Analysis

  • max time kernel
    129s
  • max time network
    138s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    01/07/2025, 06:52

General

  • Target

    Eksportindustrien.ps1

  • Size

    54KB

  • MD5

    e9e3dfcb65a6f62522714916d1ccd491

  • SHA1

    09319cafa05d6f9fb66e11c6ac3c41046b28e9e0

  • SHA256

    7beab23f05657b7b773b6e6facccfcc81bdde6bbc7a23c435b4a5b8e94674e2e

  • SHA512

    df3999ee5e66db05047989d1c50546bf256bab29bf850985bf89de3aef9b7a3445c7ac1db199a8b22e6b347f0db6e2fc813770b67c14dcc8d12ef4e72332f055

  • SSDEEP

    1536:TK2MNrH82wxdRFew8ACyLqzkK26AgV4VDBs:OfNBwBI9ACyLqYeZKs
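
Before acting on this report, confirm that the file in hand is the sample it describes. The PowerShell below is an added example for this page, not part of the sandbox output and not code from the sample: it recomputes the four hashes listed above and compares them (ssdeep is skipped because PowerShell has no built-in for it), then does a read-only scan for common loader traits so the script can be triaged without being run. The sample path is an assumption (the path the sandbox used), and the indicator patterns are a generic starter list, not something derived from this script's contents.

```powershell
# Added example for this page, not part of the sandbox report or of the sample.
# Assumption: the sample was saved at the path the sandbox used. Nothing here executes it.
$SamplePath = 'C:\Users\Admin\AppData\Local\Temp\Eksportindustrien.ps1'

# Values copied from the General section of the report.
$ReportedHashes = @{
    MD5    = 'e9e3dfcb65a6f62522714916d1ccd491'
    SHA1   = '09319cafa05d6f9fb66e11c6ac3c41046b28e9e0'
    SHA256 = '7beab23f05657b7b773b6e6facccfcc81bdde6bbc7a23c435b4a5b8e94674e2e'
    SHA512 = 'df3999ee5e66db05047989d1c50546bf256bab29bf850985bf89de3aef9b7a3445c7ac1db199a8b22e6b347f0db6e2fc813770b67c14dcc8d12ef4e72332f055'
}
$ReportedSizeKB = 54

function Test-SampleIdentity {
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [hashtable] $Expected,
        [int] $ExpectedSizeKB
    )
    foreach ($alg in ($Expected.Keys | Sort-Object)) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm $alg).Hash.ToLowerInvariant()
        [pscustomobject]@{
            Check  = $alg
            Match  = ($actual -eq $Expected[$alg].ToLowerInvariant())
            Actual = $actual
        }
    }
    # The report rounds the size to whole KB, so compare on the rounded figure.
    $sizeKB = [math]::Round((Get-Item -LiteralPath $Path).Length / 1KB)
    [pscustomobject]@{ Check = 'SizeKB'; Match = ($sizeKB -eq $ExpectedSizeKB); Actual = $sizeKB }
}

function Get-ScriptIndicators {
    param([Parameter(Mandatory)] [string] $Path)
    # Reading the file as text does not run it. The pattern set is a generic
    # starter list for PowerShell loaders (an assumption), not derived from this sample.
    $text = Get-Content -LiteralPath $Path -Raw
    $patterns = [ordered]@{
        'Base64 decode'        = 'FromBase64String'
        'Invoke-Expression'    = '\bIEX\b|Invoke-Expression'
        'Network download'     = 'DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient'
        'Char-code assembly'   = '\[char\]\s*\d+'
        'Long base64 run'      = '[A-Za-z0-9+/]{200,}={0,2}'
        'AMSI/ETW tampering'   = 'AmsiUtils|amsiInitFailed|EtwEventWrite'
        'Reflective loading'   = 'Reflection\.Assembly|Add-Type|VirtualAlloc'
    }
    foreach ($name in $patterns.Keys) {
        $count = [regex]::Matches($text, $patterns[$name], 'IgnoreCase').Count
        [pscustomobject]@{ Indicator = $name; Count = $count }
    }
}

Test-SampleIdentity -Path $SamplePath -Expected $ReportedHashes -ExpectedSizeKB $ReportedSizeKB |
    Format-Table -AutoSize
Get-ScriptIndicators -Path $SamplePath | Format-Table -AutoSize
```

If any hash row reports Match = False, the local file is not the one analysed here and none of the behaviour below should be assumed to apply to it.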

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components, whose StubPath values run once per user at logon). In this run the hit is attributed to explorer.exe (PID 4692), not to the PowerShell process that ran the script (PID 3516).

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    The script was run as powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Eksportindustrien.ps1 (PID 3516). That command line is how the sandbox launched the submitted file; the -ExecutionPolicy bypass flag is not behaviour of the script itself.

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments. In this run every hit is attributed to explorer.exe (PID 4692) rather than to the script's PowerShell process (PID 3516); see the process list below.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 49 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. This signature is not attributed to any process in the tree below.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots. Reading or deleting shadow copies through the WMI provider (Win32_ShadowCopy) is a common ransomware precursor, but the report records only use of the provider, not deletion, and the hit is not tied to a process in the tree below.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. As with the WMI provider hit above, no process in the tree below is credited with this behaviour.
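
The two persistence mechanisms the signatures name, Active Setup and the Task Scheduler COM API, can be checked on a detonation host with the PowerShell below. This is an added example written for this page, not code from the report or from the sample. It assumes an elevated session so that HKLM and every task folder are readable; the `$suspicious` pattern and the default one-day look-back are assumptions chosen for illustration. Run it on a clean snapshot and again after detonation and diff the two outputs: Windows ships legitimate Active Setup components under HKLM, so the interesting entries are new ones, or any whose StubPath points at an interpreter or a user-writable path.

```powershell
# Added example, not part of the sandbox report. Run elevated on the detonation host.

function Get-ActiveSetupEntries {
    # Active Setup runs each component's StubPath once per user at logon when the
    # HKLM entry's Version is newer than (or missing from) the user's HKCU copy.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
        'HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    )
    # Interpreters and user-writable locations that should not appear in a StubPath (assumed list).
    $suspicious = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|\\AppData\\|\\Temp\\|\\Users\\Public'
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $p = Get-ItemProperty -LiteralPath $key.PSPath
            if (-not $p.StubPath) { continue }
            [pscustomobject]@{
                Hive       = $root.Substring(0, 4)
                Component  = $key.PSChildName
                StubPath   = $p.StubPath
                Version    = $p.Version
                Suspicious = [bool]($p.StubPath -match $suspicious)
            }
        }
    }
}

function Get-ScheduledTaskActions {
    # Walks every task folder through the same Schedule.Service COM interface the
    # signature refers to; GetTasks(1) includes hidden tasks.
    param([datetime] $Since = (Get-Date).AddDays(-1))
    $svc = New-Object -ComObject 'Schedule.Service'
    $svc.Connect()
    $folders = New-Object System.Collections.Stack
    $folders.Push($svc.GetFolder('\'))
    while ($folders.Count -gt 0) {
        $folder = $folders.Pop()
        foreach ($sub in $folder.GetFolders(0)) { $folders.Push($sub) }
        foreach ($task in $folder.GetTasks(1)) {
            [xml] $def = $task.Xml
            $registered = $def.Task.RegistrationInfo.Date
            # Tasks without a registration date cannot be aged out, so keep them.
            if ($registered -and ([datetime] $registered) -lt $Since) { continue }
            foreach ($exec in $def.Task.Actions.Exec) {
                [pscustomobject]@{
                    TaskPath   = $task.Path
                    Registered = $registered
                    Command    = $exec.Command
                    Arguments  = $exec.Arguments
                    RunAs      = $def.Task.Principals.Principal.UserId
                }
            }
        }
    }
}

Get-ActiveSetupEntries | Where-Object Suspicious | Format-List
Get-ScheduledTaskActions -Since (Get-Date).AddHours(-2) | Format-Table -AutoSize
```

Only Exec actions are listed; a task whose action is a COM handler will appear in the task walk but produce no row, so compare the raw task count between snapshots as well.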

Processes

  • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Eksportindustrien.ps1
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3516
  • C:\Windows\explorer.exe
    explorer.exe
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4692
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3388
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4948
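
All four processes above are top-level: the tree shows no parent-child link between powershell.exe (PID 3516) and explorer.exe (PID 4692), and the 58 "Checks SCSI registry key(s)" hits land on explorer.exe. They are therefore best treated as shell background activity unless a later finding ties the script to explorer.exe. To recognise what a genuine check of that kind reads, and to test whether a sandbox image would pass it, the PowerShell below, an added example that is not from the report or the sample, reads the identifier values a VM-aware sample typically inspects and flags the usual hypervisor vendor strings. The key list and the marker list are assumptions based on commonly abused locations, not on anything this sample was observed to do.

```powershell
# Added example, not part of the sandbox report. Read-only; safe to run on any host.

function Get-HardwareIdentifierStrings {
    # Registry values commonly read by VM-detection code (assumed list).
    $entries = New-Object System.Collections.Generic.List[object]
    $scsiRoot = 'HKLM:\HARDWARE\DEVICEMAP\Scsi'
    if (Test-Path -LiteralPath $scsiRoot) {
        # Each "Scsi Port N\Scsi Bus 0\Target Id 0\Logical Unit Id 0" key carries an
        # Identifier string naming the disk model, e.g. the hypervisor's virtual disk.
        foreach ($key in Get-ChildItem -LiteralPath $scsiRoot -Recurse) {
            $p = Get-ItemProperty -LiteralPath $key.PSPath
            if ($p.Identifier) {
                $entries.Add([pscustomobject]@{ Key = $key.Name; Value = [string] $p.Identifier })
            }
        }
    }
    # BIOS strings are the other classic fingerprint source.
    $sys = Get-ItemProperty -LiteralPath 'HKLM:\HARDWARE\DESCRIPTION\System' -ErrorAction SilentlyContinue
    foreach ($name in 'SystemBiosVersion', 'VideoBiosVersion') {
        if ($sys -and $sys.$name) {
            $entries.Add([pscustomobject]@{
                Key   = "HKLM\HARDWARE\DESCRIPTION\System\$name"
                Value = ($sys.$name -join ' ')
            })
        }
    }
    $entries
}

function Find-VirtualizationMarkers {
    # Substrings that give away common hypervisors (assumed list; case-insensitive).
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $Entry)
    begin { $markers = 'VBOX', 'VIRTUALBOX', 'INNOTEK', 'VMWARE', 'QEMU', 'XEN', 'PARALLELS', 'VIRTUAL' }
    process {
        $upper = $Entry.Value.ToUpperInvariant()
        $hit = $markers | Where-Object { $upper.Contains($_) } | Select-Object -First 1
        [pscustomobject]@{ Key = $Entry.Key; Value = $Entry.Value; Marker = $hit }
    }
}

Get-HardwareIdentifierStrings | Find-VirtualizationMarkers | Format-Table -AutoSize
```

Any row with a non-empty Marker is a string a sample could use to decide it is being analysed; a sandbox image that returns such strings should have its virtual disk and BIOS identifiers changed before the next detonation.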

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        Files written during the run. Two of them are background artifacts rather than payloads dropped by the sample: the 60-byte __PSScriptPolicyTest_*.ps1 is written by powershell.exe itself at startup to test whether a script-execution lockdown policy (AppLocker/WDAC) is in force, and the www.bing[1].xml DOMStore file lives under the package directory of SearchHost.exe (PID 3388).

        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\89X10YFG\www.bing[1].xml

          Filesize

          15KB

          MD5

          58a7a2c960cdb7cd77e9644ba568a847

          SHA1

          320f9b33436267c9768675f78ec2526a24cce0f3

          SHA256

          dab0356a51e17d8e1f54b2fd36605eb2685924089ad493a1ce57fef6b80f6b8a

          SHA512

          50e75e1f9a737f20f065a7e515ed17c8a0b724df35d94fed41ec3eddfcd3a7859b45c9d404fc4d4359c91429c4d90c5a3713ed26e79a4e4506636bca6af30cbb

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mvz0mn3v.tmb.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • memory/3388-32-0x000001842D440000-0x000001842D540000-memory.dmp

          Filesize

          1024KB

        • memory/3388-75-0x0000018C52050000-0x0000018C52070000-memory.dmp

          Filesize

          128KB

        • memory/3388-64-0x0000018C41500000-0x0000018C41600000-memory.dmp

          Filesize

          1024KB

        • memory/3388-65-0x0000018C522C0000-0x0000018C522E0000-memory.dmp

          Filesize

          128KB

        • memory/3388-66-0x0000018C52150000-0x0000018C52250000-memory.dmp

          Filesize

          1024KB

        • memory/3516-11-0x000001DA1D410000-0x000001DA1D420000-memory.dmp

          Filesize

          64KB

        • memory/3516-16-0x000001DA1D410000-0x000001DA1D420000-memory.dmp

          Filesize

          64KB

        • memory/3516-17-0x000001DA1D400000-0x000001DA1D402000-memory.dmp

          Filesize

          8KB

        • memory/3516-14-0x000001DA1D460000-0x000001DA1D484000-memory.dmp

          Filesize

          144KB

        • memory/3516-13-0x000001DA1D460000-0x000001DA1D48A000-memory.dmp

          Filesize

          168KB

        • memory/3516-12-0x000001DA1D410000-0x000001DA1D420000-memory.dmp

          Filesize

          64KB

        • memory/3516-0-0x000001DA1D410000-0x000001DA1D420000-memory.dmp

          Filesize

          64KB

        • memory/3516-4-0x000001DA1D3B0000-0x000001DA1D3D2000-memory.dmp

          Filesize

          136KB

        • memory/3516-1-0x000001DA1D410000-0x000001DA1D420000-memory.dmp

          Filesize

          64KB