Analysis

- max time kernel: 4294180s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 13-04-2022 22:41

Static task: static1
Behavioral task: behavioral1
Sample: stuff.ps1
Resource: win7-20220311-en
General

- Target: stuff.ps1
- Size: 188KB
- MD5: 8254ae9b0d6365640abaf15d2d74a4ab
- SHA1: 072d72634d8ddfe16e8065822797d61e8f2cf6a1
- SHA256: 4c4940488f9f3281b8cf4e88d400d4b18285addc198021cbc7dc990b4ab10aa7
- SHA512: c84f06d269a0abfb5cff67a08b191468d7ba094830c994743e4f759eb6aba4d23de3f7290bd9cc2991ba01eca8c298734fe38397313f751456c111b72986f247
Malware Config
Signatures

- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description; pid; pid_target; process; target process):
  - Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; 1544; 668; powershell.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description; ioc; process):
  - File opened for modification; C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk; powershell.exe
  - File opened for modification; C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk; powershell.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid; process):
  - 1664; powershell.exe
  - 1816; powershell.exe
  - 1544; powershell.exe
  - 540; powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description; pid; process):
  - Token: SeDebugPrivilege; 1664; powershell.exe
  - Token: SeDebugPrivilege; 1816; powershell.exe
  - Token: SeDebugPrivilege; 1544; powershell.exe
  - Token: SeDebugPrivilege; 540; powershell.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description; pid; process; target process):
  - PID 1664 wrote to memory of 1816; 1664; powershell.exe; powershell.exe
  - PID 1664 wrote to memory of 1816; 1664; powershell.exe; powershell.exe
  - PID 1664 wrote to memory of 1816; 1664; powershell.exe; powershell.exe
  - PID 1816 wrote to memory of 412; 1816; powershell.exe; WScript.exe
  - PID 1816 wrote to memory of 412; 1816; powershell.exe; WScript.exe
  - PID 1816 wrote to memory of 412; 1816; powershell.exe; WScript.exe
  - PID 1544 wrote to memory of 1016; 1544; powershell.exe; cmd.exe
  - PID 1544 wrote to memory of 1016; 1544; powershell.exe; cmd.exe
  - PID 1544 wrote to memory of 1016; 1544; powershell.exe; cmd.exe
  - PID 1016 wrote to memory of 540; 1016; cmd.exe; powershell.exe
  - PID 1016 wrote to memory of 540; 1016; cmd.exe; powershell.exe
  - PID 1016 wrote to memory of 540; 1016; cmd.exe; powershell.exe
Processes

- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 1)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\stuff.ps1
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\BQIZGZEFZTIRALVAQROZSD.ps1'"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WScript.exe (depth 3)
      Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\BQIZGZEFZTIRALVAQROZSD.vbs"
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 1)
  Command line: powershell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\BQIZGZEFZTIRALVAQROZSD.bat
  Signatures:
  - Process spawned unexpected child process
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: cmd /c ""C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\BQIZGZEFZTIRALVAQROZSD.bat""
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\JUJJXIPRQGPIGEPKBEEFQE.ps1'"
      Signatures:
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\BQIZGZEFZTIRALVAQROZSD.bat
  Filesize: 127B
  MD5: 3a3621f698bddacf4a483b7937a526aa
  SHA1: 252877137fec36ff0aec26ae03fbe721cc2dd746
  SHA256: 2cebcb117d63f7a5501bdef860e12b2bb5a519f500ea2809e58a252fdd093d8e
  SHA512: 6981efe08adfda669f4eb18846561587cfb951a09528b2c25c4ac4eed9ccf986a80068aae1fa37b41fdc41b7a20c01f58492c552938bfe602a88e9d3dc317421
- C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\BQIZGZEFZTIRALVAQROZSD.ps1
  Filesize: 457B
  MD5: 04b8f8f8e92a78201fb9b5e64521205e
  SHA1: 31d89938dd38d6a0eb9c02ef2b1f39efa59cd01e
  SHA256: 15efeea6f8bd53fc9200d1cff9aa3d46a3acc62d99abca63664f5111fd380b71
  SHA512: adbbb64db4d9dd43b146881882f60a6f105871876b617d8670cfd4eb127e47bed410d9bd1f37f61be8bbf63db26b9d1f1c32cd0ef3e4e22af4e4e62698e30a87
- C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\BQIZGZEFZTIRALVAQROZSD.vbs
  Filesize: 1KB
  MD5: 6a2f7bf0fd50b778ccef1ae8f9e1d2aa
  SHA1: 6529b18bb3b9874f946f0e837b95dbe994dc4876
  SHA256: 0ebf7ec6a3e0c7d9fa00a53e7be74b9c9a4e122693bdceb57ded95825a3a945f
  SHA512: d07779490f9a84d91d0f88abc65ea71e2f649295e0d4c0d83c863a3c32382b06e516dd6dbdc9262b6ea578cd3bc4ee0baf1bcbd93907613165e3283f8ca5e62c
- C:\ProgramData\BQIZGZEFZTIRALVAQROZSD\JUJJXIPRQGPIGEPKBEEFQE.ps1
  Filesize: 184KB
  MD5: b8425da2ff46f9b440037fb8edc93845
  SHA1: 59538af9cdfbb3ad1cc471113a9253d13b1bde8b
  SHA256: f90c7331f3cec4cca6c7175c204cdf8d6465261d3736c2130852eff8ca60d86f
  SHA512: be6bcd0ba44f953eb71682856cd73bd3cb7582619280252794db31f9830927854ea3d1516976925567cd99e3b727d0828b0a5c918a91ec925699f28271357674
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 0ee6e107ac3860189d7f67b71b15e6e8
  SHA1: 9efd0158bb4da7d1f8ff5175226a2080d381ff79
  SHA256: 3b9c7a7d90cff1088595f137cdf65b9a6e4bc262416fce561edcb81e1fb50914
  SHA512: 3a8cb81dc4c014230bee41ac8227fbf8993da9a683e1a8b691b77c71ffc980e119cdb270847a2151ac3cc111cbf05adbab0d1a30fa18f598d9fb21dd0383d85b
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: abb10e69530f521b30eed0892e4a8b64
  SHA1: 8eb93a7fa2e4b4d8136254f9edbefc4f8b9d8a9c
  SHA256: 954ca31f178a2db66898f8f423db5221952c9807bf74a34ad9093cc0e4aaadf6
  SHA512: 1d69b8d9aa86ea745e5c2a04b8e59b56ff47d5bac89c36ac1370e3312cdd941b0d947a07a9e6fb1c28586a862f52c2d46f49123e3a98c9e2940245ce62365804
- memory/412-70-0x0000000000000000-mapping.dmp
- memory/540-88-0x0000000002210000-0x0000000002290000-memory.dmp (Filesize: 512KB)
- memory/540-89-0x0000000002210000-0x0000000002290000-memory.dmp (Filesize: 512KB)
- memory/540-86-0x0000000002210000-0x0000000002290000-memory.dmp (Filesize: 512KB)
- memory/540-87-0x0000000002210000-0x0000000002290000-memory.dmp (Filesize: 512KB)
- memory/540-84-0x000007FEF23D0000-0x000007FEF2F2D000-memory.dmp (Filesize: 11.4MB)
- memory/540-81-0x0000000000000000-mapping.dmp
- memory/1016-80-0x0000000000000000-mapping.dmp
- memory/1544-75-0x00000000024B0000-0x00000000024B2000-memory.dmp (Filesize: 8KB)
- memory/1544-77-0x00000000024B4000-0x00000000024B7000-memory.dmp (Filesize: 12KB)
- memory/1544-85-0x00000000024BB000-0x00000000024DA000-memory.dmp (Filesize: 124KB)
- memory/1544-74-0x000007FEF23D0000-0x000007FEF2F2D000-memory.dmp (Filesize: 11.4MB)
- memory/1544-76-0x00000000024B2000-0x00000000024B4000-memory.dmp (Filesize: 8KB)
- memory/1544-78-0x000000001B760000-0x000000001BA5F000-memory.dmp (Filesize: 3.0MB)
- memory/1664-60-0x00000000026DB000-0x00000000026FA000-memory.dmp (Filesize: 124KB)
- memory/1664-58-0x00000000026D4000-0x00000000026D7000-memory.dmp (Filesize: 12KB)
- memory/1664-56-0x00000000026D0000-0x00000000026D2000-memory.dmp (Filesize: 8KB)
- memory/1664-59-0x000000001B790000-0x000000001BA8F000-memory.dmp (Filesize: 3.0MB)
- memory/1664-57-0x00000000026D2000-0x00000000026D4000-memory.dmp (Filesize: 8KB)
- memory/1664-54-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp (Filesize: 8KB)
- memory/1664-55-0x000007FEF2D70000-0x000007FEF38CD000-memory.dmp (Filesize: 11.4MB)
- memory/1816-69-0x000000000287B000-0x000000000289A000-memory.dmp (Filesize: 124KB)
- memory/1816-68-0x0000000002874000-0x0000000002877000-memory.dmp (Filesize: 12KB)
- memory/1816-65-0x0000000002870000-0x0000000002872000-memory.dmp (Filesize: 8KB)
- memory/1816-66-0x0000000002872000-0x0000000002874000-memory.dmp (Filesize: 8KB)
- memory/1816-64-0x000007FEF2D70000-0x000007FEF38CD000-memory.dmp (Filesize: 11.4MB)
- memory/1816-61-0x0000000000000000-mapping.dmp