129a0f0f4dd667e3ecbcc252b890f306eb041ad0295cb1511343c307c12a658d

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-en-20211208
submitted
01-02-2022 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

129a0f0f4dd667e3ecbcc252b890f306eb041ad0295cb1511343c307c12a658d.ps1
Size

5.1MB
MD5

25c0fde038e01fe84fd3df69c99e60a1
SHA1

147c1adc615daa93e84a5a9210ccc14ae86f6c55
SHA256

129a0f0f4dd667e3ecbcc252b890f306eb041ad0295cb1511343c307c12a658d
SHA512

8d666575c6570f5b128faf30d30f506259eda1907829bcf449c2407ea3aa943de46933bb3822b5fcddb25648ad8cc6f4d2077b29e82cdb4a6f423a5e1acc9fae

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1088 powershell.exe
1088 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1804 explorer.exe

pid	process
1088	powershell.exe
1088	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exeexplorer.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeShutdownPrivilege	1804	explorer.exe
Token: SeShutdownPrivilege	1804	explorer.exe
Token: SeShutdownPrivilege	1804	explorer.exe
Token: SeShutdownPrivilege	1804	explorer.exe
Token: SeShutdownPrivilege	1804	explorer.exe
Token: SeShutdownPrivilege	1804	explorer.exe
Token: SeShutdownPrivilege	1804	explorer.exe
Token: SeBackupPrivilege	368	vssvc.exe
Token: SeRestorePrivilege	368	vssvc.exe
Token: SeAuditPrivilege	368	vssvc.exe
Token: SeShutdownPrivilege	1804	explorer.exe
Token: SeShutdownPrivilege	1804	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

explorer.exe

pid	process
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

explorer.exe

pid	process
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe
1804	explorer.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

powershell.execsc.execsc.exe

description	pid	process	target process
PID 1088 wrote to memory of 764	1088	powershell.exe	csc.exe
PID 1088 wrote to memory of 764	1088	powershell.exe	csc.exe
PID 1088 wrote to memory of 764	1088	powershell.exe	csc.exe
PID 764 wrote to memory of 580	764	csc.exe	cvtres.exe
PID 764 wrote to memory of 580	764	csc.exe	cvtres.exe
PID 764 wrote to memory of 580	764	csc.exe	cvtres.exe
PID 1088 wrote to memory of 1492	1088	powershell.exe	csc.exe
PID 1088 wrote to memory of 1492	1088	powershell.exe	csc.exe
PID 1088 wrote to memory of 1492	1088	powershell.exe	csc.exe
PID 1492 wrote to memory of 1480	1492	csc.exe	cvtres.exe
PID 1492 wrote to memory of 1480	1492	csc.exe	cvtres.exe
PID 1492 wrote to memory of 1480	1492	csc.exe	cvtres.exe
PID 1088 wrote to memory of 1248	1088	powershell.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\129a0f0f4dd667e3ecbcc252b890f306eb041ad0295cb1511343c307c12a658d.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zejl2rxy.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8538.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8527.tmp"
      4⤵
      PID:580
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qzhndn6i.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8805.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8804.tmp"
      4⤵
      PID:1480

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8538.tmp

MD5
51da71db6de53a6e64788ef8c12b8874

SHA1
0859a191d60e48ce9a582072d5202086832e6eca

SHA256
52db65da2703215ba25afccc061ad8ef111749f73091bd127102d446974b6aae

SHA512
54196b1471e13d8e6797216ef81903a579e74947ee7e0aaa4f08c35f0d561eb7222fd96d4f109da4641ba84c839ff0b9625accb5dba3ef55709d9572d0aba740

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8805.tmp

MD5
ea9a31091e7205bca99bec1f4d8e4568

SHA1
547b67bc993b19ae24e2be7e6509370979da18dc

SHA256
cf314cb78f15b29da2b0b72de29046c3f6d02af5448c449c6aecd944cbf28603

SHA512
d0985f28225d361596c1a6ce9247c7b3e23ac326ec55206590915cd9cd8451621ca7f61e2f48f40297f8b87e23fc1278eb3ff52170f408fbb9a0444612d53b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzhndn6i.dll

MD5
3b22c0549fd1191221b498d2d8541662

SHA1
ab27103b157c16b43806a4b6d5f9845c246a8309

SHA256
94efee42596b0dce7038306245aeb7c3c6a2a3149d5332696d8dee6dcfac2152

SHA512
378c15dc264e45ba8f07daf701ceb4134a7b5fe9a873baf94d41d3395a6e5ac78d36d2f1454746021e510e922eb985493a7752adde457086695404eeabd9cc5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzhndn6i.pdb

MD5
6af0248c454110a344512ce91eb84a33

SHA1
91a7be8885cffe99c817b27663044f4d86c31beb

SHA256
c29c5c8ca494114d84cfa00870070291ec77e55ae4cceefca7a7c44200fe4636

SHA512
cdf4c298615c2cc947bff5738c77410ca06e7a07c613f5de5933a9dd2795fe02039dad7a9148f9ceac52b962988fdd94c70e09a4e2a50ddba7ad5f100ca0a27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zejl2rxy.dll

MD5
e030195108a8ff5de861db1556fdce6e

SHA1
b53fe0e7463c8dd61a4772aedb38c08e01417c14

SHA256
aa6a6b6dc249aa7760153244982f3acb1f49a8a5f0bcd4e2bc9573f0fe5997ae

SHA512
75e44e4bd2bd83afcd2caa9761c55f01323e9b7c8ef099aa791293a6a0dd38f3df16592390042d47cf4b8b20ed80ac1977e4f1d3a3afd2f34599df9fd7ba67d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zejl2rxy.pdb

MD5
32ef1c3a569d5da2af8cdf87fc87e71a

SHA1
1aa4127311ee899ce4039606744a921500fbc4b5

SHA256
96e56000a868d17b451f3c06da0cc1c5ab8f02f0752383654a08290dc0b20129

SHA512
a312dfa0b673f8ac7749ae7f7ebe07afb5b99a2d988172aa4838dd2d7f96f80ecafcfa972eb3ed087b002ec8e4ccb1c593fb15990044aea1480081bfa47be58d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8527.tmp

MD5
8c94350548648f6b9a52948b968d87a6

SHA1
0ef1d16f2a160aa2a872e95ace2b15bf0eda23b2

SHA256
fe1dd2edf9627ceeb80979033da1dfa8db60ffae15c3f8a0539c6469ad1dabc4

SHA512
2cd04ac67a0cf5c600150ed5868afabf9e1a91eb966a49cb1716c78207791d466b4370664a66725d6921c36d4467adc8be56bdc6770d1d8778b4840e43a7facb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8804.tmp

MD5
05d0b0409cdee7b0d0f89213a713eb82

SHA1
2ac1810b2b026217ebfa47759dc330b14672728a

SHA256
3216ef9e0e2f3e5f2e802e1e72ef9f66d3e75e173895d5579ad14ae8fd0189d6

SHA512
258894c4c70034a659c0b59433dbd929aa16afd1731e3fd5b463e79c678120431a7754f54be145384339c1e9ac685896d12f54e9c1f227b02233317963057a3f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qzhndn6i.0.cs

MD5
344f23b4667f7d312483d88784135df6

SHA1
718411c0a15618ab922439236f05795cc3698193

SHA256
c5b8181e96ef7e95b279a0693b8fc0e9ff4d7a1da54de03cdc81b1974554c840

SHA512
d82e753ee42564ed0db88c48368ad0eddcc71782233d58778aeeca9e65ecfb95043352f45f17650060ea6abc365ed307a5ff722dbbe466df8e221f007bd5af86

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qzhndn6i.cmdline

MD5
fde08dbfae1598d4487d5997ffe78a70

SHA1
de980e93dec37ddd4c9fc03d24f7136cd963b616

SHA256
3ba8a18f368203e6efa1af4cf6d11fe55963b395edaa6c0b30ed4c5268527183

SHA512
794becebcd9806f5679106e041e9c4fb74b65523ac52bb35407c614ac2f29bdd40cf33e316edde0f8d9cc370ff47beae96219fb979d0c25570b0989ee5449c6c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zejl2rxy.0.cs

MD5
66878dde234663689cfa070b8be89ce2

SHA1
65452416e6883172001c395292392ce54d1b5610

SHA256
f13998b5042ff0f5b6acef75802b38437bc20576fd67d365a0cb1cc49ae9c7fe

SHA512
79e2a7bf56cba07da5a4e8d3b33197e867e23fec74b254cd684614db1322da20db79af30b9a1bd37c694d23043378345f2361cb5455a2490ebc2f34177abb0b3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zejl2rxy.cmdline

MD5
a1eccfd3d8046a3512b2d436d42da658

SHA1
42da680af1697c827aa8065134d7e6f0be7066f3

SHA256
4e0c305d3d3f0ab3fb11d5e2a3fb62ae4abe7f977c357af7c465b9b4238cea77

SHA512
f8f2a51983df01235e7fca3832c74913431188de66c2f8a0da3d97ec06d4c154223d3787820989f2fe49a04fdf518012e3f4154b8954c2c8fb8e112edd324f3d

Download Submit
memory/764-63-0x0000000002240000-0x0000000002242000-memory.dmp

Filesize
8KB

Download
memory/1088-54-0x000007FEFBAD1000-0x000007FEFBAD3000-memory.dmp

Filesize
8KB

Download
memory/1088-59-0x000000001B850000-0x000000001BB4F000-memory.dmp

Filesize
3.0MB

Download
memory/1088-60-0x000000000292B000-0x000000000294A000-memory.dmp

Filesize
124KB

Download
memory/1088-55-0x000007FEF2E30000-0x000007FEF398D000-memory.dmp

Filesize
11.4MB

Download
memory/1088-58-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/1088-57-0x0000000002922000-0x0000000002924000-memory.dmp

Filesize
8KB

Download
memory/1088-56-0x0000000002920000-0x0000000002922000-memory.dmp

Filesize
8KB

Download
memory/1248-74-0x0000000002B20000-0x0000000002B32000-memory.dmp

Filesize
72KB

Download
memory/1248-75-0x0000000002B20000-0x0000000002B32000-memory.dmp

Filesize
72KB

Download
memory/1804-81-0x0000000003E00000-0x00000000045EF000-memory.dmp

Filesize
7.9MB

Download