33378a24fc1ab1d40b1e097511aeaaac6535dbe6089aa30f3347b0bf704353d0 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Schlafenleger.exe
Size

15.3MB
Sample

240825-277qlasepk
MD5

d160e4e898b26206832913416a0505d5
SHA1

eee186ecb7cf189ee93f7dfa8122b24652e8c1c5
SHA256

33378a24fc1ab1d40b1e097511aeaaac6535dbe6089aa30f3347b0bf704353d0
SHA512

cb118cc036090e1a053db679e160e25f0c66615831e237b0fb3694e6153b493c0d9d652c7b855da3326416c66fa64d56d08240c342ba6d65774972a392c733f1
SSDEEP

393216:5zdL1ptQ+EsJCiHVI86Z1pgB2zcKbynHdzvCn0aI3v:hDQyDevpg0cKqz6K3v

Score

8^/10

execution persistence

Malware Config

Targets

- Target
  
  Schlafenleger.exe
- Size
  
  15.3MB
- MD5
  
  d160e4e898b26206832913416a0505d5
- SHA1
  
  eee186ecb7cf189ee93f7dfa8122b24652e8c1c5
- SHA256
  
  33378a24fc1ab1d40b1e097511aeaaac6535dbe6089aa30f3347b0bf704353d0
- SHA512
  
  cb118cc036090e1a053db679e160e25f0c66615831e237b0fb3694e6153b493c0d9d652c7b855da3326416c66fa64d56d08240c342ba6d65774972a392c733f1
- SSDEEP
  
  393216:5zdL1ptQ+EsJCiHVI86Z1pgB2zcKbynHdzvCn0aI3v:hDQyDevpg0cKqz6K3v
Score

8^/10

execution persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

executionpersistence