b1b279e81410d415a097e9cab59aa3a04728adf62095c99d1aee345b124d4b49

General

Target

img.jpg.ps1
Size

771KB
MD5

5ac2d245025afdd32eb83ee07c5eac2c
SHA1

2d7afe2482c8b00f64a3c06f1991e9d31e5e4992
SHA256

b1b279e81410d415a097e9cab59aa3a04728adf62095c99d1aee345b124d4b49
SHA512

f27af8054d6898da00de2b999cb421f26307d46f6b64c041d617b84b7012cec872e7f827f0befe71464e2ee0644d606a20cf231bbab52de9af78b806778f00e3
SSDEEP

3072:DWYU4444d444444444444444g44444444444444444K44444444444444449444a:D1/QImq4sn+kdnuzDT03ApT

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

784 schtasks.exe
968 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1212 powershell.exe
1212 powershell.exe
1212 powershell.exe
1304 powershell.exe
972 powershell.exe
2012 powershell.exe

pid	process
784	schtasks.exe
968	schtasks.exe

pid	process
1212	powershell.exe
1212	powershell.exe
1212	powershell.exe
1304	powershell.exe
972	powershell.exe
2012	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

powershell.exeWScript.exepowershell.exetaskeng.exeWScript.exeWScript.exe

description	pid	process	target process
PID 1212 wrote to memory of 1164	1212	powershell.exe	WScript.exe
PID 1212 wrote to memory of 1164	1212	powershell.exe	WScript.exe
PID 1212 wrote to memory of 1164	1212	powershell.exe	WScript.exe
PID 1164 wrote to memory of 1304	1164	WScript.exe	powershell.exe
PID 1164 wrote to memory of 1304	1164	WScript.exe	powershell.exe
PID 1164 wrote to memory of 1304	1164	WScript.exe	powershell.exe
PID 1304 wrote to memory of 784	1304	powershell.exe	schtasks.exe
PID 1304 wrote to memory of 784	1304	powershell.exe	schtasks.exe
PID 1304 wrote to memory of 784	1304	powershell.exe	schtasks.exe
PID 1304 wrote to memory of 968	1304	powershell.exe	schtasks.exe
PID 1304 wrote to memory of 968	1304	powershell.exe	schtasks.exe
PID 1304 wrote to memory of 968	1304	powershell.exe	schtasks.exe
PID 1632 wrote to memory of 1964	1632	taskeng.exe	WScript.exe
PID 1632 wrote to memory of 1964	1632	taskeng.exe	WScript.exe
PID 1632 wrote to memory of 1964	1632	taskeng.exe	WScript.exe
PID 1964 wrote to memory of 972	1964	WScript.exe	powershell.exe
PID 1964 wrote to memory of 972	1964	WScript.exe	powershell.exe
PID 1964 wrote to memory of 972	1964	WScript.exe	powershell.exe
PID 1632 wrote to memory of 936	1632	taskeng.exe	WScript.exe
PID 1632 wrote to memory of 936	1632	taskeng.exe	WScript.exe
PID 1632 wrote to memory of 936	1632	taskeng.exe	WScript.exe
PID 936 wrote to memory of 2012	936	WScript.exe	powershell.exe
PID 936 wrote to memory of 2012	936	WScript.exe	powershell.exe
PID 936 wrote to memory of 2012	936	WScript.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\img.jpg.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Logs\install.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Admin\AppData\Roaming\Logs\install.ps1'))
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn det /sc minute /st 00:10 /tr C:\Users\Admin\AppData\Roaming\Logs\Loader.vbs
4⤵
- Creates scheduled task(s)
PID:784

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn administartor /SC minute /MO 3 /tr C:\Users\Admin\AppData\Roaming\Logs\Loader.vbs
4⤵
- Creates scheduled task(s)
PID:968

C:\Windows\system32\taskeng.exe
taskeng.exe {E4A2EE79-2DE7-4F8A-89CE-BE024D268655} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\Logs\Loader.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Admin\AppData\Roaming\Logs\Report.ps1'))
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\Logs\Loader.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Admin\AppData\Roaming\Logs\Report.ps1'))
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Logs\Loader.vbs
Filesize
1KB

MD5
7a1f08fd27f797b5a5cc2d79f8f6bba7

SHA1
bd63d22c44ed12788a81cbc06b7c2bb91e0c338c

SHA256
922dc773abdfd0812b0e1adcaabf9dea2e5f0264573266cf0b024feb984c632e

SHA512
306649a84b7c57acb67d5baca1f288e9211028a19a2d9a2a331db59026d3c557a225eaaa4b325df9bc1bdf1cef2d823b1eadffaa40b6f1cf1d19ce5bfd77d449

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\Report.ps1
Filesize
766KB

MD5
8d881e40488abde98aa11a3c098e491c

SHA1
379a8ce68bd5834e0df24b0dbcd22576d1cba800

SHA256
aa918a89a7f9b75ced739a879db39a7b3ba1e322f4871fd32f731661847aaf9b

SHA512
54106c664804e49d84a0398d9e0c60e076acf12e0a22646d0543d01684526b29125f9f8aa2120329b5aa4d8faa965bd197f541753c9985255ba8d1c5ff8860af

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\install.ps1
Filesize
237B

MD5
6bdb23dd1842efaa701ced26bb8ae3a5

SHA1
67938eee711bca4d76581ad4ce157d1f197c97f8

SHA256
4e0c891ba520fc17f612e1d65b0549aea0533070237b7bc27ee36613e212429c

SHA512
16b5044b13b3c172f50c0dbfb11544750385c92144e1a2fe7dc3a3d18b361d722c72668eb11fcccecdc7dc4858f22383432515f7c9f3a353b04e52d3c4622c0e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\install.vbs
Filesize
2KB

MD5
e35d96b22a7a748d8a85089ea37b003e

SHA1
6b91c72388ed718c5ea75d1bd31263c8cb466878

SHA256
06b9130d3e031c4729ad96332ed15189d5391b88f81c5bbb0f3a94ac4a05185a

SHA512
f45a67d4dc0338ba62cfd6413f7d02889a186b8893397f32df3c88dec903fd79c849ea38538aefead378db1ea2071a0a3b921d7f9fa35729ea71371c7a3d6809

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
2d5589ec81661a518b765282617dc703

SHA1
b663e9a2bba6c40fb42ba37a90fbc37d604a96ee

SHA256
43c6f43834989848fb3e570b22cde873cffa9fe5f72df00c0a272968219e279f

SHA512
bf3147df01a6b4eadca8e41177ac2b4b36d311d567f714b36df232d56e75a8788447a936a5c15eecd3d207061ca6de753784e7b48fe139c1fca1f92515e1e771

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
2d5589ec81661a518b765282617dc703

SHA1
b663e9a2bba6c40fb42ba37a90fbc37d604a96ee

SHA256
43c6f43834989848fb3e570b22cde873cffa9fe5f72df00c0a272968219e279f

SHA512
bf3147df01a6b4eadca8e41177ac2b4b36d311d567f714b36df232d56e75a8788447a936a5c15eecd3d207061ca6de753784e7b48fe139c1fca1f92515e1e771

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
2d5589ec81661a518b765282617dc703

SHA1
b663e9a2bba6c40fb42ba37a90fbc37d604a96ee

SHA256
43c6f43834989848fb3e570b22cde873cffa9fe5f72df00c0a272968219e279f

SHA512
bf3147df01a6b4eadca8e41177ac2b4b36d311d567f714b36df232d56e75a8788447a936a5c15eecd3d207061ca6de753784e7b48fe139c1fca1f92515e1e771

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/784-73-0x0000000000000000-mapping.dmp

Download
memory/936-92-0x0000000000000000-mapping.dmp

Download
memory/968-74-0x0000000000000000-mapping.dmp

Download
memory/972-85-0x000007FEF31D0000-0x000007FEF3D2D000-memory.dmp

Filesize
11.4MB

Download
memory/972-87-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/972-84-0x000007FEF3DF0000-0x000007FEF4813000-memory.dmp

Filesize
10.1MB

Download
memory/972-90-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/972-86-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/972-80-0x0000000000000000-mapping.dmp

Download
memory/972-91-0x000000000262B000-0x000000000264A000-memory.dmp

Filesize
124KB

Download
memory/972-89-0x000000000262B000-0x000000000264A000-memory.dmp

Filesize
124KB

Download
memory/1164-60-0x0000000000000000-mapping.dmp

Download
memory/1212-58-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/1212-55-0x000007FEF3CF0000-0x000007FEF4713000-memory.dmp

Filesize
10.1MB

Download
memory/1212-57-0x0000000002954000-0x0000000002957000-memory.dmp

Filesize
12KB

Download
memory/1212-59-0x000000000295B000-0x000000000297A000-memory.dmp

Filesize
124KB

Download
memory/1212-56-0x000007FEF3190000-0x000007FEF3CED000-memory.dmp

Filesize
11.4MB

Download
memory/1212-54-0x000007FEFC071000-0x000007FEFC073000-memory.dmp

Filesize
8KB

Download
memory/1212-62-0x000000000295B000-0x000000000297A000-memory.dmp

Filesize
124KB

Download
memory/1212-61-0x0000000002954000-0x0000000002957000-memory.dmp

Filesize
12KB

Download
memory/1304-65-0x0000000000000000-mapping.dmp

Download
memory/1304-75-0x00000000025AB000-0x00000000025CA000-memory.dmp

Filesize
124KB

Download
memory/1304-72-0x00000000025AB000-0x00000000025CA000-memory.dmp

Filesize
124KB

Download
memory/1304-71-0x00000000025A4000-0x00000000025A7000-memory.dmp

Filesize
12KB

Download
memory/1304-69-0x000007FEF3B30000-0x000007FEF468D000-memory.dmp

Filesize
11.4MB

Download
memory/1304-68-0x000007FEF4690000-0x000007FEF50B3000-memory.dmp

Filesize
10.1MB

Download
memory/1964-77-0x0000000000000000-mapping.dmp

Download
memory/2012-94-0x0000000000000000-mapping.dmp

Download
memory/2012-97-0x000007FEF3E20000-0x000007FEF4843000-memory.dmp

Filesize
10.1MB

Download
memory/2012-98-0x000007FEF3200000-0x000007FEF3D5D000-memory.dmp

Filesize
11.4MB

Download
memory/2012-99-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/2012-101-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/2012-102-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads