Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
01-02-2022 01:36
Static task
static1
Behavioral task
behavioral1
Sample
129a0f0f4dd667e3ecbcc252b890f306eb041ad0295cb1511343c307c12a658d.ps1
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
129a0f0f4dd667e3ecbcc252b890f306eb041ad0295cb1511343c307c12a658d.ps1
Resource
win10v2004-en-20220112
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
129a0f0f4dd667e3ecbcc252b890f306eb041ad0295cb1511343c307c12a658d.ps1
-
Size
5.1MB
-
MD5
25c0fde038e01fe84fd3df69c99e60a1
-
SHA1
147c1adc615daa93e84a5a9210ccc14ae86f6c55
-
SHA256
129a0f0f4dd667e3ecbcc252b890f306eb041ad0295cb1511343c307c12a658d
-
SHA512
8d666575c6570f5b128faf30d30f506259eda1907829bcf449c2407ea3aa943de46933bb3822b5fcddb25648ad8cc6f4d2077b29e82cdb4a6f423a5e1acc9fae
Score
8/10
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs
-
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_Classes\Local Settings explorer.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1088 powershell.exe 1088 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1804 explorer.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeDebugPrivilege 1088 powershell.exe Token: SeShutdownPrivilege 1804 explorer.exe Token: SeShutdownPrivilege 1804 explorer.exe Token: SeShutdownPrivilege 1804 explorer.exe Token: SeShutdownPrivilege 1804 explorer.exe Token: SeShutdownPrivilege 1804 explorer.exe Token: SeShutdownPrivilege 1804 explorer.exe Token: SeShutdownPrivilege 1804 explorer.exe Token: SeBackupPrivilege 368 vssvc.exe Token: SeRestorePrivilege 368 vssvc.exe Token: SeAuditPrivilege 368 vssvc.exe Token: SeShutdownPrivilege 1804 explorer.exe Token: SeShutdownPrivilege 1804 explorer.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe 1804 explorer.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 1088 wrote to memory of 764 1088 powershell.exe 28 PID 1088 wrote to memory of 764 1088 powershell.exe 28 PID 1088 wrote to memory of 764 1088 powershell.exe 28 PID 764 wrote to memory of 580 764 csc.exe 29 PID 764 wrote to memory of 580 764 csc.exe 29 PID 764 wrote to memory of 580 764 csc.exe 29 PID 1088 wrote to memory of 1492 1088 powershell.exe 30 PID 1088 wrote to memory of 1492 1088 powershell.exe 30 PID 1088 wrote to memory of 1492 1088 powershell.exe 30 PID 1492 wrote to memory of 1480 1492 csc.exe 31 PID 1492 wrote to memory of 1480 1492 csc.exe 31 PID 1492 wrote to memory of 1480 1492 csc.exe 31 PID 1088 wrote to memory of 1248 1088 powershell.exe 14
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1248
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\129a0f0f4dd667e3ecbcc252b890f306eb041ad0295cb1511343c307c12a658d.ps12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zejl2rxy.cmdline"3⤵
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8538.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8527.tmp"4⤵PID:580
-
-
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qzhndn6i.cmdline"3⤵
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8805.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8804.tmp"4⤵PID:1480
-
-
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1804
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:368