938b42f084ea40da98cbb0d6cab7f424f1c7e9d6580f67634995a01facb4d98b

General

Target

938b42f084ea40da98cbb0d6cab7f424f1c7e9d6580f67634995a01facb4d98b.exe
Size

862KB
MD5

4f7f20d7e243b1dd4f3ce28e7367f76f
SHA1

426479e19a29e17607f0c159021fd965dbb42302
SHA256

938b42f084ea40da98cbb0d6cab7f424f1c7e9d6580f67634995a01facb4d98b
SHA512

a0a0f7e180f126a4b316208bc77bdb8dc978874c31616103d3f45e7d863a3b915d1ce1d6cdb1fb222bdf2ed5dab112ef44c393e402c3a1943f2bdb7d2a1322c2
SSDEEP

12288:Vt7ExDo//OtX1lxawkeVCGmQzVuoLZJNlM+gcPOtH3DwX0ZvDJ3HD6RJhZaiWKxj:XYDoeMwkejuoLD3RPOB33yvNWKxxd66b

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2556 powershell.exe
Loads dropped DLL 2 IoCs

Processes:

powershell.exestrmmer.exe

pid process

2556 powershell.exe
720 strmmer.exe

Drops file in System32 directory 1 IoCs

Processes:

938b42f084ea40da98cbb0d6cab7f424f1c7e9d6580f67634995a01facb4d98b.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Anraabelsens\Hyposternal.udk	938b42f084ea40da98cbb0d6cab7f424f1c7e9d6580f67634995a01facb4d98b.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exestrmmer.exe

pid process

2556 powershell.exe
720 strmmer.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2556 set thread context of 720 2556 powershell.exe strmmer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2556 set thread context of 720	2556	powershell.exe	strmmer.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

938b42f084ea40da98cbb0d6cab7f424f1c7e9d6580f67634995a01facb4d98b.exepowershell.exestrmmer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	938b42f084ea40da98cbb0d6cab7f424f1c7e9d6580f67634995a01facb4d98b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	strmmer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe

pid	process
2556	powershell.exe
2556	powershell.exe
2556	powershell.exe
2556	powershell.exe
2556	powershell.exe
2556	powershell.exe
2556	powershell.exe
2556	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2556 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2556 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2556	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

938b42f084ea40da98cbb0d6cab7f424f1c7e9d6580f67634995a01facb4d98b.exepowershell.exe

description	pid	process	target process
PID 2740 wrote to memory of 2556	2740	938b42f084ea40da98cbb0d6cab7f424f1c7e9d6580f67634995a01facb4d98b.exe	powershell.exe
PID 2740 wrote to memory of 2556	2740	938b42f084ea40da98cbb0d6cab7f424f1c7e9d6580f67634995a01facb4d98b.exe	powershell.exe
PID 2740 wrote to memory of 2556	2740	938b42f084ea40da98cbb0d6cab7f424f1c7e9d6580f67634995a01facb4d98b.exe	powershell.exe
PID 2740 wrote to memory of 2556	2740	938b42f084ea40da98cbb0d6cab7f424f1c7e9d6580f67634995a01facb4d98b.exe	powershell.exe
PID 2556 wrote to memory of 720	2556	powershell.exe	strmmer.exe
PID 2556 wrote to memory of 720	2556	powershell.exe	strmmer.exe
PID 2556 wrote to memory of 720	2556	powershell.exe	strmmer.exe
PID 2556 wrote to memory of 720	2556	powershell.exe	strmmer.exe
PID 2556 wrote to memory of 720	2556	powershell.exe	strmmer.exe
PID 2556 wrote to memory of 720	2556	powershell.exe	strmmer.exe

C:\Users\Admin\AppData\Local\Temp\938b42f084ea40da98cbb0d6cab7f424f1c7e9d6580f67634995a01facb4d98b.exe
"C:\Users\Admin\AppData\Local\Temp\938b42f084ea40da98cbb0d6cab7f424f1c7e9d6580f67634995a01facb4d98b.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Vartabed=Get-Content 'C:\Users\Admin\AppData\Local\Temp\forgrovelse\konstituerendes\Dullity.Fol';$Stratify=$Vartabed.SubString(70428,3);.$Stratify($Vartabed) "
2⤵
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556

C:\Users\Admin\AppData\Local\Temp\strmmer.exe
"C:\Users\Admin\AppData\Local\Temp\strmmer.exe"
3⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\forgrovelse\konstituerendes\Dullity.Fol

Filesize
68KB

MD5
c74b686e5d5f7d6a7a1aa23a9002d6d9

SHA1
adc10d9729c0cfb51b1614acc45f9882e9a087fe

SHA256
d39197c9c7f51d621d8c57e380a4bcb5c8ba56383944551f52e2f13c7ee80f6b

SHA512
e82038151aa0bee85e674d2d8bf101bc0d7d56f7aac53536d96c96a59363d0b862941a0e009985847ca5e9652de7df0970a24499b75b5a0480aaf8c73f15ef6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\forgrovelse\konstituerendes\Persongruppe.Nyh

Filesize
361KB

MD5
fddf48fa20791312c1d1edd67d72aaee

SHA1
76eaacddf99db66c697ff74cfebca24c119df73e

SHA256
4c2ec6eb7971b635f031bc10fc6b16860de5e78408690cd699918b875d522875

SHA512
45d70acf2c2657a5ed006ba0aa69287abaa29b1696715f5562fd0adeb31682546992657954db14a66e9dbf2e82e0e2eac4b3791ccd6b6a6dd3cdc4d3a6c88a35

Download Submit
\Users\Admin\AppData\Local\Temp\strmmer.exe

Filesize
862KB

MD5
4f7f20d7e243b1dd4f3ce28e7367f76f

SHA1
426479e19a29e17607f0c159021fd965dbb42302

SHA256
938b42f084ea40da98cbb0d6cab7f424f1c7e9d6580f67634995a01facb4d98b

SHA512
a0a0f7e180f126a4b316208bc77bdb8dc978874c31616103d3f45e7d863a3b915d1ce1d6cdb1fb222bdf2ed5dab112ef44c393e402c3a1943f2bdb7d2a1322c2

Download Submit
memory/720-24-0x00000000004A0000-0x0000000001502000-memory.dmp

Filesize
16.4MB

Download
memory/2556-14-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/2556-11-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/2556-7-0x0000000074191000-0x0000000074192000-memory.dmp

Filesize
4KB

Download
memory/2556-9-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/2556-16-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/2556-17-0x0000000006710000-0x000000000C39E000-memory.dmp

Filesize
92.6MB

Download
memory/2556-18-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/2556-10-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download
memory/2556-8-0x0000000074190000-0x000000007473B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads