Analysis

  • max time kernel
    129s
  • max time network
    138s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    01/07/2025, 06:52

General

  • Target

    Eksportindustrien.ps1

  • Size

    54KB

  • MD5

    e9e3dfcb65a6f62522714916d1ccd491

  • SHA1

    09319cafa05d6f9fb66e11c6ac3c41046b28e9e0

  • SHA256

    7beab23f05657b7b773b6e6facccfcc81bdde6bbc7a23c435b4a5b8e94674e2e

  • SHA512

    df3999ee5e66db05047989d1c50546bf256bab29bf850985bf89de3aef9b7a3445c7ac1db199a8b22e6b347f0db6e2fc813770b67c14dcc8d12ef4e72332f055

  • SSDEEP

    1536:TK2MNrH82wxdRFew8ACyLqzkK26AgV4VDBs:OfNBwBI9ACyLqYeZKs

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 49 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 60 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Eksportindustrien.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:228
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:5844
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1100
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:5956

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\89X10YFG\www.bing[1].xml

          Filesize

          15KB

          MD5

          5f87b76501c29f1d81e795ac38664940

          SHA1

          de9f6690730b847cba7878d8a98abdb9719c6a53

          SHA256

          fbe3745db77d53dab826df465cd309dd1da6719e4cee20d86a8bd2bef87bd35d

          SHA512

          aaa8c903bbffb4578268e53ab24305896b5e3624548302cb1a7ef73a1c407716c7227dd15a330ad402b68c4bf4ea3916b5808c2296e2e81abc5812556a66c7ab

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_01rvcnmg.vuw.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • memory/228-16-0x000001D3F01B0000-0x000001D3F01C0000-memory.dmp

          Filesize

          64KB

        • memory/228-17-0x000001D3F0310000-0x000001D3F0312000-memory.dmp

          Filesize

          8KB

        • memory/228-11-0x000001D3F01B0000-0x000001D3F01C0000-memory.dmp

          Filesize

          64KB

        • memory/228-12-0x000001D3F01B0000-0x000001D3F01C0000-memory.dmp

          Filesize

          64KB

        • memory/228-13-0x000001D3F0690000-0x000001D3F06BA000-memory.dmp

          Filesize

          168KB

        • memory/228-14-0x000001D3F0690000-0x000001D3F06B4000-memory.dmp

          Filesize

          144KB

        • memory/228-0-0x000001D3F01B0000-0x000001D3F01C0000-memory.dmp

          Filesize

          64KB

        • memory/228-10-0x000001D3F0270000-0x000001D3F0292000-memory.dmp

          Filesize

          136KB

        • memory/228-1-0x000001D3F01B0000-0x000001D3F01C0000-memory.dmp

          Filesize

          64KB

        • memory/5956-32-0x00000272F0F00000-0x00000272F1000000-memory.dmp

          Filesize

          1024KB

        • memory/5956-72-0x0000027AF5800000-0x0000027AF5900000-memory.dmp

          Filesize

          1024KB

        • memory/5956-74-0x0000027AF5800000-0x0000027AF5900000-memory.dmp

          Filesize

          1024KB

        • memory/5956-73-0x0000027AF5980000-0x0000027AF59A0000-memory.dmp

          Filesize

          128KB

        • memory/5956-75-0x0000027AF6150000-0x0000027AF6170000-memory.dmp

          Filesize

          128KB

        • memory/5956-33-0x00000272F0F00000-0x00000272F1000000-memory.dmp

          Filesize

          1024KB