Overview

overview

10

Static

static

blessed1.ps1

windows7-x64

10

blessed1.ps1

windows10-2004-x64

10

Resubmissions

16-03-2023 18:25

230316-w2mwcaee8s 10

30-09-2022 08:58

220930-kxf2fsdah5 10

Analysis

  • max time kernel
    43s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30-09-2022 08:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    blessed1.ps1

  • Size

    540KB

  • MD5

    297b8e10650755c2076d5ea6c298d7b5

  • SHA1

    3ef255b390d42017069762e5b2f068a2dbb5bfe5

  • SHA256

    3db43c5dc157dc3380f32a9814c1e590a1cb1fe0e9ba35706e56888de9230b4c

  • SHA512

    04fb650b1eb36296ac4b3ff7d80f0fa077214e899f9c6139bbec3f6b7ddee6980e15989b337f9f4f176e994a7a25f69e64c4921e814298eacb8baa82f9648b12

  • SSDEEP

    12288:VXD4xmh3fnwCiEgzChnmYyUX3EjZrk2SvvGrdKNOQCqe6YG:VXEG

Score
10/10
persistence

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\blessed1.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1'"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1296
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs"
        3⤵
          PID:828
    • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
      POWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat
      1⤵
      • Process spawned unexpected child process
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:472
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
          3⤵
          • Modifies registry class
          • Modifies registry key
          PID:1636
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
          3⤵
          • Registers COM server for autorun
          • Modifies registry class
          • Modifies registry key
          PID:900
        • C:\Windows\system32\cmd.exe
          cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1328
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"
            4⤵
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1260

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1
      Filesize

      531KB

      MD5

      cf926b0be724d46e228175953d33a988

      SHA1

      4b87320b4a3b75be7414f82e3cc83abed0f2123b

      SHA256

      3a0b71b1c003590b1eb5a0f5e5e1ccf5af14fca8a264ff1f01c153c2a3806e00

      SHA512

      349ac83e0e2e14c6e9089020ce2c8f07800381840ea5ea574bc6b9ccf67ab603112efb9188950d495f1c18ffd36096aaf6a74d5bbaddc7a3ab13bc24ca7b3b40

      Download Submit

    • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat
      Filesize

      693B

      MD5

      5a52e1c0f7e19f6b96c875310238e048

      SHA1

      6a017b2933ffb51c025fce852abd0e356b0e2b1d

      SHA256

      14e860c94a8664901099340f7a4f97362a64ef149a53e5df31a5a4d383a51d2a

      SHA512

      ddeb3ffd4c2c88c264c6c3587a33ac229afd44ed3a82fcf244e3069e8e0a28be328fded4b40d438185ccacbefb5ccd5d1df40292be825b0f9587b63fbc781f5d

      Download Submit

    • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1
      Filesize

      3KB

      MD5

      21df908f451a93e32692c2fe8b34162e

      SHA1

      25f4e917312bf21ad9289348b682a292e657cc4d

      SHA256

      ce05b804fdf14f27ab9617e55a7b431bba49325ae749a97a3ee9cff469b36e2e

      SHA512

      6f4d3f109fec3a9d92f36fae2d1eb2bea4c59dbe2b73e92e7f2175f2ca985b9c71f8905d4e6589d4cc010497403729bf7b718efb437f47fd819f16d74bea5ace

      Download Submit

    • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs
      Filesize

      2KB

      MD5

      1f420d8b494afee108abdbdce860be6d

      SHA1

      06029153e26d9a107f5831ab001f3e43ae6d4aae

      SHA256

      51bfac3e3d2230f21591bd59362c2f657a69614ea893a64644879f3010540275

      SHA512

      bf1e5b622141bb19096f6b8674b92579d0a045f7919beebdcca57f620900836e43d06f17d938697924942b0746087ddad902129887b7da3788256c0a0356d217

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      467242afcd53c7eabfbf21a05876b9bd

      SHA1

      a4a5a364a775e9f50c4c2745f26a09f2d8962eaf

      SHA256

      fccb42e6872e248f85c5501d47a4c618ce95ffcf290594d88a6bce32bf428196

      SHA512

      97a69c1aad9fe4f758bc81c40c957db154b01ef93bd334c861dd6d0b76fbfdab06be22d1263e836408357285225df1f601ba3c5346897a4f2fd7678810b2a9c9

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      f45794c7aa5ea325d5cb0dfdb084d859

      SHA1

      7e5215273a2b24a3834f98fff099a4a810debd3a

      SHA256

      9efdd7a90b0b5d58dd2c44ca698d8e9d76c8891ff35391b831dd5682217cb5d8

      SHA512

      ff0ec42054a1d54468ea8ca1553eb9fcaf17dc94ede87e00a33c3693c3c97baad0071007a047a9fdc0301cb0cf6d5169f77db39630c4905dd5d4c08f4a60a2b7

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      467242afcd53c7eabfbf21a05876b9bd

      SHA1

      a4a5a364a775e9f50c4c2745f26a09f2d8962eaf

      SHA256

      fccb42e6872e248f85c5501d47a4c618ce95ffcf290594d88a6bce32bf428196

      SHA512

      97a69c1aad9fe4f758bc81c40c957db154b01ef93bd334c861dd6d0b76fbfdab06be22d1263e836408357285225df1f601ba3c5346897a4f2fd7678810b2a9c9

      Download Submit

    • memory/472-83-0x0000000000000000-mapping.dmp

      Download

    • memory/828-71-0x0000000000000000-mapping.dmp

      Download

    • memory/900-85-0x0000000000000000-mapping.dmp

      Download

    • memory/1048-65-0x000000000293B000-0x000000000295A000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1048-57-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1048-55-0x000007FEF4830000-0x000007FEF5253000-memory.dmp

      Filesize

      10.1MB

      Download

    • memory/1048-56-0x000007FEF3CD0000-0x000007FEF482D000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/1048-77-0x000000000293B000-0x000000000295A000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1048-60-0x0000000002934000-0x0000000002937000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1048-54-0x000007FEFC281000-0x000007FEFC283000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1048-59-0x000000000293B000-0x000000000295A000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1048-58-0x0000000002934000-0x0000000002937000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1260-90-0x000007FEF4830000-0x000007FEF5253000-memory.dmp

      Filesize

      10.1MB

      Download

    • memory/1260-91-0x000007FEF3CD0000-0x000007FEF482D000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/1260-87-0x0000000000000000-mapping.dmp

      Download

    • memory/1260-97-0x00000000029DB000-0x00000000029FA000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1260-93-0x00000000029D4000-0x00000000029D7000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1260-96-0x00000000029D4000-0x00000000029D7000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1296-67-0x0000000002554000-0x0000000002557000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1296-64-0x000007FEF4830000-0x000007FEF5253000-memory.dmp

      Filesize

      10.1MB

      Download

    • memory/1296-61-0x0000000000000000-mapping.dmp

      Download

    • memory/1296-66-0x000007FEF3CD0000-0x000007FEF482D000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/1296-68-0x000000001B750000-0x000000001BA4F000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1296-70-0x000000000255B000-0x000000000257A000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1296-74-0x000000000255B000-0x000000000257A000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1296-73-0x0000000002554000-0x0000000002557000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1328-86-0x0000000000000000-mapping.dmp

      Download

    • memory/1636-84-0x0000000000000000-mapping.dmp

      Download

    • memory/1704-78-0x000007FEF4830000-0x000007FEF5253000-memory.dmp

      Filesize

      10.1MB

      Download

    • memory/1704-92-0x000000000292B000-0x000000000294A000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1704-79-0x000007FEF3CD0000-0x000007FEF482D000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/1704-81-0x000000001B8A0000-0x000000001BB9F000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1704-80-0x0000000002924000-0x0000000002927000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1704-98-0x0000000002924000-0x0000000002927000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1704-99-0x000000000292B000-0x000000000294A000-memory.dmp

      Filesize

      124KB

      Download