Overview

overview

10

Static

static

chris-server.ps1

windows7-x64

10

chris-server.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    42s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    14-10-2022 07:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    chris-server.ps1

  • Size

    255KB

  • MD5

    7a82388b85eb4abac99ef658d7b0d1cf

  • SHA1

    45cef26f5d4397ea8155857520a11a141ba465e2

  • SHA256

    44b973071a7a8b22ab1a3defe1b2ec8028c39de957180e9a71e09b48c0d8a641

  • SHA512

    2a112f190f56d9d2aad7e3b68369e45c89650334561ce9b7eca37a24e4b81089282b1889e9f0df501ae6c9f4430b686ec6a9c46d140740d002c143520c6dd723

  • SSDEEP

    6144:wRQRmeIR/ENCsO8cruAw9GH8dIhpk/Gkk4DwS:SXY7kHhpckLS

Score
10/10
persistence

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\chris-server.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\JZKPPKGTHBOIPSRKOCOKSH.ps1'"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1280
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\JZKPPKGTHBOIPSRKOCOKSH.vbs"
        3⤵
          PID:436
    • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
      POWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\JZKPPKGTHBOIPSRKOCOKSH.bat
      1⤵
      • Process spawned unexpected child process
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\JZKPPKGTHBOIPSRKOCOKSH.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1380
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
          3⤵
          • Modifies registry class
          • Modifies registry key
          PID:956
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
          3⤵
          • Registers COM server for autorun
          • Modifies registry class
          • Modifies registry key
          PID:872
        • C:\Windows\system32\cmd.exe
          cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\RUCXFGHJUCVOFVUZVIPNCG.ps1'"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:960
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\RUCXFGHJUCVOFVUZVIPNCG.ps1'"
            4⤵
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:980

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\JZKPPKGTHBOIPSRKOCOKSH.bat
      Filesize

      706B

      MD5

      c5dc49fe999bbd184028c2322216f34f

      SHA1

      6de54f03eaf77fe28e88f6ad461b37371da0db0c

      SHA256

      34bd396295ba567cc78dfa910e6e9db8d54b35df73a553c91a407f067bbe2241

      SHA512

      e30064f421f37310bb6a3156e1f54fe7cb7988bc26947ebef7d1933ba7b912077cc855ebb9d5da18aa5a8f92043c5cbab887212f9a5a9810e07eebfc23168454

      Download Submit
    • C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\JZKPPKGTHBOIPSRKOCOKSH.ps1
      Filesize

      3KB

      MD5

      c800c44beca2cfa73dc8113cb84e90d4

      SHA1

      aca79156fb80732bc556472574f04d40b3d4a0e2

      SHA256

      4f72092255c228f5c03546a3c351baae4f3bb9d6eb8aeb0c709c74da6ec9f09d

      SHA512

      e384d770f00c566d3246f0aa67b47033bad4713e0c5341e258b951e26bee4205ec9037732393b06b2966903f216dd0c55791c6d6c067a543c93de53cd126f466

      Download Submit
    • C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\JZKPPKGTHBOIPSRKOCOKSH.vbs
      Filesize

      2KB

      MD5

      6be2ca965d6ec7eed5fc2ca94c70be5d

      SHA1

      127a21034790b8f07a4c6c95b64b0253011df068

      SHA256

      a134febf91fe6fe748bfe937aefa809349f3c36a5791516d4cfc5bf7f2db9525

      SHA512

      da9a71167f22f394f72fbf153571b75dbce4642331f5d59b2f6cb7e4f64a3faf7267b188760e74d27804b70f55d83f3e44ae77a6344d80039d59658571d83565

      Download Submit
    • C:\ProgramData\JZKPPKGTHBOIPSRKOCOKSH\RUCXFGHJUCVOFVUZVIPNCG.ps1
      Filesize

      245KB

      MD5

      9003c61627db62d6d2091d2b6383a630

      SHA1

      1b80514173761d3627d737b1e7dea52abb5c8761

      SHA256

      864e1a7757e96375629837f696cbf6ac1d3db941949dbdbaa52538ee0d4010da

      SHA512

      deb3db4961ec6d49a11ebc143a8d54c1c383dd27dd753638b766fd7877a27cd7c69de8bf8691b248f10f0bbee787f487fb1e6ff5fea5b3a0e3bdb6ddd16f3c33

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      fdacc790f1f30ad4fe7b7147bdaee510

      SHA1

      38ccd92de1bd43dca7f9e00786611600c5242e31

      SHA256

      7da3ff38ab1aeb1b9776e511dd85766001491ecbe742eecea867abe2643c75f4

      SHA512

      15f51a2e37c416068d226cbdedbaa3fe92094d7332e2050e41b6fc9fd44442efdb906f36f5b7fd062e66933a5e7578912c822993ffe281ef8fb823d5531b9744

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      75680edf91ef1c749ed80cd6f7d4f55c

      SHA1

      b0fd0271a50231e1dae17fb196bb97edd25683a8

      SHA256

      12c23de546333d757d9323dc3f19fc436b4018092bd05a7fd4d395c3bf6e940c

      SHA512

      0fdfcaacf4e902b6925a12f1ae1f381110c8d3c575f80f0a470b22f4543a467b8a1e7b572ea2f7e748ceb9c47cf7b1a603a0f54949591d3d5b80d493dcadcaee

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      fdacc790f1f30ad4fe7b7147bdaee510

      SHA1

      38ccd92de1bd43dca7f9e00786611600c5242e31

      SHA256

      7da3ff38ab1aeb1b9776e511dd85766001491ecbe742eecea867abe2643c75f4

      SHA512

      15f51a2e37c416068d226cbdedbaa3fe92094d7332e2050e41b6fc9fd44442efdb906f36f5b7fd062e66933a5e7578912c822993ffe281ef8fb823d5531b9744

      Download Submit
    • \??\PIPE\srvsvc
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit
    • memory/436-69-0x0000000000000000-mapping.dmp
      Download
    • memory/872-84-0x0000000000000000-mapping.dmp
      Download
    • memory/956-83-0x0000000000000000-mapping.dmp
      Download
    • memory/960-85-0x0000000000000000-mapping.dmp
      Download
    • memory/980-86-0x0000000000000000-mapping.dmp
      Download
    • memory/980-90-0x000007FEF3D90000-0x000007FEF47B3000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/980-94-0x0000000002784000-0x0000000002787000-memory.dmp
      Filesize

      12KB

      Download
    • memory/980-92-0x0000000002784000-0x0000000002787000-memory.dmp
      Filesize

      12KB

      Download
    • memory/980-95-0x000000000278B000-0x00000000027AA000-memory.dmp
      Filesize

      124KB

      Download
    • memory/980-91-0x000007FEF3230000-0x000007FEF3D8D000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1280-71-0x000000000269B000-0x00000000026BA000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1280-67-0x0000000002694000-0x0000000002697000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1280-62-0x0000000000000000-mapping.dmp
      Download
    • memory/1280-72-0x0000000002694000-0x0000000002697000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1280-73-0x000000000269B000-0x00000000026BA000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1280-65-0x000007FEF33F0000-0x000007FEF3E13000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/1280-66-0x000007FEF2890000-0x000007FEF33ED000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1380-80-0x0000000000000000-mapping.dmp
      Download
    • memory/1656-77-0x000007FEF3D90000-0x000007FEF47B3000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/1656-82-0x00000000026FB000-0x000000000271A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1656-81-0x00000000026F4000-0x00000000026F7000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1656-96-0x00000000026FB000-0x000000000271A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1656-78-0x000007FEF3230000-0x000007FEF3D8D000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1736-74-0x000000000252B000-0x000000000254A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1736-57-0x0000000002524000-0x0000000002527000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1736-56-0x000007FEF2890000-0x000007FEF33ED000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1736-54-0x000007FEFB741000-0x000007FEFB743000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1736-58-0x000000001B7B0000-0x000000001BAAF000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1736-55-0x000007FEF33F0000-0x000007FEF3E13000-memory.dmp
      Filesize

      10.1MB

      Download
    • memory/1736-59-0x000000000252B000-0x000000000254A000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1736-60-0x0000000002524000-0x0000000002527000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1736-61-0x000000000252B000-0x000000000254A000-memory.dmp
      Filesize

      124KB

      Download