ec6d41cb09b83cde3855825ca3a2d16518a6826ad49f26a566bb40d4c48f3abe

General

Target

ec6d41cb09b83cde3855825ca3a2d16518a6826ad49f26a566bb40d4c48f3abe.exe
Size

860KB
MD5

1ae0d736c5d08b40f0fb650d3f843d12
SHA1

3ace2fdca564569720c3ba2bae89f25ffda936cb
SHA256

ec6d41cb09b83cde3855825ca3a2d16518a6826ad49f26a566bb40d4c48f3abe
SHA512

0b62c90f976b7cdf7d54aa460a5143bd367b82cb501ea51751f2255325a094a075771deeae949d500aa4b4f0ba7d961d20622a8b43848b4f7456e45cfc25adb1
SSDEEP

24576:VYDoeMwkejuoLDikeCYsfgmnUqRfDqyVy8:udMErLWClguRfmyVp

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2836	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Anraabelsens\Hyposternal.udk	ec6d41cb09b83cde3855825ca3a2d16518a6826ad49f26a566bb40d4c48f3abe.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2836	powershell.exe
2588	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2836 set thread context of 2588	2836	powershell.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec6d41cb09b83cde3855825ca3a2d16518a6826ad49f26a566bb40d4c48f3abe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2836	powershell.exe
2836	powershell.exe
2836	powershell.exe
2836	powershell.exe
2836	powershell.exe
2836	powershell.exe
2836	powershell.exe
2836	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2836	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2836	3024	ec6d41cb09b83cde3855825ca3a2d16518a6826ad49f26a566bb40d4c48f3abe.exe	30
PID 3024 wrote to memory of 2836	3024	ec6d41cb09b83cde3855825ca3a2d16518a6826ad49f26a566bb40d4c48f3abe.exe	30
PID 3024 wrote to memory of 2836	3024	ec6d41cb09b83cde3855825ca3a2d16518a6826ad49f26a566bb40d4c48f3abe.exe	30
PID 3024 wrote to memory of 2836	3024	ec6d41cb09b83cde3855825ca3a2d16518a6826ad49f26a566bb40d4c48f3abe.exe	30
PID 2836 wrote to memory of 2588	2836	powershell.exe	33
PID 2836 wrote to memory of 2588	2836	powershell.exe	33
PID 2836 wrote to memory of 2588	2836	powershell.exe	33
PID 2836 wrote to memory of 2588	2836	powershell.exe	33
PID 2836 wrote to memory of 2588	2836	powershell.exe	33
PID 2836 wrote to memory of 2588	2836	powershell.exe	33

C:\Users\Admin\AppData\Local\Temp\ec6d41cb09b83cde3855825ca3a2d16518a6826ad49f26a566bb40d4c48f3abe.exe
"C:\Users\Admin\AppData\Local\Temp\ec6d41cb09b83cde3855825ca3a2d16518a6826ad49f26a566bb40d4c48f3abe.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Autolytic=Get-Content 'C:\Users\Admin\AppData\Local\Temp\forgrovelse\konstituerendes\Realties.Fur';$Ideens=$Autolytic.SubString(67937,3);.$Ideens($Autolytic) "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\forgrovelse\konstituerendes\Forhandlerbetingelsen.Snv

Filesize
355KB

MD5
1329b0e51ba6511e0c5d37101e1dbeea

SHA1
6e3396a2e16604e579dbb41a1a9373b14f406e3b

SHA256
f518381436d57eeaf5d91ad96f5c1a1563cd4bece628055c89ea2667a81d25fa

SHA512
02b9774ac262b7653a1967f9389f1824b2f4f784160c289978259ef4101ec244fbdcc43a14a330289ea8429f413d76c62a93717d62dc7912f165878e6451019e

Download Submit
C:\Users\Admin\AppData\Local\Temp\forgrovelse\konstituerendes\Realties.Fur

Filesize
66KB

MD5
0946603b2d243a56cc2dc31321d238e3

SHA1
b5f9c80e6851cb91218deb1344062a09752e9ce9

SHA256
2d515849c3a0dd489b0393b0225d5fcf383d317a0d7ee6cf0006a9e8889292c1

SHA512
0a4ac583577b8466ac8f7eca2b61dd01625e52b2e4f27eb21e607cf0fc4b189787e0a210d401ee21be2a5890e39e2375dfd8605aabb1100bc5c70c8895b54fd0

Download Submit
memory/2588-19-0x0000000000C60000-0x0000000001CC2000-memory.dmp

Filesize
16.4MB

Download
memory/2836-7-0x0000000073901000-0x0000000073902000-memory.dmp

Filesize
4KB

Download
memory/2836-8-0x0000000073900000-0x0000000073EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-9-0x0000000073900000-0x0000000073EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-11-0x0000000073900000-0x0000000073EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-10-0x0000000073900000-0x0000000073EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-14-0x0000000073900000-0x0000000073EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-16-0x0000000073900000-0x0000000073EAB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-17-0x0000000006720000-0x000000000747B000-memory.dmp

Filesize
13.4MB

Download
memory/2836-18-0x0000000073900000-0x0000000073EAB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing