89360a01c95a9aee2ea2af6fe15693baefabe2d31beb3c43fcbc390d73c3bee5

General

Target

Renommxterne.exe
Size

989KB
MD5

2412cbbed6081fd40494028b7ff5e791
SHA1

0f404ae35ee0193e07a6cc26391f7560ec103ab9
SHA256

89360a01c95a9aee2ea2af6fe15693baefabe2d31beb3c43fcbc390d73c3bee5
SHA512

03ea2096fa8c34f668c301549d6dd7152e24e8d50b9cf5fca63452eecf720bac0e084ddc56a28cf558b2da32c3e5cb7cc036e06eb9735c4a443a7ffe75aeb055
SSDEEP

24576:K+63kmIlyh9fgMAC7Nr8xAGuwIm/yWiopvC9wi:K+TOflm/RaWi6Mwi

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1664	powershell.exe
2760	powershell.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Hemicrane.ini	Renommxterne.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\resources\0409\syntonolydian\statsminister.lnk	Renommxterne.exe
File opened for modification	C:\Windows\resources\0409\federalt\Telephonists230.Ube	Renommxterne.exe
File opened for modification	C:\Windows\resources\snagline.sub	Renommxterne.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Renommxterne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1664	powershell.exe
2760	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 1664	976	Renommxterne.exe	31
PID 976 wrote to memory of 1664	976	Renommxterne.exe	31
PID 976 wrote to memory of 1664	976	Renommxterne.exe	31
PID 976 wrote to memory of 1664	976	Renommxterne.exe	31
PID 976 wrote to memory of 2760	976	Renommxterne.exe	33
PID 976 wrote to memory of 2760	976	Renommxterne.exe	33
PID 976 wrote to memory of 2760	976	Renommxterne.exe	33
PID 976 wrote to memory of 2760	976	Renommxterne.exe	33

C:\Users\Admin\AppData\Local\Temp\Renommxterne.exe
"C:\Users\Admin\AppData\Local\Temp\Renommxterne.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden "$Parthenocissus=Get-Content -raw 'C:\Users\Admin\AppData\Local\fona\Kvit\Snurre.Cha';$Bekendelsesskriftets=$Parthenocissus.SubString(2518,3);.$Bekendelsesskriftets($Parthenocissus)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden "$Parthenocissus=Get-Content -raw 'C:\Users\Admin\AppData\Local\fona\Kvit\Snurre.Cha';$Bekendelsesskriftets=$Parthenocissus.SubString(2518,3);.$Bekendelsesskriftets($Parthenocissus)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\depoh.lnk

Filesize
878B

MD5
480653bd90f7a300459f435905c63070

SHA1
da6cc6e869aa969eae62e84132ef7d441d84ba38

SHA256
d764f0c633a58b082f98810a2761d611654ba64d12f112ea9ff0d5d65c8e4288

SHA512
bdd811685575cfc464e9e413330e11c8bf6a6c904e9ca56be65862a3d7bf64f849838d1f0186e5dc4a5e81a7b25b0e08cbd77ded38869f551ab3efd2d7ec3a81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\depoh.lnk

Filesize
852B

MD5
bcb8d9637eed93bd5fe96bb07b98624b

SHA1
0ab83c93220a05ce17ff398b1a7122087aff34d8

SHA256
0734683332a12abae00eec905f8faa3f199e825907f730654b12e4758675dddc

SHA512
cfc226e3567c80988413dd367f1b052b8f48a19f64b4fd3a7a80860bd11b779037080a53e8f008e20cb9b1afa63a17cbf60e98cdc29ec7fbf872b1a5209dbb30

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M8HP6AYSM8VKCO4Y13K9.temp

Filesize
7KB

MD5
868719d9757d80337288a1df0920a32f

SHA1
9f4139e16236cafa26aff2d7b95515c68edb2fbe

SHA256
b3e9c94b028b2bf80d3b0524c0d181de51a10172620fa41d44c18b267ecbf940

SHA512
83be904f84398727501dbb20f2368a827e1aac935311c627ba281a7205b54c6c6939b14459c5111fdc36812b020af4776f2000a4ddcf0ca91050fff1e45fb54d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ba016f42af2c96e9bf5f50c0075dc893

SHA1
f5d284028447928afe077496f5c627ab7362f099

SHA256
472d1fd0696cb117e9783b1ae593a5015bcf1e98b7e45036fcf061b821713496

SHA512
a58bcafa114add65bf621c3760b9aae3e8499e2cdc8d9b35d7390d6d929c8e4cdc1910c088bc7953a15fb82cff2df595f281fc080be7886fa16c87c7f0dabb4a

Download Submit
memory/1664-182-0x0000000074551000-0x0000000074552000-memory.dmp

Filesize
4KB

Download
memory/1664-183-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1664-184-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1664-185-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1664-186-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1664-187-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing