7226d29a62bfc505a5cd9c8d13603237821caa5075bea311f095272334827e58

General

Target

2.ps1
Size

316KB
MD5

da2ba0198037e33b0d775ea03da6169e
SHA1

6f195cfa87f25ece7ac46c96db03ff05e057abdc
SHA256

7226d29a62bfc505a5cd9c8d13603237821caa5075bea311f095272334827e58
SHA512

96489864076cdd83acf860bb50f055f45f4530f31d9c4d147f3bbd42182e02001502588ff43ae74882cf99a7f65dc1dd749c8133225e5158bac5c7f699d59320

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

744 powershell.exe
744 powershell.exe
744 powershell.exe
1012 powershell.exe
848 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 744 powershell.exe
Token: SeDebugPrivilege 1012 powershell.exe
Token: SeDebugPrivilege 848 powershell.exe

pid	process
744	powershell.exe
744	powershell.exe
744	powershell.exe
1012	powershell.exe
848	powershell.exe

description	pid	process
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

powershell.exeWScript.execmd.exepowershell.exeWScript.execmd.exe

description	pid	process	target process
PID 744 wrote to memory of 1772	744	powershell.exe	WScript.exe
PID 744 wrote to memory of 1772	744	powershell.exe	WScript.exe
PID 744 wrote to memory of 1772	744	powershell.exe	WScript.exe
PID 1772 wrote to memory of 1148	1772	WScript.exe	cmd.exe
PID 1772 wrote to memory of 1148	1772	WScript.exe	cmd.exe
PID 1772 wrote to memory of 1148	1772	WScript.exe	cmd.exe
PID 1772 wrote to memory of 1148	1772	WScript.exe	cmd.exe
PID 1772 wrote to memory of 1148	1772	WScript.exe	cmd.exe
PID 1148 wrote to memory of 1012	1148	cmd.exe	powershell.exe
PID 1148 wrote to memory of 1012	1148	cmd.exe	powershell.exe
PID 1148 wrote to memory of 1012	1148	cmd.exe	powershell.exe
PID 1012 wrote to memory of 1728	1012	powershell.exe	WScript.exe
PID 1012 wrote to memory of 1728	1012	powershell.exe	WScript.exe
PID 1012 wrote to memory of 1728	1012	powershell.exe	WScript.exe
PID 1728 wrote to memory of 1648	1728	WScript.exe	cmd.exe
PID 1728 wrote to memory of 1648	1728	WScript.exe	cmd.exe
PID 1728 wrote to memory of 1648	1728	WScript.exe	cmd.exe
PID 1648 wrote to memory of 848	1648	cmd.exe	powershell.exe
PID 1648 wrote to memory of 848	1648	cmd.exe	powershell.exe
PID 1648 wrote to memory of 848	1648	cmd.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Device\install.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\System32\cmd.exe
cmd /c ""C:\ProgramData\Device\install.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\Device\install.ps1'"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Device\mail.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\System32\cmd.exe
cmd /c ""C:\ProgramData\Device\mail.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\Device\mail.ps1'"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Device\install.bat
MD5
6b6770811f4839130552c1fe48abe429

SHA1
95a6dcc6a5e2e4a63c26d559ee673ac0cbba0536

SHA256
c1c92e61404621723b765fa9f00830bbb499e3bf1a99625f3583516dfb86fe9f

SHA512
dcd6ea06f456fa7cbcdb9bdc2e247fa269d66640ebabb95e976d224e80c9b1e1c8ec6577767ce357098e15115fed7c1be38a4c34641efcde8101396076c37931

Download Submit
C:\ProgramData\Device\install.ps1
MD5
3b6eefe192069cff7489b2ae69c07afc

SHA1
31cd81c0db3eb8908771e26e8d45d7f23d201818

SHA256
f60e89cbc97d41c43979ab8481e60d18300acb5fa9b72a41a21d31ac91e9793d

SHA512
73d6575d6bcce7333561319a198216d175238f730721fdaa3e7af2f9a07d81e2340109029037201d63f3fbcb9bd2f9ce305302bf41000031ebf87cdb252fdeac

Download Submit
C:\ProgramData\Device\install.vbs
MD5
dab56582b5e0b82196fc56d5b5dc8036

SHA1
de592fcf648a5be35438c3f4b8508da8b3a95b09

SHA256
2ba0f1158bae09a5c42a523a1776616a3d8fb6ca9848d6b92b6ea9c071307f8e

SHA512
ffc0cabcac6c77a61728bbae5adf8d46407fc97be44301b0f3c86f158b20f79c65b56d46a4c9da9b6ada0771843e6da377e2dc3ae9c77a46ed287994af37c1bc

Download Submit
C:\ProgramData\Device\mail.bat
MD5
77517a39874a342619d6b9762aa22095

SHA1
561476803ef1b9fb997833c358fe67c49b9876b5

SHA256
6daa0b56a9bbf5a8ad954af2c4b447b5ac2750ed643706b469b73b3829a939a5

SHA512
cde749fbd1a9958b0fc4eed3ae15586c7a96da9ce0d7d047b705b4eec12526ab01649c91b607ebaf7964f1ef957bae80f706eff06c71c6bcab9d9c9b19ace24f

Download Submit
C:\ProgramData\Device\mail.ps1
MD5
43f35e68a99efe5854553e9a39ee798a

SHA1
f611bdb79daaff2ee4d45c6509d79cdaf1e59221

SHA256
7e626e1d08ba85447cff2698b42320fc760ffa30ff8da471b0ada40eba840710

SHA512
04a4630c5ba9588bd4dd9e94b8a1168b0eddf659319a5903f82161cb0aecf1ed4f251479f5196fe0d7dc61a5ceb5d05e586c3f1b23b215572904e3ab25898703

Download Submit
C:\ProgramData\Device\mail.vbs
MD5
9ccb5561d91a0790d6d026f6238c21f8

SHA1
4fc58d58533b4031dccd1a0f72f53d9ef19cd31b

SHA256
75e60ff2d313c016135691692a1279dded3699c22963faf47f573201a8db80ba

SHA512
37d32c9e279f9331dde98f2a9e986ab06c4a697b5ac86a10b77ab65e0db3f26e021372a49bd206df9e917863d225b2a6d499c0b8601190ce5a7367a7aae7a0c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
8f406ae04b6a121818c39d140904256e

SHA1
23139fe80ea4ca08353d1078882a57985a7de2f5

SHA256
bdb10885c465a7e6652968947b39f620b86550fc693fb13463a2814555712abe

SHA512
0db02ac2cfd182ae0169a8a1117e96c8e8970a1585719fb6f2022e56c056794c23ec01d99f52988bc7a0d26ca67d13213b3b6888d7ff992e6e3d2c6d4aab671c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
d01587f4dd04590c5c56df08c821a86b

SHA1
0b38186598fea67bda8590ee79cc903a6c12d470

SHA256
b5ed3f069cf3f0972756e7e029775770f507417bfa042bc7e857ae1f348bc38e

SHA512
7e917fbc70a1dfbc775dfb7a926e7e900ac4502d3395aa1223528d98e2f9828e4d32f545362ce0228460de67e693d960763f80c8194704390539cee74be02003

Download Submit
memory/744-57-0x000007FEF34B0000-0x000007FEF400D000-memory.dmp

Filesize
11.4MB

Download
memory/744-60-0x000000000251B000-0x000000000253A000-memory.dmp

Filesize
124KB

Download
memory/744-55-0x000007FEFC261000-0x000007FEFC263000-memory.dmp

Filesize
8KB

Download
memory/744-59-0x0000000002514000-0x0000000002517000-memory.dmp

Filesize
12KB

Download
memory/744-58-0x0000000002512000-0x0000000002514000-memory.dmp

Filesize
8KB

Download
memory/744-56-0x0000000002510000-0x0000000002512000-memory.dmp

Filesize
8KB

Download
memory/848-83-0x000000000245B000-0x000000000247A000-memory.dmp

Filesize
124KB

Download
memory/848-81-0x0000000002454000-0x0000000002457000-memory.dmp

Filesize
12KB

Download
memory/848-80-0x0000000002452000-0x0000000002454000-memory.dmp

Filesize
8KB

Download
memory/848-77-0x000007FEF2B10000-0x000007FEF366D000-memory.dmp

Filesize
11.4MB

Download
memory/848-79-0x0000000002450000-0x0000000002452000-memory.dmp

Filesize
8KB

Download
memory/1012-70-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/1012-78-0x000000000287B000-0x000000000289A000-memory.dmp

Filesize
124KB

Download
memory/1012-67-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/1012-68-0x0000000002870000-0x0000000002872000-memory.dmp

Filesize
8KB

Download
memory/1012-69-0x0000000002872000-0x0000000002874000-memory.dmp

Filesize
8KB

Download
memory/1012-66-0x000007FEF2B10000-0x000007FEF366D000-memory.dmp

Filesize
11.4MB

Download

Analysis

Sharing