085d23a18c1dc923aaaa53ead881862faadaf2cd49114fe2ea5d85a3d7d5a9f3

General

Target

file01.ps1
Size

833KB
MD5

3cc5a223552109e539cbe5ef1fa5e5fe
SHA1

73ae5666483ca262a772ff39a4ca867290934054
SHA256

085d23a18c1dc923aaaa53ead881862faadaf2cd49114fe2ea5d85a3d7d5a9f3
SHA512

3e6be56204400bd1535c655208ad881f01f038ab345aceac8a692f4d59f0d951ed923bd76d598c07f0d5ae7d6a24e984eafaafe68b9b20755cdc160b5e93ff1e
SSDEEP

12288:vX4HnACkasep8iiShRNiXPCkwT0AV4igtsfsZTMursfV5yqhrzcJMrqLtPw5Cc/D:vXe7

Score

10^/10

persistence

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	756	POWERSHELL.exe	30

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	reg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	POWERSHELL.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1984	reg.exe
1796	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1376	powershell.exe
1192	powershell.exe
1088	POWERSHELL.exe
1180	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	1088	POWERSHELL.exe
Token: SeDebugPrivilege	1180	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1192	1376	powershell.exe	28
PID 1376 wrote to memory of 1192	1376	powershell.exe	28
PID 1376 wrote to memory of 1192	1376	powershell.exe	28
PID 1192 wrote to memory of 560	1192	powershell.exe	29
PID 1192 wrote to memory of 560	1192	powershell.exe	29
PID 1192 wrote to memory of 560	1192	powershell.exe	29
PID 1088 wrote to memory of 1464	1088	POWERSHELL.exe	33
PID 1088 wrote to memory of 1464	1088	POWERSHELL.exe	33
PID 1088 wrote to memory of 1464	1088	POWERSHELL.exe	33
PID 1464 wrote to memory of 1984	1464	cmd.exe	34
PID 1464 wrote to memory of 1984	1464	cmd.exe	34
PID 1464 wrote to memory of 1984	1464	cmd.exe	34
PID 1464 wrote to memory of 1796	1464	cmd.exe	35
PID 1464 wrote to memory of 1796	1464	cmd.exe	35
PID 1464 wrote to memory of 1796	1464	cmd.exe	35
PID 1464 wrote to memory of 1668	1464	cmd.exe	36
PID 1464 wrote to memory of 1668	1464	cmd.exe	36
PID 1464 wrote to memory of 1668	1464	cmd.exe	36
PID 1668 wrote to memory of 1180	1668	cmd.exe	37
PID 1668 wrote to memory of 1180	1668	cmd.exe	37
PID 1668 wrote to memory of 1180	1668	cmd.exe	37

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file01.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs"
    3⤵
    PID:560

C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:1984
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
    3⤵
    - Registers COM server for autorun
    - Modifies registry class
    - Modifies registry key
    PID:1796
- - C:\Windows\system32\cmd.exe
    cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1

Filesize
824KB

MD5
72fae1336dddec90ae79e72cdecff348

SHA1
944938aa9e7b9e0a7be0652ef5f655044ccc7743

SHA256
a3e20bea0a9e6b98852b03d67c55191a3b290a1ee9ccacfa6aab057fa7c53de3

SHA512
b8636517f54acc11b019d6263abe495ab46ffcbcaffb79c0ea29faa6bbe8ca9077f50a0ee36f6cad4cc19696a0328b9db7ba5b05d08163b53b100d6dff6df9be

Download Submit
C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat

Filesize
706B

MD5
5f47e284245ee4f81f03eb432c946a88

SHA1
0a95478eafa3e994bf3e6e166b4a43ba9d63fe2e

SHA256
a749e67a7b277f33e03aa41b2dc19d09e7bebdb45ebe2c686ed410ed80980090

SHA512
f41c1717f966513dfdea116d171fcbb964b3ddff37df8466e73c887fbbd8521832a111e63ef2b00a95b6dba8e293ca6b196f16018a88f4534e751832092ead2b

Download Submit
C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1

Filesize
3KB

MD5
67a502ba0f7e94457ee7a901066e176c

SHA1
09b7a7edafcb084398270e46689853dc1bb56fd9

SHA256
127cb052f9cc719b08bc165b04f4a54c6c616981370f21025b39139c9b8abd87

SHA512
5810cc4c466d1e16dedb5ef02fd416e343e3772442b0e06b8e2b8fbdd696f06374b14a2776f4e39b9071884457d49892d71db141377b8b53257fa4ccf29d2c4c

Download Submit
C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs

Filesize
2KB

MD5
50868a55a1f3c71fec65535055a9ce84

SHA1
485524c1b3cd4bda27cede63bb11d120b2b0d134

SHA256
966b292093b03191aa3855a053f2f6150f2e9a84d507438e08260992a921f579

SHA512
5f3491b4135339a5e63b85e2a47a69c31be44fc9a2eb281153f40ce9ce400e59bce70dcee7b4ef2473e2cb11589b21905cecfad919107d2fa76dc73605326feb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ae83fd897dac1959d321d157048892cf

SHA1
140e10c9379a940471264712ea6889e89aaae543

SHA256
e79ebb123b2721015c2a7977a3adf0f1157906cc26e02d794604799b5c13b0f6

SHA512
f2a90889212a381ae74394ced1449b3423c08951e4af9080329d26a1046a1a7a24d08b935d2e9861c853d35eacf49ddf7ed2d0084f1a66e43215fae4bb17d63a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
93adcdb00bfebeb1e3596e9d147edb12

SHA1
10665a460626c2a2832e0b1e395b9957966b0d22

SHA256
7e82f4d5fbd56855892faf6284a1fc9b6461f5ff0785a6deb2a283e1077d506b

SHA512
a8f5f8142ebc64d67d7b2bcf3bb4572a08e5101591dc9ddc16b32666b7cd055b0b6a639b49e3c43ee04dee63d46f175c237a58ec32a36095a955989825e15b5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
93adcdb00bfebeb1e3596e9d147edb12

SHA1
10665a460626c2a2832e0b1e395b9957966b0d22

SHA256
7e82f4d5fbd56855892faf6284a1fc9b6461f5ff0785a6deb2a283e1077d506b

SHA512
a8f5f8142ebc64d67d7b2bcf3bb4572a08e5101591dc9ddc16b32666b7cd055b0b6a639b49e3c43ee04dee63d46f175c237a58ec32a36095a955989825e15b5e

Download Submit
memory/1088-82-0x00000000027B4000-0x00000000027B7000-memory.dmp

Filesize
12KB

Download
memory/1088-77-0x000007FEF38C0000-0x000007FEF42E3000-memory.dmp

Filesize
10.1MB

Download
memory/1088-83-0x00000000027BB000-0x00000000027DA000-memory.dmp

Filesize
124KB

Download
memory/1088-79-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/1088-78-0x000007FEF2D60000-0x000007FEF38BD000-memory.dmp

Filesize
11.4MB

Download
memory/1088-97-0x00000000027BB000-0x00000000027DA000-memory.dmp

Filesize
124KB

Download
memory/1180-92-0x0000000002504000-0x0000000002507000-memory.dmp

Filesize
12KB

Download
memory/1180-93-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/1180-90-0x000007FEF38C0000-0x000007FEF42E3000-memory.dmp

Filesize
10.1MB

Download
memory/1180-95-0x0000000002504000-0x0000000002507000-memory.dmp

Filesize
12KB

Download
memory/1180-91-0x000007FEF2D60000-0x000007FEF38BD000-memory.dmp

Filesize
11.4MB

Download
memory/1180-96-0x000000000250B000-0x000000000252A000-memory.dmp

Filesize
124KB

Download
memory/1192-65-0x000007FEF4260000-0x000007FEF4C83000-memory.dmp

Filesize
10.1MB

Download
memory/1192-66-0x000007FEF3700000-0x000007FEF425D000-memory.dmp

Filesize
11.4MB

Download
memory/1192-73-0x00000000026FB000-0x000000000271A000-memory.dmp

Filesize
124KB

Download
memory/1192-72-0x00000000026FB000-0x000000000271A000-memory.dmp

Filesize
124KB

Download
memory/1192-71-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/1192-67-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/1376-61-0x000000000270B000-0x000000000272A000-memory.dmp

Filesize
124KB

Download
memory/1376-54-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp

Filesize
8KB

Download
memory/1376-74-0x000000000270B000-0x000000000272A000-memory.dmp

Filesize
124KB

Download
memory/1376-60-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/1376-59-0x000000000270B000-0x000000000272A000-memory.dmp

Filesize
124KB

Download
memory/1376-58-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/1376-56-0x000007FEF3700000-0x000007FEF425D000-memory.dmp

Filesize
11.4MB

Download
memory/1376-57-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/1376-55-0x000007FEF4260000-0x000007FEF4C83000-memory.dmp

Filesize
10.1MB

Download

Analysis

Sharing