Analysis

  • max time kernel
    132s
  • max time network
    136s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250610-en
  • resource tags

    arch:x64 arch:x86 image:win11-20250610-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    01/07/2025, 06:53

General

  • Target

    Eksportindustrien.ps1

  • Size

    54KB

  • MD5

    e9e3dfcb65a6f62522714916d1ccd491

  • SHA1

    09319cafa05d6f9fb66e11c6ac3c41046b28e9e0

  • SHA256

    7beab23f05657b7b773b6e6facccfcc81bdde6bbc7a23c435b4a5b8e94674e2e

  • SHA512

    df3999ee5e66db05047989d1c50546bf256bab29bf850985bf89de3aef9b7a3445c7ac1db199a8b22e6b347f0db6e2fc813770b67c14dcc8d12ef4e72332f055

  • SSDEEP

    1536:TK2MNrH82wxdRFew8ACyLqzkK26AgV4VDBs:OfNBwBI9ACyLqYeZKs

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 49 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Eksportindustrien.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:5564
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:5100
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4700
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:916

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\US42WIUG\www.bing[1].xml

          Filesize

          328B

          MD5

          3ea63ca9c774a4b9476b85a61226b982

          SHA1

          15ea2c43fadb12a7009542e66b6a0fcf635d67e1

          SHA256

          c1e206b8b199fb6c7ca1a145ed65d5a95d8ad44cfd7aeda33630400d119e12ea

          SHA512

          0fed7e1c400b1046e0bcc89e7ca74fd8416efe6b2bb172edccbfe8f6b90598805baa2f6492cedfc64e6ff44addff2d60fb66cfa90e97bd02c0dad78b1ac3b171

        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\US42WIUG\www.bing[1].xml

          Filesize

          15KB

          MD5

          42d9463fee02154729c51009900afe46

          SHA1

          2a2f02d6b5aeb06aef160fb063f3f5f5284ea8d5

          SHA256

          7839267d4e5f9f6900f4475cd9ca7ebdadd20f9b7845b7c115f3752678e98102

          SHA512

          a4c0c62618f1e612909a267d694fec804767d4ed2e3d0a0c9a69423f41ae59f9ec83d9ab784a9cb69948c1e2d6b52ceb4e0f53f42bb4e47fc60c016368b2f74d

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_milc1dc1.tp0.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • memory/916-75-0x0000028CF27D0000-0x0000028CF27F0000-memory.dmp

          Filesize

          128KB

        • memory/916-77-0x0000028CF24F0000-0x0000028CF2510000-memory.dmp

          Filesize

          128KB

        • memory/916-76-0x0000028CDF260000-0x0000028CDF360000-memory.dmp

          Filesize

          1024KB

        • memory/5564-13-0x0000025358330000-0x000002535835A000-memory.dmp

          Filesize

          168KB

        • memory/5564-14-0x0000025358330000-0x0000025358354000-memory.dmp

          Filesize

          144KB

        • memory/5564-16-0x00000253583C0000-0x00000253583D0000-memory.dmp

          Filesize

          64KB

        • memory/5564-17-0x0000025358360000-0x0000025358362000-memory.dmp

          Filesize

          8KB

        • memory/5564-0-0x00000253583C0000-0x00000253583D0000-memory.dmp

          Filesize

          64KB

        • memory/5564-12-0x00000253583C0000-0x00000253583D0000-memory.dmp

          Filesize

          64KB

        • memory/5564-11-0x00000253583C0000-0x00000253583D0000-memory.dmp

          Filesize

          64KB

        • memory/5564-2-0x000002533FD00000-0x000002533FD22000-memory.dmp

          Filesize

          136KB

        • memory/5564-1-0x00000253583C0000-0x00000253583D0000-memory.dmp

          Filesize

          64KB