c3baa70d8ccba80b140591a63c3d0ffa8654611a3eeee20e04c0cb97c0bb229e

Resubmissions

02/01/2023, 06:41

230102-hf4ebadf34 7

02/01/2023, 06:33

230102-ha681sdf27 1

Analysis

max time kernel
249s
max time network
235s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2023, 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.ps1
Size

209B
MD5

10a482cff8e8d35765657f3e891ba8ec
SHA1

72052d4dbe93c50dfa7d3f28e041f62670e60f51
SHA256

c3baa70d8ccba80b140591a63c3d0ffa8654611a3eeee20e04c0cb97c0bb229e
SHA512

ca8934c2df998758ff36af8c22085142e97c5abcb016e0324f2ea7e41e63a8b65907090edf2c60142befea1ecda1ea43db7b2e5cbcb58baa206a90877aded4a6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3324	powershell.exe
3324	powershell.exe
1796	powershell.exe
1796	powershell.exe
1616	powershell.exe
1616	powershell.exe
3660	powershell.exe
3660	powershell.exe
4384	powershell.exe
4384	powershell.exe
452	powershell.exe
452	powershell.exe
2476	powershell.exe
2476	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 4808	3228	cmd.exe	98
PID 3228 wrote to memory of 4808	3228	cmd.exe	98
PID 3228 wrote to memory of 672	3228	cmd.exe	99
PID 3228 wrote to memory of 672	3228	cmd.exe	99
PID 1796 wrote to memory of 2692	1796	powershell.exe	103
PID 1796 wrote to memory of 2692	1796	powershell.exe	103
PID 1796 wrote to memory of 4156	1796	powershell.exe	104
PID 1796 wrote to memory of 4156	1796	powershell.exe	104
PID 1796 wrote to memory of 4328	1796	powershell.exe	105
PID 1796 wrote to memory of 4328	1796	powershell.exe	105
PID 1796 wrote to memory of 4744	1796	powershell.exe	106
PID 1796 wrote to memory of 4744	1796	powershell.exe	106
PID 4744 wrote to memory of 1616	4744	wscript.exe	107
PID 4744 wrote to memory of 1616	4744	wscript.exe	107
PID 1616 wrote to memory of 3272	1616	powershell.exe	109
PID 1616 wrote to memory of 3272	1616	powershell.exe	109
PID 1796 wrote to memory of 1988	1796	powershell.exe	110
PID 1796 wrote to memory of 1988	1796	powershell.exe	110
PID 1988 wrote to memory of 3660	1988	wscript.exe	111
PID 1988 wrote to memory of 3660	1988	wscript.exe	111
PID 3660 wrote to memory of 412	3660	powershell.exe	113
PID 3660 wrote to memory of 412	3660	powershell.exe	113
PID 1796 wrote to memory of 4724	1796	powershell.exe	114
PID 1796 wrote to memory of 4724	1796	powershell.exe	114
PID 4724 wrote to memory of 4384	4724	wscript.exe	115
PID 4724 wrote to memory of 4384	4724	wscript.exe	115
PID 4384 wrote to memory of 3432	4384	powershell.exe	117
PID 4384 wrote to memory of 3432	4384	powershell.exe	117
PID 1796 wrote to memory of 3640	1796	powershell.exe	118
PID 1796 wrote to memory of 3640	1796	powershell.exe	118
PID 3640 wrote to memory of 452	3640	wscript.exe	119
PID 3640 wrote to memory of 452	3640	wscript.exe	119
PID 452 wrote to memory of 5080	452	powershell.exe	121
PID 452 wrote to memory of 5080	452	powershell.exe	121
PID 1796 wrote to memory of 808	1796	powershell.exe	122
PID 1796 wrote to memory of 808	1796	powershell.exe	122
PID 808 wrote to memory of 2476	808	wscript.exe	123
PID 808 wrote to memory of 2476	808	wscript.exe	123
PID 2476 wrote to memory of 4836	2476	powershell.exe	125
PID 2476 wrote to memory of 4836	2476	powershell.exe	125

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\system32\wscript.exe
  wscript.exe "%system32%\SyncAppvPublishingServer.vbs" "n;cmd.exe curl https://google.com"
  2⤵
  PID:4808
- C:\Windows\system32\wscript.exe
  wscript.exe "%system32%\SyncAppvPublishingServer.vbs" "n;cmd.exe curl -I https://google.com"
  2⤵
  PID:672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\system32\wscript.exe
  "C:\Windows\system32\wscript.exe" %system32%\SyncAppvPublishingServer.vbs "n;cmd.exe curl -I https://google.com"
  2⤵
  PID:2692
- C:\Windows\system32\wscript.exe
  "C:\Windows\system32\wscript.exe" %system32%\SyncAppvPublishingServer.vbs "n;cmd.exe curl -I https://google.com"
  2⤵
  PID:4156
- C:\Windows\system32\wscript.exe
  "C:\Windows\system32\wscript.exe" %system32%\SyncAppvPublishingServer.vbs "n;cmd.exe curl -I https://google.com"
  2⤵
  PID:4328
- C:\Windows\system32\wscript.exe
  "C:\Windows\system32\wscript.exe" C:\\windows\system32\SyncAppvPublishingServer.vbs "n;cmd.exe curl -I https://google.com"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;cmd.exe curl -I https://google.com}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" curl -I https://google.com
      4⤵
      PID:3272
- C:\Windows\system32\wscript.exe
  "C:\Windows\system32\wscript.exe" C:\\windows\system32\SyncAppvPublishingServer.vbs "n;cmd.exe curl -I https://google.com"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;cmd.exe curl -I https://google.com}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3660
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" curl -I https://google.com
      4⤵
      PID:412
- C:\Windows\system32\wscript.exe
  "C:\Windows\system32\wscript.exe" C:\\windows\system32\SyncAppvPublishingServer.vbs "n;cmd.exe curl -I https://google.com"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;cmd.exe curl -I https://google.com}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" curl -I https://google.com
      4⤵
      PID:3432
- C:\Windows\system32\wscript.exe
  "C:\Windows\system32\wscript.exe" C:\\windows\system32\SyncAppvPublishingServer.vbs "n;cmd.exe curl -I https://google.com"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;cmd.exe curl -I https://google.com}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" curl -I https://google.com
      4⤵
      PID:5080
- C:\Windows\system32\wscript.exe
  "C:\Windows\system32\wscript.exe" C:\\windows\system32\SyncAppvPublishingServer.vbs "n;cmd.exe ping -t localhost"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;cmd.exe ping -t localhost}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" ping -t localhost
      4⤵
      PID:4836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
memory/452-169-0x00007FF8106B0000-0x00007FF811171000-memory.dmp

Filesize
10.8MB

Download
memory/452-172-0x00007FF8106B0000-0x00007FF811171000-memory.dmp

Filesize
10.8MB

Download
memory/452-167-0x00007FF828C50000-0x00007FF828D05000-memory.dmp

Filesize
724KB

Download
memory/1616-150-0x00007FF828C50000-0x00007FF828D05000-memory.dmp

Filesize
724KB

Download
memory/1616-152-0x0000016DFE0B0000-0x0000016DFE0DE000-memory.dmp

Filesize
184KB

Download
memory/1616-158-0x00007FF8106B0000-0x00007FF811171000-memory.dmp

Filesize
10.8MB

Download
memory/1616-151-0x0000016DFDF90000-0x0000016DFDFAC000-memory.dmp

Filesize
112KB

Download
memory/1616-148-0x00007FF8106B0000-0x00007FF811171000-memory.dmp

Filesize
10.8MB

Download
memory/1796-142-0x00007FF8106B0000-0x00007FF811171000-memory.dmp

Filesize
10.8MB

Download
memory/1796-138-0x0000025BFFD20000-0x0000025BFFD64000-memory.dmp

Filesize
272KB

Download
memory/1796-139-0x00007FF8106B0000-0x00007FF811171000-memory.dmp

Filesize
10.8MB

Download
memory/1796-178-0x00007FF8106B0000-0x00007FF811171000-memory.dmp

Filesize
10.8MB

Download
memory/1796-140-0x0000025BFFE20000-0x0000025BFFE96000-memory.dmp

Filesize
472KB

Download
memory/2476-179-0x00007FF8106B0000-0x00007FF811171000-memory.dmp

Filesize
10.8MB

Download
memory/2476-175-0x00007FF828C50000-0x00007FF828D05000-memory.dmp

Filesize
724KB

Download
memory/2476-177-0x00007FF8106B0000-0x00007FF811171000-memory.dmp

Filesize
10.8MB

Download
memory/3324-132-0x00000279F9860000-0x00000279F9882000-memory.dmp

Filesize
136KB

Download
memory/3324-134-0x00007FF812820000-0x00007FF8132E1000-memory.dmp

Filesize
10.8MB

Download
memory/3324-133-0x00007FF812820000-0x00007FF8132E1000-memory.dmp

Filesize
10.8MB

Download
memory/3660-157-0x00007FF828C50000-0x00007FF828D05000-memory.dmp

Filesize
724KB

Download
memory/3660-156-0x00007FF8106B0000-0x00007FF811171000-memory.dmp

Filesize
10.8MB

Download
memory/3660-170-0x00007FF8106B0000-0x00007FF811171000-memory.dmp

Filesize
10.8MB

Download
memory/4384-171-0x00007FF8106B0000-0x00007FF811171000-memory.dmp

Filesize
10.8MB

Download
memory/4384-164-0x00007FF8106B0000-0x00007FF811171000-memory.dmp

Filesize
10.8MB

Download
memory/4384-162-0x00007FF828C50000-0x00007FF828D05000-memory.dmp

Filesize
724KB

Download