5a986b4ea7640b887fbef842e3cf0adcd6aa16482c98ccd6db5a99e726205b3a

General

Target

3.ps1
Size

1.1MB
MD5

2c1d7f30313a38d84667c62442884b8b
SHA1

87a8523c468b51418acdd93ac866c4ffeb038f09
SHA256

5a986b4ea7640b887fbef842e3cf0adcd6aa16482c98ccd6db5a99e726205b3a
SHA512

c12f02092a9f45d3fa51d3a681d10fe6f331439783a18b05db6fc8130f62ef7a8644c84af4c0532693cd43dca9c81b96c12735c2ea7d9e28203f5e2e1c8d0755
SSDEEP

12288:1ViPI6z8ay43NxSz0kmLoL2xfZe0I8nU8ECxKFajz:PINi0kmLF5I8z

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

WScript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helloitsindian.vbs WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2036 schtasks.exe
1984 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

960 powershell.exe
700 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 960 powershell.exe
Token: SeDebugPrivilege 700 powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helloitsindian.vbs	WScript.exe

pid	process
2036	schtasks.exe
1984	schtasks.exe

pid	process
960	powershell.exe
700	powershell.exe

description	pid	process
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

powershell.exeWScript.execmd.exeWScript.exe

description	pid	process	target process
PID 960 wrote to memory of 1636	960	powershell.exe	WScript.exe
PID 960 wrote to memory of 1636	960	powershell.exe	WScript.exe
PID 960 wrote to memory of 1636	960	powershell.exe	WScript.exe
PID 1636 wrote to memory of 2020	1636	WScript.exe	WScript.exe
PID 1636 wrote to memory of 2020	1636	WScript.exe	WScript.exe
PID 1636 wrote to memory of 2020	1636	WScript.exe	WScript.exe
PID 1636 wrote to memory of 1548	1636	WScript.exe	cmd.exe
PID 1636 wrote to memory of 1548	1636	WScript.exe	cmd.exe
PID 1636 wrote to memory of 1548	1636	WScript.exe	cmd.exe
PID 1548 wrote to memory of 700	1548	cmd.exe	powershell.exe
PID 1548 wrote to memory of 700	1548	cmd.exe	powershell.exe
PID 1548 wrote to memory of 700	1548	cmd.exe	powershell.exe
PID 2020 wrote to memory of 2036	2020	WScript.exe	schtasks.exe
PID 2020 wrote to memory of 2036	2020	WScript.exe	schtasks.exe
PID 2020 wrote to memory of 2036	2020	WScript.exe	schtasks.exe
PID 2020 wrote to memory of 1984	2020	WScript.exe	schtasks.exe
PID 2020 wrote to memory of 1984	2020	WScript.exe	schtasks.exe
PID 2020 wrote to memory of 1984	2020	WScript.exe	schtasks.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\holatyrimakachola\helloitsindian.vbs"
2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\holatyrimakachola\JIGIJIGI.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 120 /tn Appligation /F /tr "C:\ProgramData\holatyrimakachola\helloitsindian.vbs"
4⤵
- Creates scheduled task(s)
PID:2036

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 45 /tn ChromiumPluginupdate /F /tr "C:\ProgramData\holatyrimakachola\ChromeExtentionUpdate.vbs"
4⤵
- Creates scheduled task(s)
PID:1984

C:\Windows\System32\cmd.exe
cmd /c ""C:\ProgramData\holatyrimakachola\JIGIJIGI.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\holatyrimakachola\GOLGAPORA.PS1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:700

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\holatyrimakachola\GOLGAPORA.PS1
Filesize
1.1MB

MD5
603bffe09d8f6c58499a83212f5febac

SHA1
f6616cdfbe8b06b5ee4f95cfee0ed15b74b59466

SHA256
d7fe1e3c8d18c2f992dfad7fabfb8f9907786eaca269dbc73593801c7474bd13

SHA512
788b7cd546c4557fdbbab8a5048f62838106e592836a9616f19cf82759b6486207912f8787ddf5465a4d5ec4d567776cab701b2c1e5b63980c9245ee51884346

Download Submit
C:\ProgramData\holatyrimakachola\JIGIJIGI.bat
Filesize
105B

MD5
7f53280ea46314479ed1d63b7d9625eb

SHA1
9a045c31da18e934b1ca4ce27b72daf0cbbd87fe

SHA256
88bc996293478f62bb28814b1787c278a6dc0ed20fe8b11e3f644985b6514459

SHA512
275868f4214bc8b874ec857f8938fc35fb77ef025596e1e0cdbea2d231864bec8c4ae09fb557c8dcbe95131c10962cc11744b210f1ec0c111db663fa27a7dbf3

Download Submit
C:\ProgramData\holatyrimakachola\JIGIJIGI.vbs
Filesize
562B

MD5
8ea0ee4f4d6ccbabe4117cdd6f974011

SHA1
3271a608993c307046b3185c9a21d434d39fb19c

SHA256
cfed6df2d13d6a842032d23d0b12429ca0ddb4ef2bba89f096a05ba44516c620

SHA512
5b10ff90b6560956670c85f33266384f4ed401845e137e356ff15e4d613a6a6cc6ff42e68ccde85e0c49d58b7c20f25132ece60a2b60977dd1b3066e59cca61e

Download Submit
C:\ProgramData\holatyrimakachola\helloitsindian.vbs
Filesize
387B

MD5
f0ca1358f7cbc07ffadcdcbb09a8096e

SHA1
a1839290fb16f5ccfbcbeec71bcfa4afaa842eaa

SHA256
b964c3f6be44ac474f116783e4ca950b909109ff7ea1cf9db9a879a29beeae43

SHA512
60fe0ab41793a5fd89a5ffad088a46b0cc8c4db06b8180446e1a4d036c7f81faf35fa726bc9f7b4231b99946ac3c99ae659b4e5a7611e10da2d86344fa620d2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
078fb8eb8c04cad6f294f6b7ce70b16d

SHA1
0f9c8c3d1114ff16df03c488c07bf5a492caf3e7

SHA256
94d2c38894d82599a60cae1b0a1a1adc6a60766fe520054365460f90a36114c4

SHA512
6a28fbb4ddcc99b9ff42ae4b4e98be8f13b02e0e35e65ec72798eebfbad1347e53ef14dfc617e67ec7b65f937dcb5bc8582225a776a95c14506324da35104731

Download Submit
memory/700-73-0x00000000029D4000-0x00000000029D7000-memory.dmp

Filesize
12KB

Download
memory/700-72-0x000007FEF3150000-0x000007FEF3CAD000-memory.dmp

Filesize
11.4MB

Download
memory/700-78-0x00000000029DB000-0x00000000029FA000-memory.dmp

Filesize
124KB

Download
memory/700-71-0x000007FEF3CB0000-0x000007FEF46D3000-memory.dmp

Filesize
10.1MB

Download
memory/700-68-0x0000000000000000-mapping.dmp

Download
memory/700-79-0x00000000029D4000-0x00000000029D7000-memory.dmp

Filesize
12KB

Download
memory/960-58-0x000000000289B000-0x00000000028BA000-memory.dmp

Filesize
124KB

Download
memory/960-61-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/960-60-0x000000000289B000-0x00000000028BA000-memory.dmp

Filesize
124KB

Download
memory/960-54-0x000007FEFC011000-0x000007FEFC013000-memory.dmp

Filesize
8KB

Download
memory/960-57-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/960-56-0x000007FEF3AF0000-0x000007FEF464D000-memory.dmp

Filesize
11.4MB

Download
memory/960-55-0x000007FEF4650000-0x000007FEF5073000-memory.dmp

Filesize
10.1MB

Download
memory/1548-67-0x0000000000000000-mapping.dmp

Download
memory/1636-59-0x0000000000000000-mapping.dmp

Download
memory/1984-77-0x0000000000000000-mapping.dmp

Download
memory/2020-65-0x0000000000000000-mapping.dmp

Download
memory/2036-76-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads