Analysis
-
max time kernel
43s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
-
submitted
09-08-2022 20:36
General
-
Target
Server2.ps1
-
Size
612KB
-
MD5
6bc00b50a62e3f2160b9edf1cb1cce8e
-
SHA1
1381fac090dcc9a5635e3e0ae4c6693f726c4dd5
-
SHA256
4ca62a1c904c5a12aac80ea69f09c4ba439a0eb786d23d384f76f42c32f0063c
-
SHA512
571b564613e8c6f72a951cbcafa5e5caf9043cb7fffa97f474c80e2bb50f9db281cdd4608c0bcb1a64ce15723f82af78290e76fb9bd50eb36fce7126fe9d1479
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Registers COM server for autorun 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Modifies registry class 4 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Server2.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.ps1'"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.vbs"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.bat1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c ""C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f3⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.execMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\JQEIQFWPUTYRZYJCTCTPUB.ps1'"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\JQEIQFWPUTYRZYJCTCTPUB.ps1'"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.batFilesize
706B
MD56a90128893777a59d404d46d3e967104
SHA1e2b70c13764f2f61aa8503999670542237046bc4
SHA256b986b6412802dadf97cc3684372614c084a723c25ad5db606c59a7445914b319
SHA5125e8ed2c486b6e0832fb1516d27a63e531355c61155259438f5d2ab220e0545786a76f3633499d721b94d5857e2d0ce2c04b6ae8918bc316ed639b926fdfa794c
-
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.ps1Filesize
3KB
MD543864d67842266f76a91dc4aee7338c7
SHA1022259ecb6970f6790c329e36b94402ba815b5e0
SHA256c9aee12c943156b698c5f5413fb0a6bbca87d0dec227d972e59dc974ac39decf
SHA51232bb0b67d9ec8064b13a2db93940ed41ce8bc352364a0222dcef7fc6bef98b7c3a579f608fb3cb5d6b81db49a58b736600831f5c40651e058a635f7502d55980
-
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\EOHXBXCWKDDRNGPNFSIAOH.vbsFilesize
1KB
MD5d6a5f499f7164e0d61a5b8a0b4900fba
SHA1054352e97c7aa7cf0eb3b0cf2ded905fc22a70b9
SHA2565b5e07e5a147d23983fe0adb7fed1c95f76ffe9443bd1394d4a8248a80ad2e44
SHA5122129eb026a406fc52057f1efb9c81e1e8696971ff738093671e1c794c4cb77022bcb8b980c4fc7b1705451e9b86d2cdec87ad35b198d002035cf95dc904ebec2
-
C:\ProgramData\EOHXBXCWKDDRNGPNFSIAOH\JQEIQFWPUTYRZYJCTCTPUB.ps1Filesize
604KB
MD5ab1fce3ab2f6f211da8f8dc30c2b3060
SHA1ae0dff660b20f9209a66029d44b048a63cc80336
SHA2567cb280def1092d641ad3449dd05713c155788034c6e1649d423039c867b562ca
SHA512ed741014733c2bf70bb82e539324a3a8ebca5b56a427675c9ce7ffdbb28d4f113c2d20e6a083ba8580d891e2586190842d6cea1b7cfb5450af02a694b14b5b85
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD552d80c9bd46a8b21b4561d375bab7d36
SHA1d5e58f8fbac713bb35968875486e3db45d545428
SHA256e6805c061ea8eb57defa4ac9e71b678a753aa786bca3675d18e36e63e4086795
SHA512f48259b19e6d8f098c29bc1c6a77a91fe2e85ba4fb85ecb4eeb3aeee6c29b2485dce8e169271f251ed790f0fef4abace75ef40c1a53e9d380952c2df8ec3fd8c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD506bd5f5073eadd8d9d84baba0ba25749
SHA17aeee4235efca80ac72967f7b9bd4845ff8069d1
SHA256f92718626065fbbfd193b38b691ac2696a47978cb3b8a6474a11d7353c911258
SHA51256d9597573b9d4f8355d4e942fe8cb1dce4e64fe3d1a12593737318477a74c5583951882b58870e0d9ad09c9339511c248bdd7b223dedd6d708a0f4179e92a96
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD506bd5f5073eadd8d9d84baba0ba25749
SHA17aeee4235efca80ac72967f7b9bd4845ff8069d1
SHA256f92718626065fbbfd193b38b691ac2696a47978cb3b8a6474a11d7353c911258
SHA51256d9597573b9d4f8355d4e942fe8cb1dce4e64fe3d1a12593737318477a74c5583951882b58870e0d9ad09c9339511c248bdd7b223dedd6d708a0f4179e92a96
-
memory/916-82-0x0000000000000000-mapping.dmp
-
memory/1344-69-0x0000000000000000-mapping.dmp
-
memory/1548-76-0x000007FEF3700000-0x000007FEF4123000-memory.dmpFilesize
10.1MB
-
memory/1548-77-0x000007FEF2BA0000-0x000007FEF36FD000-memory.dmpFilesize
11.4MB
-
memory/1548-90-0x0000000002320000-0x00000000023A0000-memory.dmpFilesize
512KB
-
memory/1548-79-0x000000001B730000-0x000000001BA2F000-memory.dmpFilesize
3.0MB
-
memory/1548-78-0x0000000002320000-0x00000000023A0000-memory.dmpFilesize
512KB
-
memory/1584-66-0x000007FEF3540000-0x000007FEF409D000-memory.dmpFilesize
11.4MB
-
memory/1584-67-0x0000000002334000-0x0000000002337000-memory.dmpFilesize
12KB
-
memory/1584-62-0x0000000000000000-mapping.dmp
-
memory/1584-65-0x000007FEF40A0000-0x000007FEF4AC3000-memory.dmpFilesize
10.1MB
-
memory/1584-72-0x000000000233B000-0x000000000235A000-memory.dmpFilesize
124KB
-
memory/1584-71-0x0000000002334000-0x0000000002337000-memory.dmpFilesize
12KB
-
memory/1804-88-0x000007FEF3700000-0x000007FEF4123000-memory.dmpFilesize
10.1MB
-
memory/1804-89-0x000007FEF2BA0000-0x000007FEF36FD000-memory.dmpFilesize
11.4MB
-
memory/1804-96-0x00000000028DB000-0x00000000028FA000-memory.dmpFilesize
124KB
-
memory/1804-95-0x00000000028D4000-0x00000000028D7000-memory.dmpFilesize
12KB
-
memory/1804-94-0x00000000028DB000-0x00000000028FA000-memory.dmpFilesize
124KB
-
memory/1804-92-0x000000001B710000-0x000000001BA0F000-memory.dmpFilesize
3.0MB
-
memory/1804-85-0x0000000000000000-mapping.dmp
-
memory/1804-91-0x00000000028D4000-0x00000000028D7000-memory.dmpFilesize
12KB
-
memory/1836-83-0x0000000000000000-mapping.dmp
-
memory/1976-81-0x0000000000000000-mapping.dmp
-
memory/1996-84-0x0000000000000000-mapping.dmp
-
memory/2020-57-0x000000001B7F0000-0x000000001BAEF000-memory.dmpFilesize
3.0MB
-
memory/2020-60-0x00000000028E4000-0x00000000028E7000-memory.dmpFilesize
12KB
-
memory/2020-61-0x00000000028EB000-0x000000000290A000-memory.dmpFilesize
124KB
-
memory/2020-56-0x000007FEF3540000-0x000007FEF409D000-memory.dmpFilesize
11.4MB
-
memory/2020-58-0x00000000028E4000-0x00000000028E7000-memory.dmpFilesize
12KB
-
memory/2020-55-0x000007FEF40A0000-0x000007FEF4AC3000-memory.dmpFilesize
10.1MB
-
memory/2020-54-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmpFilesize
8KB
-
memory/2020-59-0x00000000028EB000-0x000000000290A000-memory.dmpFilesize
124KB
-
memory/2020-75-0x00000000028EB000-0x000000000290A000-memory.dmpFilesize
124KB