Overview

overview

10

Static

static

aggah.ps1

windows10-1703-x64

10

aggah.ps1

windows7-x64

1

Analysis

  • max time kernel
    517s
  • max time network
    444s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags

    arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
  • submitted
    06-12-2022 21:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aggah.ps1

  • Size

    1.1MB

  • MD5

    8763a2445fde1b8c315ac06e4123207a

  • SHA1

    84e8a98f70acce9988adf826ca0c52aaf66b21c2

  • SHA256

    fa8f6002a8d571256dc88960a69ab44c7cbf65227c45e5b4750007d5749bbd44

  • SHA512

    57b8fa11f322fd4f39608fa511b21c4560c9812743dfe57f49297995aad57b2945c0d370e12aa343cb84374126eb3bb51a20555db564255963512a19793cde4f

  • SSDEEP

    12288:Cjx24c7RmYLQoSlhO5vLIyEDlzvOLHCKzR6VpPXncijT9L:CeRm6QoSlhOXqrOLHCn4ijTN

Score
10/10
collectionpersistence

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    195.178.120.64
  • Port:
    21
  • Username:
    ashgdlkhfg3
  • Password:
    jfghfjg]45

Signatures

  • Registers COM server for autorun 1 TTPs 5 IoCs
    persistence
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 6 IoCs
  • Modifies registry class 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\aggah.ps1
    1⤵
    • Registers COM server for autorun
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4844
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4716
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4860
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 704
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2320
    • C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4780
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 708
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2352
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4276
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -c aggah.ps1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -ep unrestricted
      2⤵
      • Registers COM server for autorun
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:2632
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        3⤵
          PID:2468
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 704
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4456
        • C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
          "C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4004
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 708
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:532

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      b49a31b6e3a6771dbfa29b309842ef4f

      SHA1

      6b837a896a3008be212e7a3e297859b06b1d22af

      SHA256

      066845e6408685e957268c1c1bbb2240809c5b5751ae7973235490032eb51d81

      SHA512

      804d493bfafbe4be906dc9bb760839af0dc1e7ff4e15cec1b75c328b982f797ee5910e045d691138bbf8e5bcaba3fcfe354523acd90be3a6180cdae14af19029

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      6247f3bc421823f887ec4f40862278be

      SHA1

      994681f82f6b65dbfdb5b3120827373ececeb369

      SHA256

      12869f1e095338dd2b70859964b3eb9f245907a47a0e86f787181ffe70a761a0

      SHA512

      9033b9dd1a152aa8dd7277b64fbf8c73a65d0be7a72cc7c7c55f6218103e0af928d087663e95933a8167e1fb85546177f3270c11f0cd1314105c9a17aa14728a

      Download Submit
    • memory/532-748-0x0000000000000000-mapping.dmp
      Download
    • memory/2292-564-0x0000000000000000-mapping.dmp
      Download
    • memory/2292-585-0x0000021B5FE40000-0x0000021B5FE7C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2320-285-0x0000000000000000-mapping.dmp
      Download
    • memory/2352-286-0x0000000000000000-mapping.dmp
      Download
    • memory/2468-618-0x000000000048220E-mapping.dmp
      Download
    • memory/2632-858-0x0000000005860000-0x0000000005878000-memory.dmp
      Filesize

      96KB

      Download
    • memory/2632-611-0x000000000048220E-mapping.dmp
      Download
    • memory/3700-138-0x0000000000000000-mapping.dmp
      Download
    • memory/4004-948-0x0000000073E00000-0x00000000743B0000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4004-629-0x000000000048220E-mapping.dmp
      Download
    • memory/4004-738-0x0000000073E00000-0x00000000743B0000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4004-959-0x0000000073E00000-0x00000000743B0000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4716-180-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4716-210-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4716-158-0x0000000000400000-0x0000000000488000-memory.dmp
      Filesize

      544KB

      Download
    • memory/4716-178-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4716-159-0x000000000048220E-mapping.dmp
      Download
    • memory/4716-184-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4716-187-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4716-160-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4716-190-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4716-193-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4716-163-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4716-168-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4716-563-0x0000000006A70000-0x0000000006A7A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4716-200-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4716-543-0x00000000065E0000-0x0000000006630000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4716-206-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4716-460-0x0000000005290000-0x00000000052A8000-memory.dmp
      Filesize

      96KB

      Download
    • memory/4716-433-0x00000000052C0000-0x0000000005352000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4716-214-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4716-217-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4716-435-0x0000000005220000-0x0000000005286000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4716-170-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4716-284-0x0000000004FC0000-0x000000000505C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4716-295-0x0000000005580000-0x0000000005A7E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4716-165-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4716-219-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4716-276-0x0000000000B00000-0x0000000000B88000-memory.dmp
      Filesize

      544KB

      Download
    • memory/4716-196-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4716-203-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4716-172-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4780-175-0x000000000048220E-mapping.dmp
      Download
    • memory/4780-216-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4780-224-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4780-222-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4780-218-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4780-213-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4780-181-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4780-205-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4780-188-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4780-202-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4780-199-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4780-195-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4780-198-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4780-177-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4780-553-0x0000000073E00000-0x00000000743B0000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4780-192-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4780-540-0x0000000073E00000-0x00000000743B0000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4780-186-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4780-220-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4780-278-0x0000000073E00000-0x00000000743B0000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4780-185-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4780-208-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4780-182-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4780-211-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4844-157-0x0000027BB38F0000-0x0000027BB390A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4844-156-0x0000027BB1F90000-0x0000027BB1F9C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/4844-127-0x0000027BCBF50000-0x0000027BCBFC6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4844-124-0x0000027BB1FA0000-0x0000027BB1FC2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4860-194-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4860-179-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4860-174-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4860-171-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4860-223-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4860-162-0x000000000048220E-mapping.dmp
      Download
    • memory/4860-167-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4860-221-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4860-438-0x0000000073E00000-0x00000000743B0000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4860-183-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4860-189-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4860-204-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4860-191-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4860-201-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4860-212-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4860-166-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4860-164-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4860-197-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4860-215-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4860-169-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4860-176-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4860-207-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/4860-258-0x0000000073E00000-0x00000000743B0000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4860-209-0x00000000779E0000-0x0000000077B6E000-memory.dmp
      Filesize

      1.6MB

      Download