Analysis
-
max time kernel
39s -
max time network
43s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
-
submitted
09-08-2022 20:31
General
-
Target
Server.ps1
-
Size
612KB
-
MD5
97c12ecc7e95b2e262e91bf5aa591887
-
SHA1
007fcf42f768b48d568716f8fd816ed632fda354
-
SHA256
a4431f4c7fdfe445129cce301c59e05d5cc4b1b33aad3341d18308c46efb1024
-
SHA512
8329cb6798514fb010bcb20934b87fc7cda9b5342749a1de7b9be4d894db4ecba46e600847e7c4dadb9d1a61a1ee501da177b06b39533dbfe7d6671181bae5b0
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Registers COM server for autorun 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Modifies registry class 4 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Server.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.ps1'"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.vbs"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.bat1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c ""C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f3⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.execMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1'"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1'"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\EKJFLROHTOEAZBDFUOCZXX.ps1Filesize
604KB
MD5ab1fce3ab2f6f211da8f8dc30c2b3060
SHA1ae0dff660b20f9209a66029d44b048a63cc80336
SHA2567cb280def1092d641ad3449dd05713c155788034c6e1649d423039c867b562ca
SHA512ed741014733c2bf70bb82e539324a3a8ebca5b56a427675c9ce7ffdbb28d4f113c2d20e6a083ba8580d891e2586190842d6cea1b7cfb5450af02a694b14b5b85
-
C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.batFilesize
706B
MD51a7a326391b638c03d76369946fc0052
SHA17ae0ffd77ec76b94d735265efad35ddd072cdf36
SHA2560223739ebea16b1f70bf88f3eb43afd01c315c1e7142a72bf8931bb6be9ea09f
SHA512449ce3c15d2d36e42c00c9f9b1df759aa830de931532ee17d16ff6b50a8fe3d180ae474e2e8aca66e9af47df434293f3d96367dedaa91ad1ce60383fe23f9495
-
C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.ps1Filesize
3KB
MD589879c7e1b80b9171b57ec7290c50cf8
SHA14d2761deb7c46b99f5c8ebc4329f0ccd5b3aace3
SHA256dc8f58abd89fed28b00f23da6657188e40dde2da65c254c12a38c4ed1984c6b2
SHA512d8f579f01ddba32beb1cc578fd798b6e8790073261fdd71c4b5b0a277766a68833ca5834b006e9e9c3582f2476fa77b8019e98f744dafdf56f9e0239afe1dd3b
-
C:\ProgramData\QKACGFYHYHFGPQVDAPBHQB\QKACGFYHYHFGPQVDAPBHQB.vbsFilesize
1KB
MD577d9ab54d90a588d38b4a402d7cf25bb
SHA1f72cf4ad3106815b8f3dc9ab804ae285b6bad1e6
SHA25625f09c56e34e4a61e8e57e453c2a3ed05ff33b6e10f1d78af94301ddf312a9f4
SHA512c2054a0e6df593a318fd310b82ed43cb8cf8f89b58bd784acd3ec5ca2a7b039f7fc2848a7641cc43215c0656ea71d3a09ed800d0164c293e5b54bbd27ffe21e6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5d0c3c04acd5804f27c18d6e69618c328
SHA1d8fab8957a0848b38311177f6e534c76216e6905
SHA2569ad645d8d43c8c7905f025ac0c2222c7f370d12329afa4661232861dbfc8f5bd
SHA512aa98c06f6ad156fc0f0cc4632d9bb87daa06e7824b7bc2ae57866e122332217697b94804c0aff841ed8c180e6aee783941e0fa31395dc537517555eed7664738
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD52d58b1cb71e104414c764def5171ff46
SHA1f76c6aa6c0f1919e0d9bffc1c18405d33ee19e0e
SHA256ec644fb25a5742c09a8179b12494e15b6af11d45df4bd55b078526f6b3e8b539
SHA5127210a00def441d61fa445a3f8bf6dfcc24e69d528058a085c47babc5b402032104533b1e05d98810e10c37f433db9c6d803785fdd4a9f6468ce4dfdc0c8e9249
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5d0c3c04acd5804f27c18d6e69618c328
SHA1d8fab8957a0848b38311177f6e534c76216e6905
SHA2569ad645d8d43c8c7905f025ac0c2222c7f370d12329afa4661232861dbfc8f5bd
SHA512aa98c06f6ad156fc0f0cc4632d9bb87daa06e7824b7bc2ae57866e122332217697b94804c0aff841ed8c180e6aee783941e0fa31395dc537517555eed7664738
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/592-84-0x0000000000000000-mapping.dmp
-
memory/768-96-0x000000000283B000-0x000000000285A000-memory.dmpFilesize
124KB
-
memory/768-95-0x0000000002834000-0x0000000002837000-memory.dmpFilesize
12KB
-
memory/768-94-0x000000000283B000-0x000000000285A000-memory.dmpFilesize
124KB
-
memory/768-92-0x0000000002834000-0x0000000002837000-memory.dmpFilesize
12KB
-
memory/768-91-0x000007FEF3440000-0x000007FEF3F9D000-memory.dmpFilesize
11.4MB
-
memory/768-90-0x000007FEF3FA0000-0x000007FEF49C3000-memory.dmpFilesize
10.1MB
-
memory/768-85-0x0000000000000000-mapping.dmp
-
memory/960-83-0x0000000000000000-mapping.dmp
-
memory/976-81-0x0000000000000000-mapping.dmp
-
memory/1484-82-0x0000000000000000-mapping.dmp
-
memory/1728-70-0x0000000000000000-mapping.dmp
-
memory/1736-57-0x00000000025D4000-0x00000000025D7000-memory.dmpFilesize
12KB
-
memory/1736-56-0x000007FEF3DE0000-0x000007FEF493D000-memory.dmpFilesize
11.4MB
-
memory/1736-61-0x00000000025DB000-0x00000000025FA000-memory.dmpFilesize
124KB
-
memory/1736-55-0x000007FEF4940000-0x000007FEF5363000-memory.dmpFilesize
10.1MB
-
memory/1736-60-0x00000000025D4000-0x00000000025D7000-memory.dmpFilesize
12KB
-
memory/1736-58-0x000000001B830000-0x000000001BB2F000-memory.dmpFilesize
3.0MB
-
memory/1736-74-0x00000000025DB000-0x00000000025FA000-memory.dmpFilesize
124KB
-
memory/1736-54-0x000007FEFC301000-0x000007FEFC303000-memory.dmpFilesize
8KB
-
memory/1736-59-0x00000000025DB000-0x00000000025FA000-memory.dmpFilesize
124KB
-
memory/1776-65-0x000007FEF4940000-0x000007FEF5363000-memory.dmpFilesize
10.1MB
-
memory/1776-73-0x0000000001F4B000-0x0000000001F6A000-memory.dmpFilesize
124KB
-
memory/1776-62-0x0000000000000000-mapping.dmp
-
memory/1776-68-0x000000001B850000-0x000000001BB4F000-memory.dmpFilesize
3.0MB
-
memory/1776-67-0x0000000001F44000-0x0000000001F47000-memory.dmpFilesize
12KB
-
memory/1776-66-0x000007FEF3DE0000-0x000007FEF493D000-memory.dmpFilesize
11.4MB
-
memory/1776-72-0x0000000001F44000-0x0000000001F47000-memory.dmpFilesize
12KB
-
memory/1996-77-0x000007FEF3FA0000-0x000007FEF49C3000-memory.dmpFilesize
10.1MB
-
memory/1996-87-0x000000000284B000-0x000000000286A000-memory.dmpFilesize
124KB
-
memory/1996-79-0x000007FEF3440000-0x000007FEF3F9D000-memory.dmpFilesize
11.4MB
-
memory/1996-78-0x0000000002844000-0x0000000002847000-memory.dmpFilesize
12KB
-
memory/1996-97-0x0000000002844000-0x0000000002847000-memory.dmpFilesize
12KB
-
memory/1996-98-0x000000000284B000-0x000000000286A000-memory.dmpFilesize
124KB