81645015b100a9f7759fa73ef49879ff9be5795c3b073516c3e1a040af057c7f

General

Target

HSBC_PAYMENT.exe
Size

838KB
MD5

012a8c2d8d89f5a899644738b1dbeddf
SHA1

0b2c6fdc0a100726884d239429fef4bba6208071
SHA256

81645015b100a9f7759fa73ef49879ff9be5795c3b073516c3e1a040af057c7f
SHA512

cd8968f5a4bcce5882d55f95361c3ea6889be04794ba93405bfc64c1881e607073ce20861b2bdafc3a10639ce87073a701148d6be040648ea98686aa2d078df5
SSDEEP

24576:nYDoeMwkejuoLD9B9qwZXfOOu4WK7wZ36BDB:YdMErLRjqwZXmOH/7wZqBd

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2920	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Anraabelsens\Hyposternal.udk	HSBC_PAYMENT.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2920	powershell.exe
3016	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2920 set thread context of 3016	2920	powershell.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSBC_PAYMENT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2920	powershell.exe
2920	powershell.exe
2920	powershell.exe
2920	powershell.exe
2920	powershell.exe
2920	powershell.exe
2920	powershell.exe
2920	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2920	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2920	2784	HSBC_PAYMENT.exe	31
PID 2784 wrote to memory of 2920	2784	HSBC_PAYMENT.exe	31
PID 2784 wrote to memory of 2920	2784	HSBC_PAYMENT.exe	31
PID 2784 wrote to memory of 2920	2784	HSBC_PAYMENT.exe	31
PID 2920 wrote to memory of 3016	2920	powershell.exe	34
PID 2920 wrote to memory of 3016	2920	powershell.exe	34
PID 2920 wrote to memory of 3016	2920	powershell.exe	34
PID 2920 wrote to memory of 3016	2920	powershell.exe	34
PID 2920 wrote to memory of 3016	2920	powershell.exe	34
PID 2920 wrote to memory of 3016	2920	powershell.exe	34

C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC_PAYMENT.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Strkeste=Get-Content 'C:\Users\Admin\AppData\Local\Temp\forgrovelse\konstituerendes\Starktlugtendes.Squ';$Inceptions=$Strkeste.SubString(71025,3);.$Inceptions($Strkeste) "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\forgrovelse\konstituerendes\Slamsugningernes190.Cra

Filesize
312KB

MD5
97b800ad73c8e49b2a66562d539b9032

SHA1
d51c32ef4749bd48b57bbee190a0df6c86041099

SHA256
467afaf1334cf744fb385926fad5e8e9c28bf83e7f12c7a62236aacce30b4aac

SHA512
3f4bb8811e996fb5ba0cc0735dd86d25103e77002a52847319006cc2b8f9c4c3a0cd18d43b7f928094433ec073bfa68e66d1e4b83e26161ee501f9cd42fe2ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\forgrovelse\konstituerendes\Starktlugtendes.Squ

Filesize
69KB

MD5
02a66897fdd3fb23fd89bcac42eb95ee

SHA1
149ac980d9f5b2fe93a111fad7df17f07e68221f

SHA256
4a2c5f33114580ac2b4923c96f0ec7505556604f8a8ff144450268beb15ffe99

SHA512
f80b924d0619aa7fba7f3a5a5d0242e0dc545c31bbc3aa632babbe16c51131a2c40fdb393d1d450c157d00cf018934c37905ccdb90b7bd9c783a3b2d5f90d679

Download Submit
memory/2920-7-0x0000000073D91000-0x0000000073D92000-memory.dmp

Filesize
4KB

Download
memory/2920-8-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/2920-9-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/2920-10-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/2920-11-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/2920-14-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/2920-16-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/2920-17-0x0000000006560000-0x00000000092AA000-memory.dmp

Filesize
45.3MB

Download
memory/2920-18-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/3016-19-0x00000000006B0000-0x0000000001712000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing