Analysis
  max time kernel: 91s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 30-09-2022 23:35

  Static task: static1
  Behavioral task: behavioral1 (Sample: file01.ps1, Resource: win7-20220901-en)
  Behavioral task: behavioral2 (Sample: file01.ps1, Resource: win10v2004-20220812-en)
General
  Target: file01.ps1
  Size: 541KB
  MD5: 8b1e1389854e7efed04472288a9445d8
  SHA1: 9cb77f0e0e7c1276d684e88c384155ee9504fe1a
  SHA256: 21d2842bf7e9b12dec350a2fdb9a8185c3ec1e07d27d631e2ed5909065c22551
  SHA512: 2edc673d0df9933ce2f13f24e435edb743de5b334b5abbdfaa9ad3f63170643804c6ac945d5a98d4422ccbcd1abd039202cc94b3468c4f2919f0cda85061a926
  SSDEEP: 12288:vXi4xmh3fnwCiEgzChnmYyUX3EjZrk2SvvGrdKNOQCqe6d7:vXa7
Malware Config
Signatures
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4664 | 632 | POWERSHELL.exe
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
Snake Keylogger payload (2 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/2160-155-0x000000000042060E-mapping.dmp | family_snakekeylogger
  behavioral2/memory/2160-160-0x0000000000180000-0x00000000001A6000-memory.dmp | family_snakekeylogger
Registers COM server for autorun (1 TTP, 2 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" | reg.exe
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  17 | checkip.dyndns.org
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 1548 set thread context of 2160 | 1548 | powershell.exe | aspnet_compiler.exe
Modifies registry class (4 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\ | reg.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll" | reg.exe

Modifies registry key (1 TTP, 2 IoCs)
Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes:
  pid | process
  4864 | powershell.exe
  4864 | powershell.exe
  3532 | powershell.exe
  3532 | powershell.exe
  4664 | POWERSHELL.exe
  4664 | POWERSHELL.exe
  1548 | powershell.exe
  1548 | powershell.exe
  2160 | aspnet_compiler.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (token privileges enabled, listed per process in the order the report records them):
  4864 powershell.exe: SeDebugPrivilege
  3532 powershell.exe: SeDebugPrivilege
  4664 POWERSHELL.exe: SeDebugPrivilege
  3532 powershell.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  3532 powershell.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  3532 powershell.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34
Suspicious use of WriteProcessMemory (22 IoCs)
Processes:
  description | pid | process | target process
  PID 4864 wrote to memory of 3532 | 4864 | powershell.exe | powershell.exe
  PID 4864 wrote to memory of 3532 | 4864 | powershell.exe | powershell.exe
  PID 3532 wrote to memory of 1384 | 3532 | powershell.exe | WScript.exe
  PID 3532 wrote to memory of 1384 | 3532 | powershell.exe | WScript.exe
  PID 4664 wrote to memory of 4652 | 4664 | POWERSHELL.exe | cmd.exe
  PID 4664 wrote to memory of 4652 | 4664 | POWERSHELL.exe | cmd.exe
  PID 4652 wrote to memory of 3976 | 4652 | cmd.exe | reg.exe
  PID 4652 wrote to memory of 3976 | 4652 | cmd.exe | reg.exe
  PID 4652 wrote to memory of 728 | 4652 | cmd.exe | reg.exe
  PID 4652 wrote to memory of 728 | 4652 | cmd.exe | reg.exe
  PID 4652 wrote to memory of 4828 | 4652 | cmd.exe | cmd.exe
  PID 4652 wrote to memory of 4828 | 4652 | cmd.exe | cmd.exe
  PID 4828 wrote to memory of 1548 | 4828 | cmd.exe | powershell.exe
  PID 4828 wrote to memory of 1548 | 4828 | cmd.exe | powershell.exe
  PID 1548 wrote to memory of 2160 | 1548 | powershell.exe | aspnet_compiler.exe
  PID 1548 wrote to memory of 2160 | 1548 | powershell.exe | aspnet_compiler.exe
  PID 1548 wrote to memory of 2160 | 1548 | powershell.exe | aspnet_compiler.exe
  PID 1548 wrote to memory of 2160 | 1548 | powershell.exe | aspnet_compiler.exe
  PID 1548 wrote to memory of 2160 | 1548 | powershell.exe | aspnet_compiler.exe
  PID 1548 wrote to memory of 2160 | 1548 | powershell.exe | aspnet_compiler.exe
  PID 1548 wrote to memory of 2160 | 1548 | powershell.exe | aspnet_compiler.exe
  PID 1548 wrote to memory of 2160 | 1548 | powershell.exe | aspnet_compiler.exe
outlook_office_path (1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe

outlook_win_path (1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Processes (process tree; the bracketed number is the depth in the tree, each entry gives the image path, its command line, and the signatures that fired for it)

  [1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file01.ps1
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1'"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\System32\WScript.exe
          command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs"

  [1] C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
      command line: POWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat
      - Process spawned unexpected child process
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat""
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\system32\reg.exe
          command line: REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
          - Modifies registry class
          - Modifies registry key
      [3] C:\Windows\system32\reg.exe
          command line: REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
          - Registers COM server for autorun
          - Modifies registry class
          - Modifies registry key
      [3] C:\Windows\system32\cmd.exe
          command line: cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"
          - Suspicious use of WriteProcessMemory
        [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
          [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              - Accesses Microsoft Outlook profiles
              - Suspicious behavior: EnumeratesProcesses
              - outlook_office_path
              - outlook_win_path
Downloads
  Dropped files and artifacts (path and size; per-file hash listing omitted):
  C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1 (531KB)
  C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat (706B)
  C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1 (3KB)
  C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs (2KB)
  C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (3KB)
  C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (1KB)
  C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (1KB)
  C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (64B)