Overview

overview

10

Static

static

believe-se...xt.ps1

windows7-x64

10

believe-se...xt.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    47s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    13-10-2022 19:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    believe-server.txt.ps1

  • Size

    255KB

  • MD5

    02d3b46db023e74bf34b36d336e283d8

  • SHA1

    fe8d8ebc03e50c39b3c38b6f9aad6e9ea6894528

  • SHA256

    aed50a5da5a71dbee227b9de4c9ee68ec20e9814928b16fb231784c3d45ef4a2

  • SHA512

    a1b259c6ff0ac4c108dfdf471e325f3938dcb3afe61308e75fe1058b4945076318d3403b36ac145682e53548f31e9260dba1b5e37c83a9476f2d338b4625d07a

  • SSDEEP

    6144:wRQRmeIR/ENCsO4/TzhUtZylDwc00ddPqWBYWUaOU8Y85TNkS:SX4PhU1cFPqWt987SS

Score
10/10
persistence

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\believe-server.txt.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\JZKPPKGTHBOIPSRKOCOKSH.ps1'"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\JZKPPKGTHBOIPSRKOCOKSH.vbs"
        3⤵
          PID:1784
    • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
      POWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\JZKPPKGTHBOIPSRKOCOKSH.bat
      1⤵
      • Process spawned unexpected child process
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\JZKPPKGTHBOIPSRKOCOKSH.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1044
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
          3⤵
          • Modifies registry class
          • Modifies registry key
          PID:468
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
          3⤵
          • Registers COM server for autorun
          • Modifies registry class
          • Modifies registry key
          PID:1284
        • C:\Windows\system32\cmd.exe
          cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\RUCXFGHJUCVOFVUZVIPNCG.ps1'"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:948
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\RUCXFGHJUCVOFVUZVIPNCG.ps1'"
            4⤵
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1956

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\JZKPPKGTHBOIPSRKOCOKSH.bat
      Filesize

      706B

      MD5

      c5dc49fe999bbd184028c2322216f34f

      SHA1

      6de54f03eaf77fe28e88f6ad461b37371da0db0c

      SHA256

      34bd396295ba567cc78dfa910e6e9db8d54b35df73a553c91a407f067bbe2241

      SHA512

      e30064f421f37310bb6a3156e1f54fe7cb7988bc26947ebef7d1933ba7b912077cc855ebb9d5da18aa5a8f92043c5cbab887212f9a5a9810e07eebfc23168454

      Download Submit
    • C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\JZKPPKGTHBOIPSRKOCOKSH.ps1
      Filesize

      3KB

      MD5

      c800c44beca2cfa73dc8113cb84e90d4

      SHA1

      aca79156fb80732bc556472574f04d40b3d4a0e2

      SHA256

      4f72092255c228f5c03546a3c351baae4f3bb9d6eb8aeb0c709c74da6ec9f09d

      SHA512

      e384d770f00c566d3246f0aa67b47033bad4713e0c5341e258b951e26bee4205ec9037732393b06b2966903f216dd0c55791c6d6c067a543c93de53cd126f466

      Download Submit
    • C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\JZKPPKGTHBOIPSRKOCOKSH.vbs
      Filesize

      2KB

      MD5

      6be2ca965d6ec7eed5fc2ca94c70be5d

      SHA1

      127a21034790b8f07a4c6c95b64b0253011df068

      SHA256

      a134febf91fe6fe748bfe937aefa809349f3c36a5791516d4cfc5bf7f2db9525

      SHA512

      da9a71167f22f394f72fbf153571b75dbce4642331f5d59b2f6cb7e4f64a3faf7267b188760e74d27804b70f55d83f3e44ae77a6344d80039d59658571d83565

      Download Submit
    • C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\RUCXFGHJUCVOFVUZVIPNCG.ps1
      Filesize

      245KB

      MD5

      fd06e51c5842273d2ba148319aa3dfc3

      SHA1

      c00d3c04e7df097b91ec4fed303f26f42fb6cad2

      SHA256

      7b5de2dfec01f0d73344696e87954013144214a5bdb937c31b2029e4fb2d07aa

      SHA512

      beac6143b82668bd12171925f4b7d80cbe719adb0a5fd6eda19f8a9f1e3d7a287358a30d6e1b56ea16822ffc2aa81994b86a9dddb469012d737d72baf92005f4

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      7fdcda568aa35710ce4ca68bc664e851

      SHA1

      718334fba5d3ac84148b159e76314d20e5412784

      SHA256

      f72a124d125dca9cade3d797f5b7a89f4475b88ad87bedca76ba34a0394eb226

      SHA512

      421ac7b3a3493b7a5bba5ffe1bfd9cf8a143c4c1ffd36064af953a21604fa240f62e2d534ee6e843b4368eb11b0160dfd03d80445b35467defaa642cf50ffdde

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      a85af1187f6d77ad6b0cd2beaa219f31

      SHA1

      08bdee3972c806dead6cfe62be30070397fc778e

      SHA256

      1a5cb1072283194f5d5f35279788c3a44275c67e63e4429f2e51d406262422d1

      SHA512

      a69fffd5c341e8c17e71612b9b893b46278d680dd87a8e78763472eef842fb126cfc259b2b09e8d3abed6365c34d914f55e80dc58a2ee045ab50d5060a6d3e40

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      a85af1187f6d77ad6b0cd2beaa219f31

      SHA1

      08bdee3972c806dead6cfe62be30070397fc778e

      SHA256

      1a5cb1072283194f5d5f35279788c3a44275c67e63e4429f2e51d406262422d1

      SHA512

      a69fffd5c341e8c17e71612b9b893b46278d680dd87a8e78763472eef842fb126cfc259b2b09e8d3abed6365c34d914f55e80dc58a2ee045ab50d5060a6d3e40

      Download Submit
    • \??\PIPE\srvsvc
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit
    • memory/468-83-0x0000000000000000-mapping.dmp
      Download
    • memory/948-86-0x0000000000000000-mapping.dmp
      Download
    • memory/1044-82-0x0000000000000000-mapping.dmp
      Download
    • memory/1080-84-0x00000000027FB000-0x000000000281A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1080-80-0x000000001B7B0000-0x000000001BAAF000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1080-97-0x00000000027F4000-0x00000000027F7000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1080-78-0x00000000027F4000-0x00000000027F7000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1080-79-0x000007FEF3940000-0x000007FEF449D000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1080-98-0x00000000027FB000-0x000000000281A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1080-77-0x000007FEF44A0000-0x000007FEF4EC3000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/1232-65-0x000007FEF2FA0000-0x000007FEF3AFD000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1232-64-0x000007FEF3B00000-0x000007FEF4523000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/1232-73-0x000000000264B000-0x000000000266A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1232-72-0x0000000002644000-0x0000000002647000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1232-70-0x000000000264B000-0x000000000266A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1232-61-0x0000000000000000-mapping.dmp
      Download
    • memory/1232-66-0x000000001B750000-0x000000001BA4F000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1232-67-0x0000000002644000-0x0000000002647000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1284-85-0x0000000000000000-mapping.dmp
      Download
    • memory/1784-69-0x0000000000000000-mapping.dmp
      Download
    • memory/1956-91-0x000007FEF44A0000-0x000007FEF4EC3000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/1956-96-0x0000000001F5B000-0x0000000001F7A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1956-95-0x0000000001F54000-0x0000000001F57000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1956-87-0x0000000000000000-mapping.dmp
      Download
    • memory/1956-93-0x0000000001F54000-0x0000000001F57000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1956-92-0x000007FEF3940000-0x000007FEF449D000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1992-60-0x000000000259B000-0x00000000025BA000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1992-58-0x000000000259B000-0x00000000025BA000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1992-59-0x0000000002594000-0x0000000002597000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1992-56-0x000007FEF2FA0000-0x000007FEF3AFD000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1992-54-0x000007FEFBE81000-0x000007FEFBE83000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1992-76-0x000000000259B000-0x00000000025BA000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1992-57-0x0000000002594000-0x0000000002597000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1992-55-0x000007FEF3B00000-0x000007FEF4523000-memory.dmp
      Filesize

      10.1MB

      Download