exe	86
PID 4036 wrote to memory of 3060	4036	21a7f19500a40c4302ccff91f9c4aa34b713cc07183cd83ca45852b6a00afd86.exe	86
PID 4036 wrote to memory of 3060	4036	21a7f19500a40c4302ccff91f9c4aa34b713cc07183cd83ca45852b6a00afd86.exe	86
PID 3060 wrote to memory of 3552	3060	powershell.exe	89
PID 3060 wrote to memory of 3552	3060	powershell.exe	89
PID 3060 wrote to memory of 3552	3060	powershell.exe	89
PID 3060 wrote to memory of 3552	3060	powershell.exe	89
PID 3060 wrote to memory of 3552	3060	powershell.exe	89
PID 3552 wrote to memory of 2936	3552	Paragraphia233.exe	90
PID 3552 wrote to memory of 2936	3552	Paragraphia233.exe	90
PID 3552 wrote to memory of 2936	3552	Paragraphia233.exe	90
PID 2936 wrote to memory of 3504	2936	cmd.exe	92
PID 2936 wrote to memory of 3504	2936	cmd.exe	92
PID 2936 wrote to memory of 3504	2936	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\21a7f19500a40c4302ccff91f9c4aa34b713cc07183cd83ca45852b6a00afd86.exe
"C:\Users\Admin\AppData\Local\Temp\21a7f19500a40c4302ccff91f9c4aa34b713cc07183cd83ca45852b6a00afd86.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Sludrebttes113=Get-Content 'C:\Users\Admin\AppData\Local\kilns\Unobtainably\Hormonbalance\Impoverishes.Skj';$Dissimileres198=$Sludrebttes113.SubString(59295,3);.$Dissimileres198($Sludrebttes113)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\Paragraphia233.exe
    "C:\Users\Admin\AppData\Local\Temp\Paragraphia233.exe"
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Filmologs" /t REG_EXPAND_SZ /d "%heterogametism% -windowstyle minimized $Akkompagneredes=(Get-ItemProperty -Path 'HKCU:\Plotinic\').Vitaminerne;%heterogametism% ($Akkompagneredes)"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Filmologs" /t REG_EXPAND_SZ /d "%heterogametism% -windowstyle minimized $Akkompagneredes=(Get-ItemProperty -Path 'HKCU:\Plotinic\').Vitaminerne;%heterogametism% ($Akkompagneredes)"
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Paragraphia233.exe

Filesize
488KB

MD5
60b3d713550cd09b16181971027e0df5

SHA1
b5ffb312af1ebc5afd7c7b839fcbd1abaece6503

SHA256
21a7f19500a40c4302ccff91f9c4aa34b713cc07183cd83ca45852b6a00afd86

SHA512
125132cceeb9256b6b64fcaf263187c218ec483296a7ab6cc820cb9ab4e096d0f8c9e064167df67c8fdb91cc9622021374629b8c6795e5d76de3a0c4781c6cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_im4p2eib.uzh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbBCE8.tmp\BgImage.dll

Filesize
7KB

MD5
521df745a41f0b8164ffd01717cacbba

SHA1
dc7a9eacfbeb1fae52091da5e80db6cb1b6bce74

SHA256
dbf91707fa157603bea025a6411cdcb497ab11262c9c18b14dc431a45aa17c0b

SHA512
c5b1ba062872a8f534e2f0eac57fc3c0d8be9cda79605d86566d67260ba5477444a0ddfed1838b4fb14c677e5342c8419a88fcd38147dbaa36ac1f9e00c52bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbBCE8.tmp\UserInfo.dll

Filesize
4KB

MD5
acbda33dd5700c122e2fe48e3d4351fd

SHA1
2c154baf7c64052ee712b7cdf9c36b7697dd3fc8

SHA256
943b33829f9013e4d361482a5c8981ba20a7155c78691dbe02a8f8cd2a02efa0

SHA512
d090adf65a74ac5b910b18bb67e989714335e7b4778cd771cff154d7186351a1bebbc7103cca849bdfa2709c991947ffff6c1d8fdf16a74f4dfb614bce3ff6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbBCE8.tmp\nsDialogs.dll

Filesize
9KB

MD5
1c8b2b40c642e8b5a5b3ff102796fb37

SHA1
3245f55afac50f775eb53fd6d14abb7fe523393d

SHA256
8780095aa2f49725388cddf00d79a74e85c9c4863b366f55c39c606a5fb8440c

SHA512
4ff2dc83f640933162ec8818bb1bf3b3be1183264750946a3d949d2e7068ee606277b6c840193ef2b4663952387f07f6ab12c84c4a11cae9a8de7bd4e7971c57

Download Submit
C:\Users\Admin\AppData\Local\kilns\Unobtainably\Hormonbalance\Deprivationens.Kok

Filesize
325KB

MD5
6bec9c5534eb1f475e02527356576362

SHA1
b1766b4b752233ea7d31eccd59e877ad0df46654

SHA256
261b0be710c8d1692957a8964538011f22dc90177c643bb97fb24f0c341a4d33

SHA512
6bf92642cd5431c997855ed9c9a6cc2acd057ec002297f44e6a3607596d58d9727a2079655a3ccbd1566e18010f30c1cc39751235a86cb485e0f4d589ac89a6c

Download Submit
C:\Users\Admin\AppData\Local\kilns\Unobtainably\Hormonbalance\Impoverishes.Skj

Filesize
71KB

MD5
3caa4ac857f4a0000da1b905a819ae72

SHA1
bc1bd3a4b5a1b37c1b213d05c9ed8c472a818949

SHA256
0d92f75f821620f9df25844a0b43c2be5763799f32a61c68f9baeeebe45560fc

SHA512
abe4ec64665c8bc701219fae130e25073a4c76a98dd36cb5dd29e1eefc5d7ceb40e3d0e37dc7d1b2d3d84c4e38437883c09a6523c0d3393730659b220aac8e83

Download Submit
memory/3060-47-0x0000000007330000-0x00000000078D4000-memory.dmp

Filesize
5.6MB

Download
memory/3060-51-0x0000000073990000-0x0000000074140000-memory.dmp

Filesize
7.7MB

Download
memory/3060-30-0x0000000004D30000-0x0000000004D96000-memory.dmp

Filesize
408KB

Download
memory/3060-31-0x0000000004DA0000-0x0000000004E06000-memory.dmp

Filesize
408KB

Download
memory/3060-28-0x0000000073990000-0x0000000074140000-memory.dmp

Filesize
7.7MB

Download
memory/3060-38-0x0000000005610000-0x0000000005964000-memory.dmp

Filesize
3.3MB

Download
memory/3060-42-0x0000000005CF0000-0x0000000005D0E000-memory.dmp

Filesize
120KB

Download
memory/3060-43-0x0000000005D10000-0x0000000005D5C000-memory.dmp

Filesize
304KB

Download
memory/3060-44-0x0000000006240000-0x00000000062D6000-memory.dmp

Filesize
600KB

Download
memory/3060-45-0x00000000061F0000-0x000000000620A000-memory.dmp

Filesize
104KB

Download
memory/3060-46-0x0000000006CB0000-0x0000000006CD2000-memory.dmp

Filesize
136KB

Download
memory/3060-26-0x0000000073990000-0x0000000074140000-memory.dmp

Filesize
7.7MB

Download
memory/3060-27-0x0000000004E20000-0x0000000005448000-memory.dmp

Filesize
6.2MB

Download
memory/3060-49-0x0000000007F60000-0x00000000085DA000-memory.dmp

Filesize
6.5MB

Download
memory/3060-52-0x0000000073990000-0x0000000074140000-memory.dmp

Filesize
7.7MB

Download
memory/3060-29-0x0000000004C90000-0x0000000004CB2000-memory.dmp

Filesize
136KB

Download
memory/3060-53-0x0000000073990000-0x0000000074140000-memory.dmp

Filesize
7.7MB

Download
memory/3060-25-0x00000000026A0000-0x00000000026D6000-memory.dmp

Filesize
216KB

Download
memory/3060-55-0x0000000073990000-0x0000000074140000-memory.dmp

Filesize
7.7MB

Download
memory/3060-57-0x0000000073990000-0x0000000074140000-memory.dmp

Filesize
7.7MB

Download
memory/3060-56-0x00000000085E0000-0x000000000B273000-memory.dmp

Filesize
44.6MB

Download
memory/3060-58-0x000000007399E000-0x000000007399F000-memory.dmp

Filesize
4KB

Download
memory/3060-60-0x0000000073990000-0x0000000074140000-memory.dmp

Filesize
7.7MB

Download
memory/3060-24-0x000000007399E000-0x000000007399F000-memory.dmp

Filesize
4KB

Download
memory/3060-63-0x0000000073990000-0x0000000074140000-memory.dmp

Filesize
7.7MB

Download
memory/3060-65-0x0000000073990000-0x0000000074140000-memory.dmp

Filesize
7.7MB

Download
memory/3060-72-0x0000000073990000-0x0000000074140000-memory.dmp

Filesize
7.7MB

Download
memory/3060-67-0x0000000073990000-0x0000000074140000-memory.dmp

Filesize
7.7MB

Download
memory/3552-64-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download