Analysis

  • max time kernel
    4294180s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    13-04-2022 22:41

General

  • Target

    stuff.ps1

  • Size

    188KB

  • MD5

    8254ae9b0d6365640abaf15d2d74a4ab

  • SHA1

    072d72634d8ddfe16e8065822797d61e8f2cf6a1

  • SHA256

    4c4940488f9f3281b8cf4e88d400d4b18285addc198021cbc7dc990b4ab10aa7

  • SHA512

    c84f06d269a0abfb5cff67a08b191468d7ba094830c994743e4f759eb6aba4d23de3f7290bd9cc2991ba01eca8c298734fe38397313f751456c111b72986f247

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\stuff.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\BQIZGZEFZTIRALVAQROZSD.ps1'"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1816
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\BQIZGZEFZTIRALVAQROZSD.vbs"
        3⤵
          PID:412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\BQIZGZEFZTIRALVAQROZSD.bat
      1⤵
      • Process spawned unexpected child process
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\BQIZGZEFZTIRALVAQROZSD.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1016
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\JUJJXIPRQGPIGEPKBEEFQE.ps1'"
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:540

Network

MITRE ATT&CK Matrix
Downloads

    • C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\BQIZGZEFZTIRALVAQROZSD.bat
      Filesize

      127B

      MD5

      3a3621f698bddacf4a483b7937a526aa

      SHA1

      252877137fec36ff0aec26ae03fbe721cc2dd746

      SHA256

      2cebcb117d63f7a5501bdef860e12b2bb5a519f500ea2809e58a252fdd093d8e

      SHA512

      6981efe08adfda669f4eb18846561587cfb951a09528b2c25c4ac4eed9ccf986a80068aae1fa37b41fdc41b7a20c01f58492c552938bfe602a88e9d3dc317421

    • C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\BQIZGZEFZTIRALVAQROZSD.ps1
      Filesize

      457B

      MD5

      04b8f8f8e92a78201fb9b5e64521205e

      SHA1

      31d89938dd38d6a0eb9c02ef2b1f39efa59cd01e

      SHA256

      15efeea6f8bd53fc9200d1cff9aa3d46a3acc62d99abca63664f5111fd380b71

      SHA512

      adbbb64db4d9dd43b146881882f60a6f105871876b617d8670cfd4eb127e47bed410d9bd1f37f61be8bbf63db26b9d1f1c32cd0ef3e4e22af4e4e62698e30a87

    • C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\BQIZGZEFZTIRALVAQROZSD.vbs
      Filesize

      1KB

      MD5

      6a2f7bf0fd50b778ccef1ae8f9e1d2aa

      SHA1

      6529b18bb3b9874f946f0e837b95dbe994dc4876

      SHA256

      0ebf7ec6a3e0c7d9fa00a53e7be74b9c9a4e122693bdceb57ded95825a3a945f

      SHA512

      d07779490f9a84d91d0f88abc65ea71e2f649295e0d4c0d83c863a3c32382b06e516dd6dbdc9262b6ea578cd3bc4ee0baf1bcbd93907613165e3283f8ca5e62c

    • C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\JUJJXIPRQGPIGEPKBEEFQE.ps1
      Filesize

      184KB

      MD5

      b8425da2ff46f9b440037fb8edc93845

      SHA1

      59538af9cdfbb3ad1cc471113a9253d13b1bde8b

      SHA256

      f90c7331f3cec4cca6c7175c204cdf8d6465261d3736c2130852eff8ca60d86f

      SHA512

      be6bcd0ba44f953eb71682856cd73bd3cb7582619280252794db31f9830927854ea3d1516976925567cd99e3b727d0828b0a5c918a91ec925699f28271357674

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      0ee6e107ac3860189d7f67b71b15e6e8

      SHA1

      9efd0158bb4da7d1f8ff5175226a2080d381ff79

      SHA256

      3b9c7a7d90cff1088595f137cdf65b9a6e4bc262416fce561edcb81e1fb50914

      SHA512

      3a8cb81dc4c014230bee41ac8227fbf8993da9a683e1a8b691b77c71ffc980e119cdb270847a2151ac3cc111cbf05adbab0d1a30fa18f598d9fb21dd0383d85b

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      abb10e69530f521b30eed0892e4a8b64

      SHA1

      8eb93a7fa2e4b4d8136254f9edbefc4f8b9d8a9c

      SHA256

      954ca31f178a2db66898f8f423db5221952c9807bf74a34ad9093cc0e4aaadf6

      SHA512

      1d69b8d9aa86ea745e5c2a04b8e59b56ff47d5bac89c36ac1370e3312cdd941b0d947a07a9e6fb1c28586a862f52c2d46f49123e3a98c9e2940245ce62365804

    • memory/412-70-0x0000000000000000-mapping.dmp
    • memory/540-88-0x0000000002210000-0x0000000002290000-memory.dmp
      Filesize

      512KB

    • memory/540-89-0x0000000002210000-0x0000000002290000-memory.dmp
      Filesize

      512KB

    • memory/540-86-0x0000000002210000-0x0000000002290000-memory.dmp
      Filesize

      512KB

    • memory/540-87-0x0000000002210000-0x0000000002290000-memory.dmp
      Filesize

      512KB

    • memory/540-84-0x000007FEF23D0000-0x000007FEF2F2D000-memory.dmp
      Filesize

      11.4MB

    • memory/540-81-0x0000000000000000-mapping.dmp
    • memory/1016-80-0x0000000000000000-mapping.dmp
    • memory/1544-75-0x00000000024B0000-0x00000000024B2000-memory.dmp
      Filesize

      8KB

    • memory/1544-77-0x00000000024B4000-0x00000000024B7000-memory.dmp
      Filesize

      12KB

    • memory/1544-85-0x00000000024BB000-0x00000000024DA000-memory.dmp
      Filesize

      124KB

    • memory/1544-74-0x000007FEF23D0000-0x000007FEF2F2D000-memory.dmp
      Filesize

      11.4MB

    • memory/1544-76-0x00000000024B2000-0x00000000024B4000-memory.dmp
      Filesize

      8KB

    • memory/1544-78-0x000000001B760000-0x000000001BA5F000-memory.dmp
      Filesize

      3.0MB

    • memory/1664-60-0x00000000026DB000-0x00000000026FA000-memory.dmp
      Filesize

      124KB

    • memory/1664-58-0x00000000026D4000-0x00000000026D7000-memory.dmp
      Filesize

      12KB

    • memory/1664-56-0x00000000026D0000-0x00000000026D2000-memory.dmp
      Filesize

      8KB

    • memory/1664-59-0x000000001B790000-0x000000001BA8F000-memory.dmp
      Filesize

      3.0MB

    • memory/1664-57-0x00000000026D2000-0x00000000026D4000-memory.dmp
      Filesize

      8KB

    • memory/1664-54-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp
      Filesize

      8KB

    • memory/1664-55-0x000007FEF2D70000-0x000007FEF38CD000-memory.dmp
      Filesize

      11.4MB

    • memory/1816-69-0x000000000287B000-0x000000000289A000-memory.dmp
      Filesize

      124KB

    • memory/1816-68-0x0000000002874000-0x0000000002877000-memory.dmp
      Filesize

      12KB

    • memory/1816-65-0x0000000002870000-0x0000000002872000-memory.dmp
      Filesize

      8KB

    • memory/1816-66-0x0000000002872000-0x0000000002874000-memory.dmp
      Filesize

      8KB

    • memory/1816-64-0x000007FEF2D70000-0x000007FEF38CD000-memory.dmp
      Filesize

      11.4MB

    • memory/1816-61-0x0000000000000000-mapping.dmp