21ff26bcc1f11e4cdff0a08eb6ca2b617f27e84476bcadfcdf946fcb9baaaa34

General

Target

21ff26bcc1f11e4cdff0a08eb6ca2b617f27e84476bcadfcdf946fcb9baaaa34.exe
Size

839KB
MD5

8332816fb3dba886718acb8f6a9f2861
SHA1

dc8dcc1bfbcde022c91b30841c6691e4a4e4cb1c
SHA256

21ff26bcc1f11e4cdff0a08eb6ca2b617f27e84476bcadfcdf946fcb9baaaa34
SHA512

f6a78c95c2ac475d7d27bdd6220313344c8b910ed456b5e0a39610b69fd8360b63bcaf69a99bc5185b06cf7d9c6133b6f9736f25a16ea35e5e4626c411fcbce7
SSDEEP

12288:8t7ExDo//OtX1lxawkeVCGmQzVuoLZJat+8kWEP59h7geXULKC24/2ZJkasF1rbE:4YDoeMwkejuoLD4+8ej1k/2rkaMrzrQ

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1364 powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

21ff26bcc1f11e4cdff0a08eb6ca2b617f27e84476bcadfcdf946fcb9baaaa34.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Anraabelsens\Hyposternal.udk	21ff26bcc1f11e4cdff0a08eb6ca2b617f27e84476bcadfcdf946fcb9baaaa34.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1364 powershell.exe
2812 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1364 set thread context of 2812 1364 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 1364 set thread context of 2812	1364	powershell.exe	wab.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

21ff26bcc1f11e4cdff0a08eb6ca2b617f27e84476bcadfcdf946fcb9baaaa34.exepowershell.exewab.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21ff26bcc1f11e4cdff0a08eb6ca2b617f27e84476bcadfcdf946fcb9baaaa34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe

pid	process
1364	powershell.exe
1364	powershell.exe
1364	powershell.exe
1364	powershell.exe
1364	powershell.exe
1364	powershell.exe
1364	powershell.exe
1364	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1364 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1364 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1364	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

21ff26bcc1f11e4cdff0a08eb6ca2b617f27e84476bcadfcdf946fcb9baaaa34.exepowershell.exe

description	pid	process	target process
PID 2328 wrote to memory of 1364	2328	21ff26bcc1f11e4cdff0a08eb6ca2b617f27e84476bcadfcdf946fcb9baaaa34.exe	powershell.exe
PID 2328 wrote to memory of 1364	2328	21ff26bcc1f11e4cdff0a08eb6ca2b617f27e84476bcadfcdf946fcb9baaaa34.exe	powershell.exe
PID 2328 wrote to memory of 1364	2328	21ff26bcc1f11e4cdff0a08eb6ca2b617f27e84476bcadfcdf946fcb9baaaa34.exe	powershell.exe
PID 2328 wrote to memory of 1364	2328	21ff26bcc1f11e4cdff0a08eb6ca2b617f27e84476bcadfcdf946fcb9baaaa34.exe	powershell.exe
PID 1364 wrote to memory of 2812	1364	powershell.exe	wab.exe
PID 1364 wrote to memory of 2812	1364	powershell.exe	wab.exe
PID 1364 wrote to memory of 2812	1364	powershell.exe	wab.exe
PID 1364 wrote to memory of 2812	1364	powershell.exe	wab.exe
PID 1364 wrote to memory of 2812	1364	powershell.exe	wab.exe
PID 1364 wrote to memory of 2812	1364	powershell.exe	wab.exe

C:\Users\Admin\AppData\Local\Temp\21ff26bcc1f11e4cdff0a08eb6ca2b617f27e84476bcadfcdf946fcb9baaaa34.exe
"C:\Users\Admin\AppData\Local\Temp\21ff26bcc1f11e4cdff0a08eb6ca2b617f27e84476bcadfcdf946fcb9baaaa34.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Macchie=Get-Content 'C:\Users\Admin\AppData\Local\Temp\forgrovelse\konstituerendes\Interesseres.Rec';$Dynelfterens=$Macchie.SubString(71290,3);.$Dynelfterens($Macchie) "
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\forgrovelse\konstituerendes\Ingvors.Uns

Filesize
314KB

MD5
c526175cef18c8800f06ff7031a94ccd

SHA1
499d702c3c0f56fb8808d96624a53b7b36b5779c

SHA256
1060a17935cf0b6ab4eeb74ba452f605a28ade6635278588bf7177bf067b312f

SHA512
407647f8e2c7322e4c5d5d19126769b016719d79572b5c39b68512e904145291d165d1cc2df9e7674391bca2d1532cdf3c77c6312cdf0b90d4c8be8db4cfb127

Download Submit
C:\Users\Admin\AppData\Local\Temp\forgrovelse\konstituerendes\Interesseres.Rec

Filesize
69KB

MD5
f835ee34694aaec3878581cc1da73b8d

SHA1
36eae8244653d43c8d0d882d2f99a7515b16a2b3

SHA256
53e2807103dc35bf4e4a40b1bd0c718a4a4cee9fd0dab290c6f979ad407cf7ad

SHA512
23a260bdd71856a754334fa25d3233b0df27e26e562a052bebfa6e67842f57acac863e1c7858c4a6441fe7c68b949a29ae96fc3e95df4951dd8e1414f619d96e

Download Submit
memory/1364-7-0x0000000074501000-0x0000000074502000-memory.dmp

Filesize
4KB

Download
memory/1364-9-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1364-10-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1364-8-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1364-13-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1364-15-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1364-16-0x00000000067D0000-0x00000000097F4000-memory.dmp

Filesize
48.1MB

Download
memory/1364-17-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/2812-18-0x0000000000B90000-0x0000000001BF2000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads