112f2f582654691ec17bd5dade694cca5d2447c53c9d6b3a668611907ceb1d52

Analysis

max time kernel
106s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11-12-2022 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

import.ps1
Size

7.7MB
MD5

aeeb7afa26cff3fff16e54c677056b73
SHA1

28b0befdbfa2a3fc66b328756c7c6ac636336ec2
SHA256

112f2f582654691ec17bd5dade694cca5d2447c53c9d6b3a668611907ceb1d52
SHA512

8d51343705aa0bf078159acf5161356a7ea25fc5b134f86220de46728a4bb089c1667267480dbc314a121cb0180007cd6e9c451966f28d381347fffa74ae762d
SSDEEP

24576:cfn0m/OPb9o/Ha4KZZQLFq487s/0H+VXQ5qDrtj6Bnoi4LD2/Qy4IyQr+KJn04vE:w

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2020 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

984 taskkill.exe

pid	process
2020	schtasks.exe

pid	process
984	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1900 powershell.exe
1900 powershell.exe
1156 powershell.exe
552 powershell.exe
960 powershell.exe

pid	process
1900	powershell.exe
1900	powershell.exe
1156	powershell.exe
552	powershell.exe
960	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	984	taskkill.exe
Token: SeDebugPrivilege	960	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

powershell.exeWScript.execmd.exepowershell.exemshta.execmd.exeWScript.execmd.exemshta.exetaskeng.exeWScript.exe

description	pid	process	target process
PID 1900 wrote to memory of 296	1900	powershell.exe	WScript.exe
PID 1900 wrote to memory of 296	1900	powershell.exe	WScript.exe
PID 1900 wrote to memory of 296	1900	powershell.exe	WScript.exe
PID 1900 wrote to memory of 2020	1900	powershell.exe	schtasks.exe
PID 1900 wrote to memory of 2020	1900	powershell.exe	schtasks.exe
PID 1900 wrote to memory of 2020	1900	powershell.exe	schtasks.exe
PID 296 wrote to memory of 1700	296	WScript.exe	cmd.exe
PID 296 wrote to memory of 1700	296	WScript.exe	cmd.exe
PID 296 wrote to memory of 1700	296	WScript.exe	cmd.exe
PID 1700 wrote to memory of 1156	1700	cmd.exe	powershell.exe
PID 1700 wrote to memory of 1156	1700	cmd.exe	powershell.exe
PID 1700 wrote to memory of 1156	1700	cmd.exe	powershell.exe
PID 1156 wrote to memory of 764	1156	powershell.exe	cmstp.exe
PID 1156 wrote to memory of 764	1156	powershell.exe	cmstp.exe
PID 1156 wrote to memory of 764	1156	powershell.exe	cmstp.exe
PID 1324 wrote to memory of 1536	1324	mshta.exe	cmd.exe
PID 1324 wrote to memory of 1536	1324	mshta.exe	cmd.exe
PID 1324 wrote to memory of 1536	1324	mshta.exe	cmd.exe
PID 1536 wrote to memory of 1408	1536	cmd.exe	WScript.exe
PID 1536 wrote to memory of 1408	1536	cmd.exe	WScript.exe
PID 1536 wrote to memory of 1408	1536	cmd.exe	WScript.exe
PID 1408 wrote to memory of 1568	1408	WScript.exe	cmd.exe
PID 1408 wrote to memory of 1568	1408	WScript.exe	cmd.exe
PID 1408 wrote to memory of 1568	1408	WScript.exe	cmd.exe
PID 1568 wrote to memory of 552	1568	cmd.exe	powershell.exe
PID 1568 wrote to memory of 552	1568	cmd.exe	powershell.exe
PID 1568 wrote to memory of 552	1568	cmd.exe	powershell.exe
PID 568 wrote to memory of 984	568	mshta.exe	taskkill.exe
PID 568 wrote to memory of 984	568	mshta.exe	taskkill.exe
PID 568 wrote to memory of 984	568	mshta.exe	taskkill.exe
PID 1756 wrote to memory of 1508	1756	taskeng.exe	WScript.exe
PID 1756 wrote to memory of 1508	1756	taskeng.exe	WScript.exe
PID 1756 wrote to memory of 1508	1756	taskeng.exe	WScript.exe
PID 1508 wrote to memory of 960	1508	WScript.exe	powershell.exe
PID 1508 wrote to memory of 960	1508	WScript.exe	powershell.exe
PID 1508 wrote to memory of 960	1508	WScript.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\import.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Favorites\a.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\System32\cmd.exe
cmd /c ""C:\Users\Admin\Favorites\a.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\Favorites\b.ps1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\system32\cmstp.exe
"C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\cl0f23jw.inf
5⤵
PID:764

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn administartor /sc minute /st 00:10 /tr C:\Users\Admin\Favorites\System.vbs
2⤵
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""cmd.exe /c start """""""" """"%USERPROFILE%\Favorites\Assembly.vbs"""""",0:close")
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\Favorites\Assembly.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Favorites\Assembly.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\System32\cmd.exe
cmd /c ""C:\Users\Admin\Favorites\x.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\Favorites\x.ps1
5⤵
- UAC bypass
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""taskkill /IM cmstp.exe /F"", 0, true:close")
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM cmstp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\system32\taskeng.exe
taskeng.exe {5C9212AD-AD50-45C7-8E41-5FAC1D1207A8} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\Favorites\System.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\Admin\Favorites\micro.ps1
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a19480e430d9410f458cc19dd033c637

SHA1
13cb482a36e5c04f87882638f50444fa78ec3271

SHA256
17f92e7b9f4765d3bf3d38b8523bf9b35f497d8d86a7c2f5b6741d02b64f3d72

SHA512
66f80d42b3d7ec054c28d2162541fff14bcd3787f32c31b0bd5b486a719d084f344ca22792aa0b5891fd4701257d25eeb1836ce9ee6e6d4448d29331407d5556

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a19480e430d9410f458cc19dd033c637

SHA1
13cb482a36e5c04f87882638f50444fa78ec3271

SHA256
17f92e7b9f4765d3bf3d38b8523bf9b35f497d8d86a7c2f5b6741d02b64f3d72

SHA512
66f80d42b3d7ec054c28d2162541fff14bcd3787f32c31b0bd5b486a719d084f344ca22792aa0b5891fd4701257d25eeb1836ce9ee6e6d4448d29331407d5556

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a19480e430d9410f458cc19dd033c637

SHA1
13cb482a36e5c04f87882638f50444fa78ec3271

SHA256
17f92e7b9f4765d3bf3d38b8523bf9b35f497d8d86a7c2f5b6741d02b64f3d72

SHA512
66f80d42b3d7ec054c28d2162541fff14bcd3787f32c31b0bd5b486a719d084f344ca22792aa0b5891fd4701257d25eeb1836ce9ee6e6d4448d29331407d5556

Download Submit
C:\Users\Admin\Favorites\Assembly.vbs

Filesize
331B

MD5
66d268811c166c82aaef2f52450b0c73

SHA1
f7810c1003732c440b986718a8217dd733e88f74

SHA256
581df8170200c95d38ce78eba4e9942d47cad443bbc0148954e48df04eec3b34

SHA512
36de3a5f59ee7a531832ae7e43997a3019ad8a15b0d1b321e589a85d77af27dab80b90a0ef5c978c4fffcc4d32fe8d870f60e9cf3e5bff302e4292bfc6196830

Download Submit
C:\Users\Admin\Favorites\System.vbs

Filesize
121B

MD5
dada8407cf4051919362d16a6d735cde

SHA1
8a2788926f97dbd59c99ad51b3383c59992c6c2e

SHA256
ee512a4266049b505b2b5c6c4c7bd66baadd37eda61bfe7f31f6cfcc1c955a77

SHA512
42c6b1fac8502e3b21cbd6cda11601afc55ca539db03667eec7c839bc33c70ed1a6aeba5a3c9684951143658b17183c2782bec8a0108b345c0ac2aebdaa8fc9f

Download Submit
C:\Users\Admin\Favorites\UAC-B.dll

Filesize
11KB

MD5
cc6ba6fc273dbfbb5c9698c0cf4719b9

SHA1
a2b3433b728b0874ec69d8a629d5f0dd05c0946d

SHA256
320316cdda2aa0e8709472a2b8eb8debcd0f8bb6f9af4d4d4b3bc67068ceebe7

SHA512
fe2fe2f150fbf619dd7616c86c93a42446b7c915b92fb865971dcf7dd595c6483da7386ce40b99802dc0942068bd1703821e0e3b15a6ebe557619cf6fa413c61

Download Submit
C:\Users\Admin\Favorites\a.bat

Filesize
86B

MD5
4625a049cd6ea721b706699ab3c36dff

SHA1
dbb82c9e8cb7bdcf617e7c4e158d031275b5ec24

SHA256
c751a3cb67ab1c75f1de6e24b7193123cc815524c538973110d1f6027da24dc0

SHA512
35674c3c1d6c449b3716ddf2ca8733e255a8f642723186a847694fb936b50a91e6bd7ab7f6edf1489592a583109739a4f0c12769823e2fc163860eeb7004b6c0

Download Submit
C:\Users\Admin\Favorites\a.vbs

Filesize
485B

MD5
5ce49e20c572f2b6d4b43fc61a6906ec

SHA1
170185b8ab9fc4749f28e5796999c23b50be89dc

SHA256
d6a43aad0aa8e510f01409921c8b0b5c8d93d51d1f7f39340db775c164686412

SHA512
c49e14c094e4d5e108aa50889a9fb06428a3d7a1f74d868c9b7d37f35658a64ea205b00681ad83aef428113fdf6fead8ef98dd1e6b38d84b8306765025c2e8e3

Download Submit
C:\Users\Admin\Favorites\b.ps1

Filesize
173B

MD5
e1d9cbc41ffacef02695df17824a82e0

SHA1
970ae087b8a3d11fb3e2a9b8de1592a166436fa7

SHA256
61571d1fd0000c02eef19b7dd6e452e2f9eba2e947f4c96d781e79d35802043f

SHA512
3b4034b2072a309adeb1af8b540023791262915f4b1347f4aa27f8aedcbbb6e1126c1a4d5f1db1ce2ad5638d24d7ba3025a8451c291241db2f2a99b0832f620a

Download Submit
C:\Users\Admin\Favorites\micro.ps1

Filesize
889KB

MD5
6aebe5e40338074dcdf1a2fdf5ec052c

SHA1
0affad0eab774562a022100f11c367e83b72c4b2

SHA256
03b5c1eab769693201ca761bd2050ddd7bad82925fa19015701560aa05e5c296

SHA512
7f7ac71e80557184ea78f75d1f436a9f4808e4f0bf555fe6fd4a924b1f982931c0c8a7345df6df717fe99b60534e948e5994acdeab172c5a778ecdf99eda4774

Download Submit
C:\Users\Admin\Favorites\x.bat

Filesize
86B

MD5
03fc58bceab448c9f183fbe86fed1f11

SHA1
07f3d54b0b40755e8f58f5fdab95049def6578e3

SHA256
6062f0e764ccd855b61ba49720065dfd6f6c6864c4eb1e9dce95ba8a293fd756

SHA512
c0e9aec7a6c5aaae3b018d44f1fbdc1939026ce16fad20211a0521e3db9e470d842508b7d2167672e1585bafeb4b2f1fe694ca96ddb9137ff9e5d3b4ca53ea4f

Download Submit
C:\Users\Admin\Favorites\x.ps1

Filesize
567B

MD5
e9859d3134c68db3134a6ca7df484344

SHA1
f4eec5ee9aa11a82d19bdb78a174c574669fd1d8

SHA256
a4aaf6c64969788732b20c79c1299719b84a52eddda13778a672195bbfba4a6c

SHA512
47982ddf074418c350790f5f7d53edddbbb47e7768939ebf88f4812b01f241c8bff509dbd9a8e6232eb6ec7f8b0344a1a59474ea45da0c80af9f04ba21498cdb

Download Submit
C:\Windows\temp\cl0f23jw.inf

Filesize
834B

MD5
09c0056318d62ee84963c66ae83d6c1b

SHA1
625936963d4a0059daff7222a1628198be9b7a4f

SHA256
25b2a55bade39fe6d90e0fb06068062a95af522f62d743454ffa4ddd478781d8

SHA512
b03301fcafbc905ac7724b5ee878208c4c7dc039b02edcfc00e51742c868ab4cf3f830dbbe52b314ee24f8d87f39b6c9eb3e6c188ddc75a9b52f7dfab85cb2d0

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/296-61-0x0000000000000000-mapping.dmp

Download
memory/552-114-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/552-115-0x000000000271B000-0x000000000273A000-memory.dmp

Filesize
124KB

Download
memory/552-111-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/552-110-0x000007FEEE290000-0x000007FEEEDED000-memory.dmp

Filesize
11.4MB

Download
memory/552-109-0x000007FEEF2F0000-0x000007FEEFD13000-memory.dmp

Filesize
10.1MB

Download
memory/552-106-0x0000000000000000-mapping.dmp

Download
memory/764-78-0x0000000000000000-mapping.dmp

Download
memory/960-120-0x0000000000000000-mapping.dmp

Download
memory/960-124-0x000007FEF29B0000-0x000007FEF350D000-memory.dmp

Filesize
11.4MB

Download
memory/960-125-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/960-127-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/960-128-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/960-129-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/984-113-0x0000000000000000-mapping.dmp

Download
memory/1156-77-0x0000000001ED0000-0x0000000001F50000-memory.dmp

Filesize
512KB

Download
memory/1156-73-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/1156-72-0x0000000001ED0000-0x0000000001F50000-memory.dmp

Filesize
512KB

Download
memory/1156-71-0x000007FEF2E60000-0x000007FEF39BD000-memory.dmp

Filesize
11.4MB

Download
memory/1156-70-0x000007FEF39C0000-0x000007FEF43E3000-memory.dmp

Filesize
10.1MB

Download
memory/1156-67-0x0000000000000000-mapping.dmp

Download
memory/1408-102-0x0000000000000000-mapping.dmp

Download
memory/1508-117-0x0000000000000000-mapping.dmp

Download
memory/1536-83-0x0000000000000000-mapping.dmp

Download
memory/1568-105-0x0000000000000000-mapping.dmp

Download
memory/1700-66-0x0000000000000000-mapping.dmp

Download
memory/1900-74-0x000000000274B000-0x000000000276A000-memory.dmp

Filesize
124KB

Download
memory/1900-54-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download
memory/1900-60-0x000000000274B000-0x000000000276A000-memory.dmp

Filesize
124KB

Download
memory/1900-59-0x0000000002744000-0x0000000002747000-memory.dmp

Filesize
12KB

Download
memory/1900-58-0x000000000274B000-0x000000000276A000-memory.dmp

Filesize
124KB

Download
memory/1900-57-0x000007FEF2E60000-0x000007FEF39BD000-memory.dmp

Filesize
11.4MB

Download
memory/1900-56-0x0000000002744000-0x0000000002747000-memory.dmp

Filesize
12KB

Download
memory/1900-55-0x000007FEF39C0000-0x000007FEF43E3000-memory.dmp

Filesize
10.1MB

Download
memory/2020-62-0x0000000000000000-mapping.dmp

Download