8ad689340639d6fd053783579d537e95f3e9582dac11ccdd14efefcf2e75ff6e

Analysis

max time kernel
55s
max time network
58s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
27-10-2022 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b.ps1
Size

210KB
MD5

a7a03768cf25eff7aa62e421a82ada32
SHA1

ed39471f65e96ec6efd6787814c3f941e4d303c8
SHA256

0363345ea2a222ee5b38a7ae16aba7599cfa303454ca4ed1d05481960237d7b2
SHA512

da612654f3f7b23f3fa45b42f72ce4dca12930dbbb243896e065a104698d1210b172857f2c3d72d32f6ccb9a4b2a15bb9709695550c2180543f7285ca7a445ee
SSDEEP

3072:2JKn5li2h/XY9E1eEOv3nzD3m3ApeNwLqU/QIL:2E5lin2GXzD3m3Ape6qU/QIL

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3512	powershell.exe
3512	powershell.exe
3512	powershell.exe
4348	powershell.exe
4348	powershell.exe
4348	powershell.exe
4792	chrome.exe
4792	chrome.exe
3968	chrome.exe
3968	chrome.exe
3880	chrome.exe
3880	chrome.exe
3320	chrome.exe
3320	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeIncreaseQuotaPrivilege	4348	powershell.exe
Token: SeSecurityPrivilege	4348	powershell.exe
Token: SeTakeOwnershipPrivilege	4348	powershell.exe
Token: SeLoadDriverPrivilege	4348	powershell.exe
Token: SeSystemProfilePrivilege	4348	powershell.exe
Token: SeSystemtimePrivilege	4348	powershell.exe
Token: SeProfSingleProcessPrivilege	4348	powershell.exe
Token: SeIncBasePriorityPrivilege	4348	powershell.exe
Token: SeCreatePagefilePrivilege	4348	powershell.exe
Token: SeBackupPrivilege	4348	powershell.exe
Token: SeRestorePrivilege	4348	powershell.exe
Token: SeShutdownPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeSystemEnvironmentPrivilege	4348	powershell.exe
Token: SeRemoteShutdownPrivilege	4348	powershell.exe
Token: SeUndockPrivilege	4348	powershell.exe
Token: SeManageVolumePrivilege	4348	powershell.exe
Token: 33	4348	powershell.exe
Token: 34	4348	powershell.exe
Token: 35	4348	powershell.exe
Token: 36	4348	powershell.exe
Token: SeIncreaseQuotaPrivilege	4348	powershell.exe
Token: SeSecurityPrivilege	4348	powershell.exe
Token: SeTakeOwnershipPrivilege	4348	powershell.exe
Token: SeLoadDriverPrivilege	4348	powershell.exe
Token: SeSystemProfilePrivilege	4348	powershell.exe
Token: SeSystemtimePrivilege	4348	powershell.exe
Token: SeProfSingleProcessPrivilege	4348	powershell.exe
Token: SeIncBasePriorityPrivilege	4348	powershell.exe
Token: SeCreatePagefilePrivilege	4348	powershell.exe
Token: SeBackupPrivilege	4348	powershell.exe
Token: SeRestorePrivilege	4348	powershell.exe
Token: SeShutdownPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeSystemEnvironmentPrivilege	4348	powershell.exe
Token: SeRemoteShutdownPrivilege	4348	powershell.exe
Token: SeUndockPrivilege	4348	powershell.exe
Token: SeManageVolumePrivilege	4348	powershell.exe
Token: 33	4348	powershell.exe
Token: 34	4348	powershell.exe
Token: 35	4348	powershell.exe
Token: 36	4348	powershell.exe
Token: SeIncreaseQuotaPrivilege	4348	powershell.exe
Token: SeSecurityPrivilege	4348	powershell.exe
Token: SeTakeOwnershipPrivilege	4348	powershell.exe
Token: SeLoadDriverPrivilege	4348	powershell.exe
Token: SeSystemProfilePrivilege	4348	powershell.exe
Token: SeSystemtimePrivilege	4348	powershell.exe
Token: SeProfSingleProcessPrivilege	4348	powershell.exe
Token: SeIncBasePriorityPrivilege	4348	powershell.exe
Token: SeCreatePagefilePrivilege	4348	powershell.exe
Token: SeBackupPrivilege	4348	powershell.exe
Token: SeRestorePrivilege	4348	powershell.exe
Token: SeShutdownPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeSystemEnvironmentPrivilege	4348	powershell.exe
Token: SeRemoteShutdownPrivilege	4348	powershell.exe
Token: SeUndockPrivilege	4348	powershell.exe
Token: SeManageVolumePrivilege	4348	powershell.exe
Token: 33	4348	powershell.exe
Token: 34	4348	powershell.exe
Token: 35	4348	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 1948	3512	powershell.exe	67
PID 3512 wrote to memory of 1948	3512	powershell.exe	67
PID 1948 wrote to memory of 4348	1948	cmd.exe	69
PID 1948 wrote to memory of 4348	1948	cmd.exe	69
PID 3968 wrote to memory of 4916	3968	chrome.exe	76
PID 3968 wrote to memory of 4916	3968	chrome.exe	76
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4688	3968	chrome.exe	78
PID 3968 wrote to memory of 4792	3968	chrome.exe	77
PID 3968 wrote to memory of 4792	3968	chrome.exe	77
PID 3968 wrote to memory of 1156	3968	chrome.exe	79
PID 3968 wrote to memory of 1156	3968	chrome.exe	79
PID 3968 wrote to memory of 1156	3968	chrome.exe	79
PID 3968 wrote to memory of 1156	3968	chrome.exe	79
PID 3968 wrote to memory of 1156	3968	chrome.exe	79
PID 3968 wrote to memory of 1156	3968	chrome.exe	79
PID 3968 wrote to memory of 1156	3968	chrome.exe	79
PID 3968 wrote to memory of 1156	3968	chrome.exe	79
PID 3968 wrote to memory of 1156	3968	chrome.exe	79
PID 3968 wrote to memory of 1156	3968	chrome.exe	79
PID 3968 wrote to memory of 1156	3968	chrome.exe	79
PID 3968 wrote to memory of 1156	3968	chrome.exe	79
PID 3968 wrote to memory of 1156	3968	chrome.exe	79
PID 3968 wrote to memory of 1156	3968	chrome.exe	79
PID 3968 wrote to memory of 1156	3968	chrome.exe	79
PID 3968 wrote to memory of 1156	3968	chrome.exe	79

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\installer\xx.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\installer\xx.PS1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7fffb8d44f50,0x7fffb8d44f60,0x7fffb8d44f70
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,7391221816039529111,470232166683620649,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1620,7391221816039529111,470232166683620649,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1632 /prefetch:2
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1620,7391221816039529111,470232166683620649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 /prefetch:8
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7391221816039529111,470232166683620649,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2592 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7391221816039529111,470232166683620649,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2572 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7391221816039529111,470232166683620649,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,7391221816039529111,470232166683620649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4320 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,7391221816039529111,470232166683620649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4464 /prefetch:8
  2⤵
  PID:376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,7391221816039529111,470232166683620649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,7391221816039529111,470232166683620649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,7391221816039529111,470232166683620649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,7391221816039529111,470232166683620649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,7391221816039529111,470232166683620649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,7391221816039529111,470232166683620649,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4492 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,7391221816039529111,470232166683620649,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,7391221816039529111,470232166683620649,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:1064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\installer\xx.PS1

Filesize
652B

MD5
1c290d2f588f04316c21fc976b3faf21

SHA1
4ea7acf4f292de5434eb37186d97d02050c2b780

SHA256
6fbbd90514abd87ab26a7d0c1742ec70d41ee53ddbd1c0cf857eedd40e089aee

SHA512
b169a2134986cb234d633b02f5e7f3de8a66881104782f4ce30c71b1e6454e41af254cd6f230e264ad325172801fb68db09fc5189199d6d845c91722bb564911

Download Submit
C:\ProgramData\installer\xx.bat

Filesize
86B

MD5
2a409650db33b9a05f0efe5348ef308c

SHA1
dbfb8eff90eea813b2941f6d9c9bcedc2febb135

SHA256
5505654f9c49dc116200734325ec1704c1d1003c9685cb22cb726cc0d22f4135

SHA512
a707d8ce1e5288faf37d3fc187c58b7b4ae8ce9a89c448b89996a8d3e6f471bcd0475e3d3495576ae6867cc05403bd73580403ee373ccb47b24453f18483d173

Download Submit
memory/1948-141-0x0000000000000000-mapping.dmp

Download
memory/3512-119-0x000001C455790000-0x000001C4557B2000-memory.dmp

Filesize
136KB

Download
memory/3512-122-0x000001C455A80000-0x000001C455AF6000-memory.dmp

Filesize
472KB

Download
memory/4348-143-0x0000000000000000-mapping.dmp

Download