57d84d42d12c04652cf87f1b1255e0f6ada7674751200ba1d2298941deb5cd44

General

Target

49c17404c6314b837c9f3b49aba9bf7e.ps1
Size

144KB
MD5

49c17404c6314b837c9f3b49aba9bf7e
SHA1

dce337aa57cdf134e0c7a7101353777346e964e2
SHA256

57d84d42d12c04652cf87f1b1255e0f6ada7674751200ba1d2298941deb5cd44
SHA512

8018e8ad4f98cbea91218fd378c3f0a90ab172f6176a6d17016f2d23c1783250fa1467ee2f2023036dd8826816586d90f920f351929ca93d3e710feaf19cb268

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exePowerShell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	1172	mshta.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	1172	PowerShell.exe

Drops file in System32 directory 1 IoCs

Processes:

PowerShell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exePowerShell.exe

pid process

1100 powershell.exe
1216 powershell.exe
660 PowerShell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exePowerShell.exe

description pid process

Token: SeDebugPrivilege 1100 powershell.exe
Token: SeDebugPrivilege 1216 powershell.exe
Token: SeDebugPrivilege 660 PowerShell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1100	powershell.exe
1216	powershell.exe
660	PowerShell.exe

description	pid	process
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	660	PowerShell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process	target process
PID 1100 wrote to memory of 1216	1100	powershell.exe	powershell.exe
PID 1100 wrote to memory of 1216	1100	powershell.exe	powershell.exe
PID 1100 wrote to memory of 1216	1100	powershell.exe	powershell.exe
PID 1216 wrote to memory of 2004	1216	powershell.exe	WScript.exe
PID 1216 wrote to memory of 2004	1216	powershell.exe	WScript.exe
PID 1216 wrote to memory of 2004	1216	powershell.exe	WScript.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\49c17404c6314b837c9f3b49aba9bf7e.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\YNBKKUFELDSRHTLNWVKDUS\YNBKKUFELDSRHTLNWVKDUS.ps1'"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\YNBKKUFELDSRHTLNWVKDUS\YNBKKUFELDSRHTLNWVKDUS.vbs"
3⤵
PID:2004

C:\Windows\system32\mshta.exe
mshta.exe C:\ProgramData\YNBKKUFELDSRHTLNWVKDUS\YNBKKUFELDSRHTLNWVKDUS.hta
1⤵
- Process spawned unexpected child process
- Modifies Internet Explorer settings
PID:1432

C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\YNBKKUFELDSRHTLNWVKDUS\CDCELITETZDURXFLXDLWOS.ps1
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:660

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\YNBKKUFELDSRHTLNWVKDUS\CDCELITETZDURXFLXDLWOS.ps1
Filesize
140KB

MD5
8c477468d34508fb055130af5ff77490

SHA1
f2e3b8d26ef690aa2bb82f483731a6cf62798edc

SHA256
e931a8c19bdd628a3f041ffb97fee15d8effea525fa48843103e349a6f63182a

SHA512
06fd4463c3b893a03054c46dfea56d7909a3af8334a2fbfaad4e7ae1fe8f8455797c06d32eb273e58c0111795617cb414771034ca07bfd40401959c03206d51d

Download Submit
C:\ProgramData\YNBKKUFELDSRHTLNWVKDUS\YNBKKUFELDSRHTLNWVKDUS.hta
Filesize
1KB

MD5
413177dd4afafe33eb7c5952d43034c1

SHA1
0a10af7cc12eb204a11111efa7d56026e3626e19

SHA256
ac74a5caefedb5972ab36c73cb14ef26081c2b2252b9c345247544fdeb2e61cf

SHA512
3e8dfcbb0b21bbf619b827b5657f98a1270620ef6406fe6dbcd9c75eceeaadddd853e1e05711bc3e1108e3a765228141b591f3ab850a1f272fa0d29775638275

Download Submit
C:\ProgramData\YNBKKUFELDSRHTLNWVKDUS\YNBKKUFELDSRHTLNWVKDUS.ps1
Filesize
457B

MD5
5f55e2ba5f18fa00afceee9a423c4080

SHA1
a44178094ac1cc7c6487a833618e03b810e5ae8a

SHA256
00c9f8218e35dd8108257461b6b36e74dabb5054a9de7aca4bfbe0c380107a52

SHA512
c13dbd7e45848e1b9b2abdd5f84a38825f73cabf8cc1f6a3443bc923f102b9d2298d070daa27c3494d013ea9de88395f4caf4a691764d833a47e15efe0191601

Download Submit
C:\ProgramData\YNBKKUFELDSRHTLNWVKDUS\YNBKKUFELDSRHTLNWVKDUS.vbs
Filesize
241B

MD5
369b5c8fb7984dcf1b5161895f568db6

SHA1
709c93fcc43bd6dc37fa47ecc20ab7590a8e095c

SHA256
d1c8024152c41388b106dc3dc45911e69b3f7e555446285701922625d43e1575

SHA512
368db5a79283958c65041986d4a47eeb960c6689f724ad79540936acdcf511f1ca1ba3772fc71d442905a3bb97c226317643a397e37aa465a0840f58a4698e57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
8dcc2a424f2347fbc4cd92c6d992f065

SHA1
172b15bdd1450d5ff4b4bacac49ff4fd5becac08

SHA256
5df4083442b1b8dc8102242e46b7468c314fad5021c088b4b9cd0bca11190320

SHA512
e5ccfbd7251e64c06e035e877d4d2c6afa98161f27582f847bc90a5aa3f7156f945712ecf0f5d49b0c3d825405df752b8f2074e6bb7ce896bb931f8994668fed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9b3e3b1cbc7a65f63521d31c4554c292

SHA1
4a9ce006321236479d55a127f3791fde7196a92b

SHA256
90242ad92d218fcd6199e9f2feaff2226ffa7a01b59f6dae1920cfa72a551214

SHA512
0d626f4fb014d7f925a541dcc279f4cbb7a8e0bcbc9fa545beb166755e8edb903780962c89a57e3fe4e84e1afeb3591d5b7b3a4e600feaa029431a3266cd3257

Download Submit
memory/660-76-0x0000000002630000-0x0000000002632000-memory.dmp

Filesize
8KB

Download
memory/660-77-0x0000000002632000-0x0000000002634000-memory.dmp

Filesize
8KB

Download
memory/660-78-0x0000000002634000-0x0000000002637000-memory.dmp

Filesize
12KB

Download
memory/660-79-0x000000000263B000-0x000000000265A000-memory.dmp

Filesize
124KB

Download
memory/660-74-0x000007FEEDE20000-0x000007FEEE97D000-memory.dmp

Filesize
11.4MB

Download
memory/1100-59-0x00000000025EB000-0x000000000260A000-memory.dmp

Filesize
124KB

Download
memory/1100-54-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp

Filesize
8KB

Download
memory/1100-58-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/1100-56-0x00000000025E0000-0x00000000025E2000-memory.dmp

Filesize
8KB

Download
memory/1100-57-0x00000000025E2000-0x00000000025E4000-memory.dmp

Filesize
8KB

Download
memory/1100-55-0x000007FEF3420000-0x000007FEF3F7D000-memory.dmp

Filesize
11.4MB

Download
memory/1216-69-0x000000000257B000-0x000000000259A000-memory.dmp

Filesize
124KB

Download
memory/1216-68-0x0000000002574000-0x0000000002577000-memory.dmp

Filesize
12KB

Download
memory/1216-64-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/1216-63-0x000007FEF3420000-0x000007FEF3F7D000-memory.dmp

Filesize
11.4MB

Download
memory/1216-60-0x0000000000000000-mapping.dmp

Download
memory/2004-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads