Analysis
-
max time kernel
44s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
30-09-2022 23:35
General
-
Target
file01.ps1
-
Size
541KB
-
MD5
8b1e1389854e7efed04472288a9445d8
-
SHA1
9cb77f0e0e7c1276d684e88c384155ee9504fe1a
-
SHA256
21d2842bf7e9b12dec350a2fdb9a8185c3ec1e07d27d631e2ed5909065c22551
-
SHA512
2edc673d0df9933ce2f13f24e435edb743de5b334b5abbdfaa9ad3f63170643804c6ac945d5a98d4422ccbcd1abd039202cc94b3468c4f2919f0cda85061a926
-
SSDEEP
12288:vXi4xmh3fnwCiEgzChnmYyUX3EjZrk2SvvGrdKNOQCqe6d7:vXa7
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Registers COM server for autorun 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Modifies registry class 4 IoCs
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file01.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1'"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c ""C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f3⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.execMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1Filesize
531KB
MD5da701326299f1b03fdedec3275a8a1cb
SHA1668822c65bfbe6b20ea53ff2e0a1bc27b13e16c4
SHA256afd512f0bf829f866e0db57b89d52ece8c2e10944d8f5c314c9163857a02deee
SHA512107812fa6fd40449733aa2d94c196f7c736afcfdfdd212014f2ece7747c4596a4083c4f6b5176dae0eb3462d0c70ef939d7fae4420fe1d95dc9eca1105e2ac9f
-
C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.batFilesize
706B
MD55f47e284245ee4f81f03eb432c946a88
SHA10a95478eafa3e994bf3e6e166b4a43ba9d63fe2e
SHA256a749e67a7b277f33e03aa41b2dc19d09e7bebdb45ebe2c686ed410ed80980090
SHA512f41c1717f966513dfdea116d171fcbb964b3ddff37df8466e73c887fbbd8521832a111e63ef2b00a95b6dba8e293ca6b196f16018a88f4534e751832092ead2b
-
C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1Filesize
3KB
MD567a502ba0f7e94457ee7a901066e176c
SHA109b7a7edafcb084398270e46689853dc1bb56fd9
SHA256127cb052f9cc719b08bc165b04f4a54c6c616981370f21025b39139c9b8abd87
SHA5125810cc4c466d1e16dedb5ef02fd416e343e3772442b0e06b8e2b8fbdd696f06374b14a2776f4e39b9071884457d49892d71db141377b8b53257fa4ccf29d2c4c
-
C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbsFilesize
2KB
MD550868a55a1f3c71fec65535055a9ce84
SHA1485524c1b3cd4bda27cede63bb11d120b2b0d134
SHA256966b292093b03191aa3855a053f2f6150f2e9a84d507438e08260992a921f579
SHA5125f3491b4135339a5e63b85e2a47a69c31be44fc9a2eb281153f40ce9ce400e59bce70dcee7b4ef2473e2cb11589b21905cecfad919107d2fa76dc73605326feb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5dd7d00c5c3e9e410097a9188d9b4042f
SHA100eff68353990d3968ef78dd5edb8bbaea52c457
SHA2562469cf7c98b80dad93dfde03ad576c49f04b614d06df898164bd4bc2b65e280e
SHA5124388d6cea90c4b8af1ea0ec2ab758cc2acf6663e6321d9a23a74b1d221d0cacda1d46ebd409a0c7143aacd5172f2d5fda81203d79d130089a428f722dbc3f591
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD57975453ab9a269d5691071a12db5af84
SHA115278bbcad8c22ecf2d9320fbf71ff89a9cf3c76
SHA256a5bbeb88f557df49554d50a7132ccf22984bde30591f7026d8b948748812095d
SHA51279239617ed2a3dd7c3d30e3a5f9a3e64b69b8e0ab394dc6dde0250e0fca37f1bb99025f903d20851e0da24f1a9e88ebc2e47625eb55c14d917e96cbdae476e2c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD57975453ab9a269d5691071a12db5af84
SHA115278bbcad8c22ecf2d9320fbf71ff89a9cf3c76
SHA256a5bbeb88f557df49554d50a7132ccf22984bde30591f7026d8b948748812095d
SHA51279239617ed2a3dd7c3d30e3a5f9a3e64b69b8e0ab394dc6dde0250e0fca37f1bb99025f903d20851e0da24f1a9e88ebc2e47625eb55c14d917e96cbdae476e2c
-
memory/396-84-0x0000000000000000-mapping.dmp
-
memory/552-65-0x000007FEF42F0000-0x000007FEF4D13000-memory.dmpFilesize
10.1MB
-
memory/552-73-0x0000000002844000-0x0000000002847000-memory.dmpFilesize
12KB
-
memory/552-74-0x000000000284B000-0x000000000286A000-memory.dmpFilesize
124KB
-
memory/552-66-0x000007FEF3790000-0x000007FEF42ED000-memory.dmpFilesize
11.4MB
-
memory/552-67-0x0000000002844000-0x0000000002847000-memory.dmpFilesize
12KB
-
memory/552-68-0x000000001B7B0000-0x000000001BAAF000-memory.dmpFilesize
3.0MB
-
memory/552-62-0x0000000000000000-mapping.dmp
-
memory/552-72-0x000000000284B000-0x000000000286A000-memory.dmpFilesize
124KB
-
memory/940-96-0x0000000001F14000-0x0000000001F17000-memory.dmpFilesize
12KB
-
memory/940-80-0x0000000001F14000-0x0000000001F17000-memory.dmpFilesize
12KB
-
memory/940-91-0x0000000001F1B000-0x0000000001F3A000-memory.dmpFilesize
124KB
-
memory/940-78-0x000007FEF4C90000-0x000007FEF56B3000-memory.dmpFilesize
10.1MB
-
memory/940-79-0x000007FEF4130000-0x000007FEF4C8D000-memory.dmpFilesize
11.4MB
-
memory/940-97-0x0000000001F1B000-0x0000000001F3A000-memory.dmpFilesize
124KB
-
memory/1436-76-0x000000000260B000-0x000000000262A000-memory.dmpFilesize
124KB
-
memory/1436-58-0x000000001B760000-0x000000001BA5F000-memory.dmpFilesize
3.0MB
-
memory/1436-55-0x000007FEF42F0000-0x000007FEF4D13000-memory.dmpFilesize
10.1MB
-
memory/1436-61-0x000000000260B000-0x000000000262A000-memory.dmpFilesize
124KB
-
memory/1436-56-0x000007FEF3790000-0x000007FEF42ED000-memory.dmpFilesize
11.4MB
-
memory/1436-54-0x000007FEFC331000-0x000007FEFC333000-memory.dmpFilesize
8KB
-
memory/1436-60-0x0000000002604000-0x0000000002607000-memory.dmpFilesize
12KB
-
memory/1436-57-0x0000000002604000-0x0000000002607000-memory.dmpFilesize
12KB
-
memory/1436-59-0x000000000260B000-0x000000000262A000-memory.dmpFilesize
124KB
-
memory/1544-85-0x0000000000000000-mapping.dmp
-
memory/1608-83-0x0000000000000000-mapping.dmp
-
memory/1720-82-0x0000000000000000-mapping.dmp
-
memory/1820-70-0x0000000000000000-mapping.dmp
-
memory/2028-90-0x000007FEF4130000-0x000007FEF4C8D000-memory.dmpFilesize
11.4MB
-
memory/2028-89-0x000007FEF4C90000-0x000007FEF56B3000-memory.dmpFilesize
10.1MB
-
memory/2028-92-0x00000000026F4000-0x00000000026F7000-memory.dmpFilesize
12KB
-
memory/2028-86-0x0000000000000000-mapping.dmp
-
memory/2028-94-0x00000000026F4000-0x00000000026F7000-memory.dmpFilesize
12KB
-
memory/2028-95-0x00000000026FB000-0x000000000271A000-memory.dmpFilesize
124KB