7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10

General

Target

7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10.exe
Size

530KB
MD5

7d411a34136e88e95d155a5cad1fdb5a
SHA1

9873390cb988aa07add91730944d717f4df32c68
SHA256

7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10
SHA512

3371b0fb4cd0332d3476f7083735552620179788091444c8f4cb17a03ee298b803d826ffa4b2383cbddf4b75a20570cc377210e427734e5c60b9c63ea686c8c6
SSDEEP

12288:W3dPSj0k1KImtsjw/oB/Y6kjjWgTg27K57ZszDXTVBC5/q:W3ddWjcofTg82Es3TzC5i

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3028	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3028	powershell.exe
2924	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3028 set thread context of 2924	3028	powershell.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2828	2924	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3028	powershell.exe
3028	powershell.exe
3028	powershell.exe
3028	powershell.exe
3028	powershell.exe
3028	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3028	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 3028	2508	7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10.exe	30
PID 2508 wrote to memory of 3028	2508	7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10.exe	30
PID 2508 wrote to memory of 3028	2508	7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10.exe	30
PID 2508 wrote to memory of 3028	2508	7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10.exe	30
PID 3028 wrote to memory of 2924	3028	powershell.exe	34
PID 3028 wrote to memory of 2924	3028	powershell.exe	34
PID 3028 wrote to memory of 2924	3028	powershell.exe	34
PID 3028 wrote to memory of 2924	3028	powershell.exe	34
PID 3028 wrote to memory of 2924	3028	powershell.exe	34
PID 3028 wrote to memory of 2924	3028	powershell.exe	34
PID 2924 wrote to memory of 2828	2924	wab.exe	35
PID 2924 wrote to memory of 2828	2924	wab.exe	35
PID 2924 wrote to memory of 2828	2924	wab.exe	35
PID 2924 wrote to memory of 2828	2924	wab.exe	35

C:\Users\Admin\AppData\Local\Temp\7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10.exe
"C:\Users\Admin\AppData\Local\Temp\7d658e7d4fdce9ab237617fd28b784e73110be0bf9cfdeeabab1e897b9ae2c10.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Beflyvningens=Get-Content 'C:\Users\Admin\AppData\Local\Detenterne\Clistothecium.Kub';$stvningsvarslers=$Beflyvningens.SubString(52071,3);.$stvningsvarslers($Beflyvningens)
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 124
      4⤵
      Program crash
      PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Detenterne\Clistothecium.Kub

Filesize
50KB

MD5
8a011580eb615d1188d53d7172459e29

SHA1
48e8d6b6c7c3aa9bb0fd9b1f4e063a169da7aa23

SHA256
fe0001d86026df15c1bd60689fe8b35bf9e0871a3aa3423d93643fb6ce02e133

SHA512
27085bddd4d1d9fcc0116b9ab1846628174c29d40191b9f884ff32f3a39cc8343f0e18796cfe842a06b56bae82191cbb096c3de13b142d21abb8cc5bf84f2aea

Download Submit
C:\Users\Admin\AppData\Local\Detenterne\Udsprngende.Fig

Filesize
338KB

MD5
0fa308be797fbe19198d485c4046a917

SHA1
5b8073846e431505cfcff5b43ac5e8e32aeaf7bb

SHA256
14e6ef457f06dc8ca9913a3dcf53eb761e6188ac6e2b37bd83804805e663a186

SHA512
378702b2f27bb1055028521598c0d74d841ff9ed00c058807edf8daae2d39e3481bd46966d8fd7f4b00befc17c9360a68eb152161f39ab0d612442f14801c4bd

Download Submit
memory/2924-17-0x0000000000350000-0x00000000013B2000-memory.dmp

Filesize
16.4MB

Download
memory/3028-8-0x0000000073C31000-0x0000000073C32000-memory.dmp

Filesize
4KB

Download
memory/3028-10-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/3028-9-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/3028-12-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/3028-14-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download
memory/3028-15-0x00000000065B0000-0x000000000BBB3000-memory.dmp

Filesize
86.0MB

Download
memory/3028-16-0x0000000073C30000-0x00000000741DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing