32060ba18c4ed29f6a441b6193a2e6376bb43c752709558f046e9365b7275559

General

Target

ServerFAH.ps1
Size

134KB
MD5

327fee2e572cf6b3b337fded32308189
SHA1

8046a0f02d0673d3833b40bc5ac885b0a8891079
SHA256

32060ba18c4ed29f6a441b6193a2e6376bb43c752709558f046e9365b7275559
SHA512

be2e0938b929177621c7b9d324c2245ecef46e9b9b1b93204e1663edc2e9ee12f05e3e350362f7a6863d906bff2eb3e3b804a66d05a5c4cb4e87a7175b12bea8

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1632 1784 cmd.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1784	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1720 powershell.exe
1532 powershell.exe
1624 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1720 powershell.exe
Token: SeDebugPrivilege 1532 powershell.exe
Token: SeDebugPrivilege 1624 powershell.exe

pid	process
1720	powershell.exe
1532	powershell.exe
1624	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

powershell.exepowershell.execmd.execmd.exe

description	pid	process	target process
PID 1720 wrote to memory of 1532	1720	powershell.exe	powershell.exe
PID 1720 wrote to memory of 1532	1720	powershell.exe	powershell.exe
PID 1720 wrote to memory of 1532	1720	powershell.exe	powershell.exe
PID 1532 wrote to memory of 1004	1532	powershell.exe	WScript.exe
PID 1532 wrote to memory of 1004	1532	powershell.exe	WScript.exe
PID 1532 wrote to memory of 1004	1532	powershell.exe	WScript.exe
PID 1632 wrote to memory of 1388	1632	cmd.exe	cmd.exe
PID 1632 wrote to memory of 1388	1632	cmd.exe	cmd.exe
PID 1632 wrote to memory of 1388	1632	cmd.exe	cmd.exe
PID 1388 wrote to memory of 1624	1388	cmd.exe	powershell.exe
PID 1388 wrote to memory of 1624	1388	cmd.exe	powershell.exe
PID 1388 wrote to memory of 1624	1388	cmd.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ServerFAH.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\LZAVOBYIRFWZQZVCTGHPQB.ps1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\LZAVOBYIRFWZQZVCTGHPQB.vbs"
3⤵
PID:1004

C:\Windows\system32\cmd.exe
cmd /c C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\LZAVOBYIRFWZQZVCTGHPQB.bat
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\system32\cmd.exe
cMd.E"x"e /c =PoWerShelL"."eXe -noe -nop -nonI -WIndoWSTYLe Hidden -executionPolicy Bypass -file C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\WZQNBDSLVGAWPUXJRUVDYE.ps1
2⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PoWerShelL"."eXe -noe -nop -nonI -WIndoWSTYLe Hidden -executionPolicy Bypass -file C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\WZQNBDSLVGAWPUXJRUVDYE.ps1
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\LZAVOBYIRFWZQZVCTGHPQB.bat
MD5
1ca2d431085aeaf74a34fa288ee241ce

SHA1
c2eee8833239a4f314c788974cd918458213d2cd

SHA256
1b14dced54fee58bc9101ae0a0d99be3d8e5ec293937f25177acc12d1775d764

SHA512
74cb10e76aa479a3076b9e35841cb75aea03bdd7b7a521961be10a403441d6f22c6641f7f92d00a59fc77c12829f4fe216e7fcb1e6aa6d2e2ff26376f55515ec

Download Submit
C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\LZAVOBYIRFWZQZVCTGHPQB.ps1
MD5
abbd84fe458a51e5e93dc62ba2a33313

SHA1
df97c89da1a0eaac1485afb1210ffc034e458e65

SHA256
197d956d33beac34ac8a9b79c460508d28e9069977a27712150695ad2fa8eb22

SHA512
6acb1ba6d93aea7e6857f95a3ca7399050b384283f1c9fbf2bdd52e49d09e1aba8a44106621a07b5f01be55e3bf90e0d405a8485bfd396902e7dacba1da37af6

Download Submit
C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\LZAVOBYIRFWZQZVCTGHPQB.vbs
MD5
8fd7979dccc0170bfb3a586d28d572c8

SHA1
85873a74e36ec1f8e5c92a28492be96b7fc1afee

SHA256
0bcec1d4172f5edf9956023c08752b93be00eee1d1dd7ee027e70bab737bfedf

SHA512
c0e093348d0c15bdeed81bcec7ef66a080834edba3ab25d6405e68727d944ec0425b755d9f21a7d550b3ff17edb78e7ea9a2843df4f6c8d9d67a6a26ca713ec2

Download Submit
C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\WZQNBDSLVGAWPUXJRUVDYE.ps1
MD5
3fbbaee606b9fa5ed730aab0c6123ce0

SHA1
a38435566b572cd77b2b5521cf50d830518ba9cf

SHA256
2d89ba4be26780c15328677895a43b6b31791a25105892d562cacf7fc902299d

SHA512
9cb3c6aa7021c09ec5c54520066fea23195e87c5cac41b2eba7bd8a0f31edc23414ebe4bbe3524ebcc2e100c3aec179987e58e11587205d4242302fa92b33f2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
481d1f8664c82ed36560cea0bde3da7f

SHA1
296aa054a0c8b228b6a52d1c1b6b7f631c53bf7c

SHA256
84233812ca4eb5fe457179ad8e77f8bed62a2d3024e2a21183729f41ef652d4d

SHA512
f681ab27965a07dea398bb6bae1ce402d2ba987aa2397394ca627760d0b3794a4844b252d2814214574dae6409ed6c223764099f223447175be33156a94fbcf4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
fb88e4de024c9129c9420a70a1158772

SHA1
ff383038bc31d39b3a535e6299549798526915ea

SHA256
cdf51b78b77fce96d2f083df55522bf0542df241ba28a00f75940a57496f3979

SHA512
72ac787d48cdb6a47e78ce717dc19573460a3ae853915a1b34f37cd481ba6f2787b57b3ff9a2f5d1d02a39bc3f0b7fe7576d2efedf0142202abf6f30f2947e69

Download Submit
memory/1532-66-0x0000000002920000-0x0000000002922000-memory.dmp

Filesize
8KB

Download
memory/1532-65-0x000007FEF56DE000-0x000007FEF56DF000-memory.dmp

Filesize
4KB

Download
memory/1532-69-0x000000000292B000-0x000000000294A000-memory.dmp

Filesize
124KB

Download
memory/1532-63-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmp

Filesize
11.4MB

Download
memory/1532-67-0x0000000002922000-0x0000000002924000-memory.dmp

Filesize
8KB

Download
memory/1532-68-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/1624-74-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmp

Filesize
11.4MB

Download
memory/1624-76-0x00000000028C0000-0x00000000028C2000-memory.dmp

Filesize
8KB

Download
memory/1624-77-0x00000000028C2000-0x00000000028C4000-memory.dmp

Filesize
8KB

Download
memory/1624-78-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/1624-75-0x000007FEF56DE000-0x000007FEF56DF000-memory.dmp

Filesize
4KB

Download
memory/1624-80-0x00000000028CB000-0x00000000028EA000-memory.dmp

Filesize
124KB

Download
memory/1720-60-0x000000000259B000-0x00000000025BA000-memory.dmp

Filesize
124KB

Download
memory/1720-55-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmp

Filesize
11.4MB

Download
memory/1720-59-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/1720-58-0x0000000002592000-0x0000000002594000-memory.dmp

Filesize
8KB

Download
memory/1720-57-0x0000000002590000-0x0000000002592000-memory.dmp

Filesize
8KB

Download
memory/1720-54-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp

Filesize
8KB

Download
memory/1720-56-0x000007FEF56DE000-0x000007FEF56DF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads