33378a24fc1ab1d40b1e097511aeaaac6535dbe6089aa30f3347b0bf704353d0

Analysis

max time kernel
99s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Schlafenleger.exe
Size

15.3MB
MD5

d160e4e898b26206832913416a0505d5
SHA1

eee186ecb7cf189ee93f7dfa8122b24652e8c1c5
SHA256

33378a24fc1ab1d40b1e097511aeaaac6535dbe6089aa30f3347b0bf704353d0
SHA512

cb118cc036090e1a053db679e160e25f0c66615831e237b0fb3694e6153b493c0d9d652c7b855da3326416c66fa64d56d08240c342ba6d65774972a392c733f1
SSDEEP

393216:5zdL1ptQ+EsJCiHVI86Z1pgB2zcKbynHdzvCn0aI3v:hDQyDevpg0cKqz6K3v

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1320	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
1788	disable.exe
3392	schlafenleger.EXE
4292	FprSpread.exe
3160	schlafi.exe
4896	OffsetToStringData.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	schlafenleger.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Schlafenleger.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2248	Schlafenleger.exe
2248	Schlafenleger.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4896 set thread context of 3260	4896	OffsetToStringData.exe	116

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2248	Schlafenleger.exe
2248	Schlafenleger.exe
1788	disable.exe
1788	disable.exe
1320	powershell.exe
1320	powershell.exe
1320	powershell.exe
3260	AddInUtil.exe
3260	AddInUtil.exe
3260	AddInUtil.exe
3260	AddInUtil.exe
3260	AddInUtil.exe
3260	AddInUtil.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	disable.exe
Token: SeImpersonatePrivilege	1788	disable.exe
Token: SeDebugPrivilege	4292	FprSpread.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	4896	OffsetToStringData.exe
Token: SeDebugPrivilege	3260	AddInUtil.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 1788	2248	Schlafenleger.exe	88
PID 2248 wrote to memory of 1788	2248	Schlafenleger.exe	88
PID 2248 wrote to memory of 3392	2248	Schlafenleger.exe	91
PID 2248 wrote to memory of 3392	2248	Schlafenleger.exe	91
PID 3392 wrote to memory of 4292	3392	schlafenleger.EXE	92
PID 3392 wrote to memory of 4292	3392	schlafenleger.EXE	92
PID 3392 wrote to memory of 3160	3392	schlafenleger.EXE	108
PID 3392 wrote to memory of 3160	3392	schlafenleger.EXE	108
PID 4896 wrote to memory of 3260	4896	OffsetToStringData.exe	116
PID 4896 wrote to memory of 3260	4896	OffsetToStringData.exe	116
PID 4896 wrote to memory of 3260	4896	OffsetToStringData.exe	116
PID 4896 wrote to memory of 3260	4896	OffsetToStringData.exe	116
PID 4896 wrote to memory of 3260	4896	OffsetToStringData.exe	116
PID 4896 wrote to memory of 3260	4896	OffsetToStringData.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Schlafenleger.exe
"C:\Users\Admin\AppData\Local\Temp\Schlafenleger.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\disable.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\disable.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\schlafenleger.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\schlafenleger.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FprSpread.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FprSpread.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4292
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\schlafi.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\schlafi.exe
    3⤵
    - Executes dropped EXE
    PID:3160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAUAByAG8AcABlAHIAdAB5AE4AYQBtAGUAXABPAGYAZgBzAGUAdABUAG8AUwB0AHIAaQBuAGcARABhAHQAYQAuAGUAeABlACwAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAIAAtAEYAbwByAGMAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAFAAcgBvAHAAZQByAHQAeQBOAGEAbQBlAFwATwBmAGYAcwBlAHQAVABvAFMAdAByAGkAbgBnAEQAYQB0AGEALgBlAHgAZQA=
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Users\Admin\AppData\Roaming\PropertyName\OffsetToStringData.exe
C:\Users\Admin\AppData\Roaming\PropertyName\OffsetToStringData.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\disable.exe

Filesize
294KB

MD5
10fc8b2915c43aa16b6a2e2b4529adc5

SHA1
0c15286457963eb86d61d83642870a3473ef38fe

SHA256
feb09cc39b1520d228e9e9274500b8c229016d6fc8018a2bf19aa9d3601492c5

SHA512
421631c06408c3be522953459228d2e1d45eeeafce29dba7746c8485a105b59c3a2c0d9e2ffc6d89126cd825ffd09ebe7eb82223a69d1f5caf441feb01e57897

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\schlafenleger.EXE

Filesize
1.2MB

MD5
dad1e64e71d7d8c72a80f7cb103ed80f

SHA1
88c86de0dd6b140e4c64e5934be2d27e2b927d7d

SHA256
e92260a9b984b4be47e9e437ed2acccc9100c738700bc0c3d9102be19fad77eb

SHA512
92a13d4be0cbf2e8df7853ebdad809aa5a5e2182879350e33cb9b48a7ca73f3d41dd943fc6f61c2b4b4adb3e2be112b961fe1caa68aeae479c65281754fdabbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FprSpread.exe

Filesize
714KB

MD5
921919d5097cff0a586da30c347e57a2

SHA1
ff3c1aeecf9e83c37d57875f0dd06505ae1d34b8

SHA256
acdeb9784ae992f1e9c783aac03a1cd2e4f6e4391a71a143613013be5cfb933d

SHA512
79987afc5885b29a8cdcbd5e999ea060217c42c33e2c3c2bb6e359b11d87e086e995a789756b609bedb3bbe42952a681c840f9d75adb1f8eb0f1a1678800416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\schlafi.exe

Filesize
653KB

MD5
5e0c940359a27d85994e6f3c49cbc8ed

SHA1
95bcc6f3c412335358b7d2aa2e314d3e448c612f

SHA256
69c121e3bb98144c3249b920a010e4cc1d642991e41928bb1bed0a36d055f803

SHA512
a0e5e0b232689e5578f4bc4e7de6af0811b6d6c9cb5cb55c486f7b567700ae471c43fdf313ade6272a0280d75e920f08dc7eafa95fd41620eb8506ad669d0685

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hd1c2ggn.1o2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1320-4028-0x000002BF65380000-0x000002BF653A2000-memory.dmp

Filesize
136KB

Download
memory/2248-5-0x00007FFA0D790000-0x00007FFA0D792000-memory.dmp

Filesize
8KB

Download
memory/2248-12-0x00007FF7931A0000-0x00007FF794AC5000-memory.dmp

Filesize
25.1MB

Download
memory/2248-7-0x00007FF7931A0000-0x00007FF794AC5000-memory.dmp

Filesize
25.1MB

Download
memory/2248-8-0x00007FFA0B850000-0x00007FFA0B852000-memory.dmp

Filesize
8KB

Download
memory/2248-1-0x00007FFA0D9D0000-0x00007FFA0D9D2000-memory.dmp

Filesize
8KB

Download
memory/2248-6-0x00007FFA0D7A0000-0x00007FFA0D7A2000-memory.dmp

Filesize
8KB

Download
memory/2248-9-0x00007FFA0B860000-0x00007FFA0B862000-memory.dmp

Filesize
8KB

Download
memory/2248-4-0x00007FFA0DA00000-0x00007FFA0DA02000-memory.dmp

Filesize
8KB

Download
memory/2248-3793-0x00007FF7931AF000-0x00007FF793B79000-memory.dmp

Filesize
9.8MB

Download
memory/2248-4024-0x00007FF7931A0000-0x00007FF794AC5000-memory.dmp

Filesize
25.1MB

Download
memory/2248-4049-0x00007FF7931A0000-0x00007FF794AC5000-memory.dmp

Filesize
25.1MB

Download
memory/2248-4048-0x00007FF7931AF000-0x00007FF793B79000-memory.dmp

Filesize
9.8MB

Download
memory/2248-2-0x00007FFA0D9E0000-0x00007FFA0D9E2000-memory.dmp

Filesize
8KB

Download
memory/2248-3-0x00007FFA0D9F0000-0x00007FFA0D9F2000-memory.dmp

Filesize
8KB

Download
memory/2248-0-0x00007FF7931AF000-0x00007FF793B79000-memory.dmp

Filesize
9.8MB

Download
memory/4292-70-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-42-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-76-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-74-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-73-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-80-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-68-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-66-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-62-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-60-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-58-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-56-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-54-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-52-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-50-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-46-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-44-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-78-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-40-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-38-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-36-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-32-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-48-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-34-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-31-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-4025-0x000001353D150000-0x000001353D1A6000-memory.dmp

Filesize
344KB

Download
memory/4292-4026-0x000001353E9E0000-0x000001353EA2C000-memory.dmp

Filesize
304KB

Download
memory/4292-4027-0x000001353EB80000-0x000001353EBD4000-memory.dmp

Filesize
336KB

Download
memory/4292-82-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-84-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-64-0x0000013557320000-0x0000013557425000-memory.dmp

Filesize
1.0MB

Download
memory/4292-30-0x0000013557320000-0x000001355742A000-memory.dmp

Filesize
1.0MB

Download
memory/4292-29-0x000001353CCF0000-0x000001353CDA6000-memory.dmp

Filesize
728KB

Download