Overview

overview

10

Static

static

file01.ps1

windows7-x64

10

file01.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    38s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30-09-2022 23:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file01.ps1

  • Size

    833KB

  • MD5

    3cc5a223552109e539cbe5ef1fa5e5fe

  • SHA1

    73ae5666483ca262a772ff39a4ca867290934054

  • SHA256

    085d23a18c1dc923aaaa53ead881862faadaf2cd49114fe2ea5d85a3d7d5a9f3

  • SHA512

    3e6be56204400bd1535c655208ad881f01f038ab345aceac8a692f4d59f0d951ed923bd76d598c07f0d5ae7d6a24e984eafaafe68b9b20755cdc160b5e93ff1e

  • SSDEEP

    12288:vX4HnACkasep8iiShRNiXPCkwT0AV4igtsfsZTMursfV5yqhrzcJMrqLtPw5Cc/D:vXe7

Score
10/10
persistence

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file01.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1376
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1'"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs"
        3⤵
          PID:560
    • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
      POWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat
      1⤵
      • Process spawned unexpected child process
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1088
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1464
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
          3⤵
          • Modifies registry class
          • Modifies registry key
          PID:1984
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
          3⤵
          • Registers COM server for autorun
          • Modifies registry class
          • Modifies registry key
          PID:1796
        • C:\Windows\system32\cmd.exe
          cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1668
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"
            4⤵
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1180

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1
      Filesize

      824KB

      MD5

      72fae1336dddec90ae79e72cdecff348

      SHA1

      944938aa9e7b9e0a7be0652ef5f655044ccc7743

      SHA256

      a3e20bea0a9e6b98852b03d67c55191a3b290a1ee9ccacfa6aab057fa7c53de3

      SHA512

      b8636517f54acc11b019d6263abe495ab46ffcbcaffb79c0ea29faa6bbe8ca9077f50a0ee36f6cad4cc19696a0328b9db7ba5b05d08163b53b100d6dff6df9be

      Download Submit
    • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat
      Filesize

      706B

      MD5

      5f47e284245ee4f81f03eb432c946a88

      SHA1

      0a95478eafa3e994bf3e6e166b4a43ba9d63fe2e

      SHA256

      a749e67a7b277f33e03aa41b2dc19d09e7bebdb45ebe2c686ed410ed80980090

      SHA512

      f41c1717f966513dfdea116d171fcbb964b3ddff37df8466e73c887fbbd8521832a111e63ef2b00a95b6dba8e293ca6b196f16018a88f4534e751832092ead2b

      Download Submit
    • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1
      Filesize

      3KB

      MD5

      67a502ba0f7e94457ee7a901066e176c

      SHA1

      09b7a7edafcb084398270e46689853dc1bb56fd9

      SHA256

      127cb052f9cc719b08bc165b04f4a54c6c616981370f21025b39139c9b8abd87

      SHA512

      5810cc4c466d1e16dedb5ef02fd416e343e3772442b0e06b8e2b8fbdd696f06374b14a2776f4e39b9071884457d49892d71db141377b8b53257fa4ccf29d2c4c

      Download Submit
    • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs
      Filesize

      2KB

      MD5

      50868a55a1f3c71fec65535055a9ce84

      SHA1

      485524c1b3cd4bda27cede63bb11d120b2b0d134

      SHA256

      966b292093b03191aa3855a053f2f6150f2e9a84d507438e08260992a921f579

      SHA512

      5f3491b4135339a5e63b85e2a47a69c31be44fc9a2eb281153f40ce9ce400e59bce70dcee7b4ef2473e2cb11589b21905cecfad919107d2fa76dc73605326feb

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      ae83fd897dac1959d321d157048892cf

      SHA1

      140e10c9379a940471264712ea6889e89aaae543

      SHA256

      e79ebb123b2721015c2a7977a3adf0f1157906cc26e02d794604799b5c13b0f6

      SHA512

      f2a90889212a381ae74394ced1449b3423c08951e4af9080329d26a1046a1a7a24d08b935d2e9861c853d35eacf49ddf7ed2d0084f1a66e43215fae4bb17d63a

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      93adcdb00bfebeb1e3596e9d147edb12

      SHA1

      10665a460626c2a2832e0b1e395b9957966b0d22

      SHA256

      7e82f4d5fbd56855892faf6284a1fc9b6461f5ff0785a6deb2a283e1077d506b

      SHA512

      a8f5f8142ebc64d67d7b2bcf3bb4572a08e5101591dc9ddc16b32666b7cd055b0b6a639b49e3c43ee04dee63d46f175c237a58ec32a36095a955989825e15b5e

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      93adcdb00bfebeb1e3596e9d147edb12

      SHA1

      10665a460626c2a2832e0b1e395b9957966b0d22

      SHA256

      7e82f4d5fbd56855892faf6284a1fc9b6461f5ff0785a6deb2a283e1077d506b

      SHA512

      a8f5f8142ebc64d67d7b2bcf3bb4572a08e5101591dc9ddc16b32666b7cd055b0b6a639b49e3c43ee04dee63d46f175c237a58ec32a36095a955989825e15b5e

      Download Submit
    • memory/560-69-0x0000000000000000-mapping.dmp
      Download
    • memory/1088-82-0x00000000027B4000-0x00000000027B7000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1088-77-0x000007FEF38C0000-0x000007FEF42E3000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/1088-83-0x00000000027BB000-0x00000000027DA000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1088-79-0x000000001B740000-0x000000001BA3F000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1088-78-0x000007FEF2D60000-0x000007FEF38BD000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1088-97-0x00000000027BB000-0x00000000027DA000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1180-92-0x0000000002504000-0x0000000002507000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1180-87-0x0000000000000000-mapping.dmp
      Download
    • memory/1180-93-0x000000001B700000-0x000000001B9FF000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1180-90-0x000007FEF38C0000-0x000007FEF42E3000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/1180-95-0x0000000002504000-0x0000000002507000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1180-91-0x000007FEF2D60000-0x000007FEF38BD000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1180-96-0x000000000250B000-0x000000000252A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1192-65-0x000007FEF4260000-0x000007FEF4C83000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/1192-66-0x000007FEF3700000-0x000007FEF425D000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1192-73-0x00000000026FB000-0x000000000271A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1192-62-0x0000000000000000-mapping.dmp
      Download
    • memory/1192-72-0x00000000026FB000-0x000000000271A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1192-71-0x00000000026F4000-0x00000000026F7000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1192-67-0x000000001B7A0000-0x000000001BA9F000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1376-61-0x000000000270B000-0x000000000272A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1376-54-0x000007FEFBC01000-0x000007FEFBC03000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1376-74-0x000000000270B000-0x000000000272A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1376-60-0x0000000002704000-0x0000000002707000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1376-59-0x000000000270B000-0x000000000272A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1376-58-0x000000001B710000-0x000000001BA0F000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1376-56-0x000007FEF3700000-0x000007FEF425D000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1376-57-0x0000000002704000-0x0000000002707000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1376-55-0x000007FEF4260000-0x000007FEF4C83000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/1464-81-0x0000000000000000-mapping.dmp
      Download
    • memory/1668-86-0x0000000000000000-mapping.dmp
      Download
    • memory/1796-85-0x0000000000000000-mapping.dmp
      Download
    • memory/1984-84-0x0000000000000000-mapping.dmp
      Download