Overview

overview

10

Static

static

d6c4ade36b...c7.ps1

windows7_x64

10

d6c4ade36b...c7.ps1

windows10-2004_x64

10

Analysis

  • max time kernel
    4294178s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20220310-en
  • submitted
    01-04-2022 01:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d6c4ade36b68cf81608e4d020753dac7.ps1

  • Size

    144KB

  • MD5

    d6c4ade36b68cf81608e4d020753dac7

  • SHA1

    5f75f581c64a6e47183b1e6907af080b74f3de01

  • SHA256

    aaa058a702aa5685df10d86f8af119ce93442a885496104b35719b103c81a52b

  • SHA512

    19369bba499912144de311602d6952486146862e2433b51905de529455718d52bebc1bd0a72c08e691caf6cec347184da934be2094040a2d86bc1cbe13fee643

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Drops file in System32 directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\d6c4ade36b68cf81608e4d020753dac7.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:608
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\IICOZODNLSRPOHUBAJWZFK\IICOZODNLSRPOHUBAJWZFK.ps1'"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\IICOZODNLSRPOHUBAJWZFK\IICOZODNLSRPOHUBAJWZFK.vbs"
        3⤵
          PID:1852
    • C:\Windows\system32\mshta.exe
      mshta.exe C:\ProgramData\IICOZODNLSRPOHUBAJWZFK\IICOZODNLSRPOHUBAJWZFK.hta
      1⤵
      • Process spawned unexpected child process
      • Modifies Internet Explorer settings
      PID:1544
    • C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
      PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\IICOZODNLSRPOHUBAJWZFK\YHZYJGKGYAFXQEZFSRCPPY.ps1
      1⤵
      • Process spawned unexpected child process
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:924

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\IICOZODNLSRPOHUBAJWZFK\IICOZODNLSRPOHUBAJWZFK.hta
      Filesize

      1KB

      MD5

      0d8a343d40a1b39911f99a4a90945f15

      SHA1

      14e929c8802ceead8f99f021cae794898cdc7b63

      SHA256

      307a105c994653aa1105f9d24361ca639b6810cf0d16619a76bbc00a7068a1ea

      SHA512

      91540228f349862be9691b0494e5d5165739673059deab2489f3c70f55dd6a480e03168e54f417f61b714965f732c041fac8d4ec9b1b73d829287c910aa08016

      Download Submit

    • C:\ProgramData\IICOZODNLSRPOHUBAJWZFK\IICOZODNLSRPOHUBAJWZFK.ps1
      Filesize

      457B

      MD5

      f5b5dde5380cf041a4a9dd22e7000ec0

      SHA1

      64fb2e552fbf90fb611a175a3394d17c8666a181

      SHA256

      6ab8b8f9182d071179154757bcc71e8549a51bca67162355acaf4e9689946030

      SHA512

      deb685124b3c869e9553c9584e7d38fdad4cc191d43ae531fecc29e736be69571c03e4f021926dad923bc0cdf8aa49a12fcd94b0a1ee1cc42550d47d4af57e6b

      Download Submit

    • C:\ProgramData\IICOZODNLSRPOHUBAJWZFK\IICOZODNLSRPOHUBAJWZFK.vbs
      Filesize

      241B

      MD5

      56095721c87afb22ad91288a8ab5bb3e

      SHA1

      fdacb1a38b8e7f9a8e0fd6c138fc145315647511

      SHA256

      494c29aba65b0904efabc329e621fd45218bc43dc48dac0d21f88526c4b64fb3

      SHA512

      fda47210abe11874ba52e50263e5f232c38b011d08b4fb2a5062c8c85dbe8d94083ebd288caf032dbca2655417b930b5f92a1bec929e46ea1cdbd7498900d601

      Download Submit

    • C:\ProgramData\IICOZODNLSRPOHUBAJWZFK\YHZYJGKGYAFXQEZFSRCPPY.ps1
      Filesize

      140KB

      MD5

      0c6860815643fd936f04c6c78c7fbfe1

      SHA1

      f2b20c69f67f32c2731e7f7611bc329db9d3cbd9

      SHA256

      37a94b72cec528ffaa6fb82559ba2dc0b82bc1270edc85e7cee98d16f6b9c242

      SHA512

      0dd9b63a92479b55f4e4b324bc10f26d684ae95420d151a958196257c2c36926bc5592cc042cb1207a3991fd75bd2248b6ce54436dbea31a261aebe39db036a6

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      89f98e0155306a1ee033f73b6a69ade2

      SHA1

      d1e9ffdce315d069b4a1ec85887a12fd68c7bad8

      SHA256

      48703db2af7847d7b2cc8c1de16ef2a0785b630d67f84830430b815c07df6940

      SHA512

      ac8e7f0f0f345d9e49f64a55a4945857044e6ef6addc0b75539947736eb96ea9fa2630d13d3ffec5b153a757511a1605fbabf99a9d04697ec0a1a878e540e306

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      90511527bb456e6cbf9b360129eb80e4

      SHA1

      63681a4465202808d13eea72ceed4903a02be328

      SHA256

      7d607578ec284adf0f3eb4c01b96b56db3c1202c13eeab1a9d7fc7047fc01ef8

      SHA512

      2dab7da60c300b3fa5ab4c028649e91b41535dc9e0eee20d208fecb487bb4a5af4c7fd1b82a53e637b37aa9cec9c344014c992bf292ef008f4dbc1f081f863b2

      Download Submit

    • memory/608-60-0x000000000282B000-0x000000000284A000-memory.dmp

      Filesize

      124KB

      Download

    • memory/608-57-0x0000000002822000-0x0000000002824000-memory.dmp

      Filesize

      8KB

      Download

    • memory/608-54-0x000007FEFB851000-0x000007FEFB853000-memory.dmp

      Filesize

      8KB

      Download

    • memory/608-56-0x0000000002820000-0x0000000002822000-memory.dmp

      Filesize

      8KB

      Download

    • memory/608-59-0x000000001B720000-0x000000001BA1F000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/608-55-0x000007FEF2A20000-0x000007FEF357D000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/608-58-0x0000000002824000-0x0000000002827000-memory.dmp

      Filesize

      12KB

      Download

    • memory/924-80-0x00000000028FB000-0x000000000291A000-memory.dmp

      Filesize

      124KB

      Download

    • memory/924-77-0x00000000028F2000-0x00000000028F4000-memory.dmp

      Filesize

      8KB

      Download

    • memory/924-78-0x00000000028F4000-0x00000000028F7000-memory.dmp

      Filesize

      12KB

      Download

    • memory/924-76-0x00000000028F0000-0x00000000028F2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/924-75-0x000007FEEDAF0000-0x000007FEEE64D000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/1660-67-0x0000000002634000-0x0000000002637000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1660-70-0x000000000263B000-0x000000000265A000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1660-66-0x0000000002632000-0x0000000002634000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1660-61-0x0000000000000000-mapping.dmp

      Download

    • memory/1660-65-0x0000000002630000-0x0000000002632000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1660-64-0x000007FEF2A20000-0x000007FEF357D000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/1852-69-0x0000000000000000-mapping.dmp

      Download