03dd22c542d2555bf0650df2434079d314e5d311762d778b612f03327b2058e8

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-en-20211208
submitted
01-02-2022 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03dd22c542d2555bf0650df2434079d314e5d311762d778b612f03327b2058e8.ps1
Size

5.1MB
MD5

ee48f5cc6e8e953361db80dcf1c30445
SHA1

c400de9be89e17b57532ec003e404941f95e358b
SHA256

03dd22c542d2555bf0650df2434079d314e5d311762d778b612f03327b2058e8
SHA512

47bc33530d37dfcca2169257afe4a743823dec4d096373063f6279f3989af08759b43f83c567a13f5658ac58c9d924a26439dffb8cec63130190324741dc68fe

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1888 powershell.exe
1888 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1952 explorer.exe

pid	process
1888	powershell.exe
1888	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exevssvc.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeBackupPrivilege	996	vssvc.exe
Token: SeRestorePrivilege	996	vssvc.exe
Token: SeAuditPrivilege	996	vssvc.exe
Token: SeShutdownPrivilege	1952	explorer.exe
Token: SeShutdownPrivilege	1952	explorer.exe
Token: SeShutdownPrivilege	1952	explorer.exe
Token: SeShutdownPrivilege	1952	explorer.exe
Token: SeShutdownPrivilege	1952	explorer.exe
Token: SeShutdownPrivilege	1952	explorer.exe
Token: SeShutdownPrivilege	1952	explorer.exe
Token: SeShutdownPrivilege	1952	explorer.exe
Token: SeShutdownPrivilege	1952	explorer.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

explorer.exe

pid	process
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

explorer.exe

pid	process
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe
1952	explorer.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

powershell.execsc.execsc.exe

description	pid	process	target process
PID 1888 wrote to memory of 892	1888	powershell.exe	csc.exe
PID 1888 wrote to memory of 892	1888	powershell.exe	csc.exe
PID 1888 wrote to memory of 892	1888	powershell.exe	csc.exe
PID 892 wrote to memory of 1500	892	csc.exe	cvtres.exe
PID 892 wrote to memory of 1500	892	csc.exe	cvtres.exe
PID 892 wrote to memory of 1500	892	csc.exe	cvtres.exe
PID 1888 wrote to memory of 1828	1888	powershell.exe	csc.exe
PID 1888 wrote to memory of 1828	1888	powershell.exe	csc.exe
PID 1888 wrote to memory of 1828	1888	powershell.exe	csc.exe
PID 1828 wrote to memory of 1752	1828	csc.exe	cvtres.exe
PID 1828 wrote to memory of 1752	1828	csc.exe	cvtres.exe
PID 1828 wrote to memory of 1752	1828	csc.exe	cvtres.exe
PID 1888 wrote to memory of 1360	1888	powershell.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\03dd22c542d2555bf0650df2434079d314e5d311762d778b612f03327b2058e8.ps1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xwwsacc0.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB55C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB54B.tmp"
4⤵
PID:1500

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0dqoooqs.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB655.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB654.tmp"
4⤵
PID:1752

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:996

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0dqoooqs.dll
MD5
c3ec3f931ba6ad6d5169396a0038b658

SHA1
ffe37b47c0b5cdea4a2da127059d23bc9a16aa55

SHA256
e7ee006e6b914b8b0ff0ea0d8d9553a8e7cbee6c5544ae39e2487c4f927646a8

SHA512
2dc75bd6c0b5b3f9600bb968cafb6ab88a6916e39a4de17d6ab38765ca4979dfa05156bdf6477b2ef0de8145988ff0bfb97524bdb91e24c50c7b3831e0a83954

Download Submit
C:\Users\Admin\AppData\Local\Temp\0dqoooqs.pdb
MD5
a99753ff1db5c02ab44e9aef1d018111

SHA1
62e6594a3ace11b9e7432da10bdb5e5635a718b7

SHA256
e72515086831d585b852b12905f8ab4e12361e5ee534268e4806de7ca92a7395

SHA512
b6b04eacafea0200241093ab36222fd6e1af93579eb300e7ad5e7449cb2e6c2df4cc6404117b487e857b5ba81ac54f8f97c4dacf8b6cd640f6a3f011d1109ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB55C.tmp
MD5
7fe7acc64c5645f9a7e0534308c6bcc7

SHA1
e9e4593976ebc0d5244959212ab338616152f7ad

SHA256
7dc9784ae6065fe79dc563821fa6e2e802ee4a2292c54e65e47aeb627980a0d3

SHA512
c8b57ac0e65e506da6495c68b1ff3ca0b30202feaf84438a4af37369f8831579562b02ea1a69f3e9e30c9a6351c7d145b32ad4243edebfce2a3d7cc93a7fd1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB655.tmp
MD5
b963e0a2a418174f18157fe8a5f0624e

SHA1
50901e885c290164ad7e9c4fa0d823abbfc34331

SHA256
273672bd413e34b8a2f713994c059a0ae90413f142ba2d92c84c03d1617eca8c

SHA512
f4eb7180874812dcd04f9919a7e56c93a185c052dc13c0cdfaf70bd9e8ab03d9a70119eb3d3deefcc8e6caee94b38be24bc659271e93432d3f230cbec5c5ad7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwwsacc0.dll
MD5
db383946ac92bb77292c2e263b93d390

SHA1
1d63f5e381b7b2a9d33d7a0953699c29a37bfd04

SHA256
1b7c9a5695608c1d2f35ecae464fa143f1dfbfdd64e2a9076031ece5cdc919ad

SHA512
e52a8555f7a79ad166a3494bcd278e97467190024640c15dc3842008b3fcb02fad54e2863dd72f3a6b5586024f3f6f200a9b0b453f5e29666b1b168eb2c4cbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwwsacc0.pdb
MD5
af336b9115bdc57ce024e8116150064a

SHA1
c651fd4d67c750d33795e121913c4dee13bb0618

SHA256
0e266711d9702dd2e3fc026104ae5e1f347f55790ffbeb2468ee805363e14557

SHA512
8b3c2e2018bb2dfbf2ac54d60119518eff8bbd94bda5e85498ecf9612d6fc7c802fd1fe812694cc59c3ba74327f1a6e4dd7cf34112904ada538f4467a79b404e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0dqoooqs.0.cs
MD5
ed9cfd99d64d4145f95494e644387917

SHA1
b1aabfa9b9e8723ce97429c4716c872e83f4f27b

SHA256
7e0a1c0195e236ff415d7855a4a63c92128da1c2072c5b31176709d61f8b3ae2

SHA512
55acabe1038c18f637a19081f61946e60bb053ff1e98ab5c2dada90e7440443cc76145268a9ef01710f548cda2a61581948218e674bc9a566b43f31e914b29ac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0dqoooqs.cmdline
MD5
2411a8ec266dd697aae1b4adb107fc66

SHA1
65b210c0839454bf5e855bb78218e033d5f913b8

SHA256
c20fe82e8d3b108e595381ec6b54e3b94d7c2f49e63508c997d647d0a89ed0b6

SHA512
fa9e6acb713d720301f029203d10de2f726d5498f5818f1af82c62effd9fdd2e1117837b0372649b4f17b58a8e43f19ab357b4d9560e2dccefd9be4bee8244a9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB54B.tmp
MD5
6d397ba3da46118ca630e767d5d451df

SHA1
a3d75a1189fe0ad5403c958fe1b5566770e00a31

SHA256
224412a2b66ab44cc1272a9c54221193acf355dda01a40697063b516dfa75e5f

SHA512
d24b3305eee6b585cc51137cf0e5e7c6bcf9b1b709cffe92ea0498760f14869649b6d38ac076fe753bdd675ce8c13d3c9256744312021f7c6a5cf1f7e533fde1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB654.tmp
MD5
5606a4d25c55339f68d3762f34957147

SHA1
e3419246261e1ac367ad5e408f0467705afdc483

SHA256
4ad19f112250a8339f6e29c0b3b249b22ea8f985c03435eaf975fb6a455bfaba

SHA512
9e2337d455f4621ca24a208bf2f06b17b367768ade17f6a25daa099873c6367b87a5047a3d6ac5f258ab41bca6144f7f2e20a48bc5d56a69f1872d0d97e0b535

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xwwsacc0.0.cs
MD5
180af0be87527cb58da22854cf83e457

SHA1
38da4b3f799109c64e39620c1f7254a75bcecbaf

SHA256
442963575807f914403c44d8df40be923d106e6c779c2fb89710bf414a918179

SHA512
bbb6be622759b847a96a7f73a3f228de4608035e459270009652f8aa09dad5007a062314b33bbcc5621e6a847c187c8c1702a0c47e8d0428afbd856cd7ad85fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xwwsacc0.cmdline
MD5
8b57e2db5252f188a8561b8a697360f4

SHA1
b09ec11e1d36946598a184435163757a4b287c54

SHA256
42f3a92ce78ab6170066e76cae2c35ed5e5c0b72f1bd67dc08cf3a86fabf15f4

SHA512
f80b69c7b1330d3cbbb6347b69371d6758d190d1fabea45e757ecfe0b5079b99d859d9fb998164e602297b3d66b0bf1a985aa3afd7e823979a1f729dad3502c3

Download Submit
memory/892-62-0x00000000022B0000-0x00000000022B2000-memory.dmp

Filesize
8KB

Download
memory/1360-80-0x0000000002180000-0x0000000002192000-memory.dmp

Filesize
72KB

Download
memory/1360-81-0x0000000002180000-0x0000000002192000-memory.dmp

Filesize
72KB

Download
memory/1888-59-0x000000000241B000-0x000000000243A000-memory.dmp

Filesize
124KB

Download
memory/1888-55-0x000007FEF2830000-0x000007FEF338D000-memory.dmp

Filesize
11.4MB

Download
memory/1888-54-0x000007FEFB711000-0x000007FEFB713000-memory.dmp

Filesize
8KB

Download
memory/1888-58-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/1888-57-0x0000000002412000-0x0000000002414000-memory.dmp

Filesize
8KB

Download
memory/1888-56-0x0000000002410000-0x0000000002412000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads