26c4b29aecab745ea5c53cbc27c913397839601eeeea8a5bce6f667ebc029f24

General

Target

26c4b29aecab745ea5c53cbc27c913397839601eeeea8a5bce6f667ebc029f24.exe
Size

962KB
MD5

801b729c693ea54cbaffa5ad03f84346
SHA1

6f2fbb7a0d66b84dea8f86d45536897d2aa3f0ef
SHA256

26c4b29aecab745ea5c53cbc27c913397839601eeeea8a5bce6f667ebc029f24
SHA512

b8adbda9614d5bf6899002edae7a5698a71e735bac33dcf6c953dacb1b3f66db79728d634c8391f9499fdc8a79763ad368798d8877004db73005f75ee9d7d398
SSDEEP

24576:Y41WsaGlhU1lP8VXrkHVblX76J9JjVesoF9Op:YGbaGYbU5Q1Be9JxNoY

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2172	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
2172	powershell.exe
2788	Transcribbler.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Polypides% -windowstyle minimized $Betragnings=(Get-ItemProperty -Path 'HKCU:\\Uigengldtes\\').Dysteleologically;%Polypides% ($Betragnings)"	reg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2172	powershell.exe
2788	Transcribbler.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2172 set thread context of 2788	2172	powershell.exe	33

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\rigelige\motorcyclists.tot	26c4b29aecab745ea5c53cbc27c913397839601eeeea8a5bce6f667ebc029f24.exe
File opened for modification	C:\Program Files (x86)\aflagte.pld	26c4b29aecab745ea5c53cbc27c913397839601eeeea8a5bce6f667ebc029f24.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Transcribbler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26c4b29aecab745ea5c53cbc27c913397839601eeeea8a5bce6f667ebc029f24.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2796	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2172	powershell.exe
2172	powershell.exe
2172	powershell.exe
2172	powershell.exe
2172	powershell.exe
2172	powershell.exe
2172	powershell.exe
2172	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2172	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2172	1984	26c4b29aecab745ea5c53cbc27c913397839601eeeea8a5bce6f667ebc029f24.exe	30
PID 1984 wrote to memory of 2172	1984	26c4b29aecab745ea5c53cbc27c913397839601eeeea8a5bce6f667ebc029f24.exe	30
PID 1984 wrote to memory of 2172	1984	26c4b29aecab745ea5c53cbc27c913397839601eeeea8a5bce6f667ebc029f24.exe	30
PID 1984 wrote to memory of 2172	1984	26c4b29aecab745ea5c53cbc27c913397839601eeeea8a5bce6f667ebc029f24.exe	30
PID 2172 wrote to memory of 2788	2172	powershell.exe	33
PID 2172 wrote to memory of 2788	2172	powershell.exe	33
PID 2172 wrote to memory of 2788	2172	powershell.exe	33
PID 2172 wrote to memory of 2788	2172	powershell.exe	33
PID 2172 wrote to memory of 2788	2172	powershell.exe	33
PID 2172 wrote to memory of 2788	2172	powershell.exe	33
PID 2788 wrote to memory of 2692	2788	Transcribbler.exe	34
PID 2788 wrote to memory of 2692	2788	Transcribbler.exe	34
PID 2788 wrote to memory of 2692	2788	Transcribbler.exe	34
PID 2788 wrote to memory of 2692	2788	Transcribbler.exe	34
PID 2692 wrote to memory of 2796	2692	cmd.exe	36
PID 2692 wrote to memory of 2796	2692	cmd.exe	36
PID 2692 wrote to memory of 2796	2692	cmd.exe	36
PID 2692 wrote to memory of 2796	2692	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\26c4b29aecab745ea5c53cbc27c913397839601eeeea8a5bce6f667ebc029f24.exe
"C:\Users\Admin\AppData\Local\Temp\26c4b29aecab745ea5c53cbc27c913397839601eeeea8a5bce6f667ebc029f24.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Moraliseredes=Get-Content 'C:\Users\Admin\AppData\Roaming\sorteringsformens\tintallerknen\enervate\Noninfusibness\Gwendolen.Idi';$Prepaste=$Moraliseredes.SubString(54339,3);.$Prepaste($Moraliseredes)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\Transcribbler.exe
    "C:\Users\Admin\AppData\Local\Temp\Transcribbler.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Polypides% -windowstyle minimized $Betragnings=(Get-ItemProperty -Path 'HKCU:\Uigengldtes\').Dysteleologically;%Polypides% ($Betragnings)"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Polypides% -windowstyle minimized $Betragnings=(Get-ItemProperty -Path 'HKCU:\Uigengldtes\').Dysteleologically;%Polypides% ($Betragnings)"
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\sorteringsformens\tintallerknen\enervate\Noninfusibness\Gwendolen.Idi

Filesize
53KB

MD5
9d1a07ed8c7eeecf4a769ba6fef27313

SHA1
3311c7a9221a4c082ef2434ec9af4fbac09afad9

SHA256
5aa0cef2a2931f9370db9296fec2953f782cf03eac1486472be726d94bcf9a58

SHA512
63d91ea5993fbcce8c25c0c4a79c600e773bae8e6f3926da8407bfc65969eea7379669d9e897554547d38d3403d8c7034a490905b87d45c1600c5180db8fc500

Download Submit
C:\Users\Admin\AppData\Roaming\sorteringsformens\tintallerknen\enervate\Noninfusibness\Unangelic.Mor

Filesize
292KB

MD5
bb8106571944b466aa93006059df40f3

SHA1
1e3e70439a289a82f7b670811addc02fe126db2f

SHA256
3e497a63b7e844d78777819f925a58c00b56e4da22b21efe86f9e6a25c4918d8

SHA512
bedd53c6f058ead8d6bc7077efffa295ccfaa5b6e211aa58814ae69b32b80d1eefe0425b59845f36c8a386e636ad1ce1d4d78516464cb80c9d14a8103a001b0b

Download Submit
\Users\Admin\AppData\Local\Temp\Transcribbler.exe

Filesize
962KB

MD5
801b729c693ea54cbaffa5ad03f84346

SHA1
6f2fbb7a0d66b84dea8f86d45536897d2aa3f0ef

SHA256
26c4b29aecab745ea5c53cbc27c913397839601eeeea8a5bce6f667ebc029f24

SHA512
b8adbda9614d5bf6899002edae7a5698a71e735bac33dcf6c953dacb1b3f66db79728d634c8391f9499fdc8a79763ad368798d8877004db73005f75ee9d7d398

Download Submit
memory/2172-17-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2172-12-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2172-13-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2172-10-0x0000000074571000-0x0000000074572000-memory.dmp

Filesize
4KB

Download
memory/2172-14-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2172-19-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2172-20-0x0000000006480000-0x000000000793B000-memory.dmp

Filesize
20.7MB

Download
memory/2172-11-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2172-25-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2788-26-0x0000000000490000-0x00000000014F2000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads