Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05-09-2024 12:31
Static task
static1
Behavioral task
behavioral1
Sample
153c188cd936975cbc916b08b0b6d3d32d526e3e126f0843877bf3a44389d536.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
153c188cd936975cbc916b08b0b6d3d32d526e3e126f0843877bf3a44389d536.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/BgImage.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/BgImage.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240802-en
General
-
Target
153c188cd936975cbc916b08b0b6d3d32d526e3e126f0843877bf3a44389d536.exe
-
Size
627KB
-
MD5
342d7b2b1f3bf1be39496effcdd9ffd8
-
SHA1
c6f94540d29b679e3e57d4e0c8e9b4f356682f43
-
SHA256
153c188cd936975cbc916b08b0b6d3d32d526e3e126f0843877bf3a44389d536
-
SHA512
a939ff45f6d4b3c5fa4d0be54cbbc764ccb58b97553334293dc5ae16928def5ebae4816adff294ad0da831fc9b549aba6af4af2bcd2b99225b34a29423efd556
-
SSDEEP
12288:5rRo7TKXllTf+RbKDhsm1oDlOW5cJphWiJ1kIS+BrA:JC7TKXlFf62DhoDlO+gphZJmIS+hA
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid Process 236 153c188cd936975cbc916b08b0b6d3d32d526e3e126f0843877bf3a44389d536.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Brachyprism255 = "%Hydragog% -windowstyle minimized $Irreproductive=(Get-ItemProperty -Path 'HKCU:\\Brefrekvensernes\\').Orthogonalize;%Hydragog% ($Irreproductive)" reg.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 3060 powershell.exe 2892 wab.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3060 set thread context of 2892 3060 powershell.exe 34 -
Drops file in Program Files directory 1 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Detrainment90\strenuosity.pot 153c188cd936975cbc916b08b0b6d3d32d526e3e126f0843877bf3a44389d536.exe -
pid Process 3060 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 153c188cd936975cbc916b08b0b6d3d32d526e3e126f0843877bf3a44389d536.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wab.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 2392 reg.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3060 powershell.exe 3060 powershell.exe 3060 powershell.exe 3060 powershell.exe 3060 powershell.exe 3060 powershell.exe 3060 powershell.exe 3060 powershell.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 3060 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3060 powershell.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 236 wrote to memory of 3060 236 153c188cd936975cbc916b08b0b6d3d32d526e3e126f0843877bf3a44389d536.exe 30 PID 236 wrote to memory of 3060 236 153c188cd936975cbc916b08b0b6d3d32d526e3e126f0843877bf3a44389d536.exe 30 PID 236 wrote to memory of 3060 236 153c188cd936975cbc916b08b0b6d3d32d526e3e126f0843877bf3a44389d536.exe 30 PID 236 wrote to memory of 3060 236 153c188cd936975cbc916b08b0b6d3d32d526e3e126f0843877bf3a44389d536.exe 30 PID 3060 wrote to memory of 2892 3060 powershell.exe 34 PID 3060 wrote to memory of 2892 3060 powershell.exe 34 PID 3060 wrote to memory of 2892 3060 powershell.exe 34 PID 3060 wrote to memory of 2892 3060 powershell.exe 34 PID 3060 wrote to memory of 2892 3060 powershell.exe 34 PID 3060 wrote to memory of 2892 3060 powershell.exe 34 PID 2892 wrote to memory of 2624 2892 wab.exe 35 PID 2892 wrote to memory of 2624 2892 wab.exe 35 PID 2892 wrote to memory of 2624 2892 wab.exe 35 PID 2892 wrote to memory of 2624 2892 wab.exe 35 PID 2624 wrote to memory of 2392 2624 cmd.exe 37 PID 2624 wrote to memory of 2392 2624 cmd.exe 37 PID 2624 wrote to memory of 2392 2624 cmd.exe 37 PID 2624 wrote to memory of 2392 2624 cmd.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\153c188cd936975cbc916b08b0b6d3d32d526e3e126f0843877bf3a44389d536.exe"C:\Users\Admin\AppData\Local\Temp\153c188cd936975cbc916b08b0b6d3d32d526e3e126f0843877bf3a44389d536.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:236 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle minimized " $Tarsernes=Get-Content 'C:\Users\Admin\AppData\Local\Vandskellenes\Tramp\drejebnksvrktjets\Bulmes.Kol32';$Unlaced=$Tarsernes.SubString(6710,3);.$Unlaced($Tarsernes)"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Brachyprism255" /t REG_EXPAND_SZ /d "%Hydragog% -windowstyle minimized $Irreproductive=(Get-ItemProperty -Path 'HKCU:\Brefrekvensernes\').Orthogonalize;%Hydragog% ($Irreproductive)"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Brachyprism255" /t REG_EXPAND_SZ /d "%Hydragog% -windowstyle minimized $Irreproductive=(Get-ItemProperty -Path 'HKCU:\Brefrekvensernes\').Orthogonalize;%Hydragog% ($Irreproductive)"5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2392
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
362KB
MD5b3150777f2b9ccbb21078b4d4bb8a0de
SHA11f1a12a669e39676304b3b6c0973a4ed37a08c63
SHA2561df56a2ce22679859461d6482b3825e5eb76b131ee92a5251db6770305f3c544
SHA5122e77dc5917fece50b1480f18e01a3e76e1378b33fa51b53890bdb2449c1cbf13e02577a84fb232aa5972616f630e0c7f62a698eb6fc1277d1a6182e3eab7b6b1
-
Filesize
52KB
MD590341d474017dc14627004bc73bbd211
SHA1e3e8c43d0406c96d2e55782c480fa93e85cb3884
SHA256af1a6315e00b71ebf549faf7182f9185ea4bdbcf936afbbc047760ad250ab2a3
SHA512a93a25f68c822e3b9f150908945ed1136762974c8c0b4a6145c9d6bea138e3d67ec89422fe5f91c92355fda59d721d5c277dacaad4434a2b642477e2af1228d8
-
Filesize
9KB
MD5eb2c74e05b30b29887b3219f4ea3fdab
SHA191173d46b34e7bae57acabdbd239111b5bcc4d9e
SHA256d253ca5aba34b925796777893f114cc741b015af7868022ab1db2341288c55ed
SHA5121bb035260223ec585170f891c2624b9ae98671f225e74b913b40bb77b66e3b9c2016037bc8e4b0ae16367d82590a60a0a3bd95d05139ea2454f02020d1b54dae