Malware Analysis Report

2025-05-28 17:35

Sample ID 230109-gawxlsdb35
Target 31b56e2f-5992-4669-adf3-2b4fd3a2fdf1.zip
SHA256 4e4ef37cbbe04766712cd6a9dd1985f718f7dd82fecf00ade30a018ad2146c7a
Tags
qakbot obama224 1669794048 banker stealer trojan
Score
10/10

Analysis Overview

Score
10/10

SHA256

4e4ef37cbbe04766712cd6a9dd1985f718f7dd82fecf00ade30a018ad2146c7a

Threat Level: Known bad

The file 31b56e2f-5992-4669-adf3-2b4fd3a2fdf1.zip was found to be: Known bad.

Malicious Activity Summary

qakbot obama224 1669794048 banker stealer trojan

Qakbot/Qbot

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-09 05:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-09 05:36

Reported

2023-01-09 05:40

Platform

win7-20221111-en

Max time kernel

150s

Max time network

33s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WP.vbs"

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (2 identical rows)
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A (57 identical rows)

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 792 wrote to memory of 620 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical rows)
PID 620 wrote to memory of 560 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\rundll32.exe (7 identical rows)
PID 560 wrote to memory of 864 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wermgr.exe (6 identical rows)

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WP.vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass metaphysic\\possessively.ps1

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\users\public\mercifulHaddock.txt DrawThemeIcon

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

Network

N/A

Files

memory/792-54-0x000007FEFC131000-0x000007FEFC133000-memory.dmp

memory/620-55-0x0000000000000000-mapping.dmp

memory/620-56-0x00000000763D1000-0x00000000763D3000-memory.dmp

memory/620-57-0x0000000074190000-0x000000007473B000-memory.dmp

memory/620-58-0x0000000074190000-0x000000007473B000-memory.dmp

memory/560-59-0x0000000000000000-mapping.dmp

memory/620-62-0x0000000074190000-0x000000007473B000-memory.dmp

C:\users\public\mercifulHaddock.txt

MD5 76593549a3162a83902138109f2de318
SHA1 be119fe481e00dbf35429e001015907f511bae3d
SHA256 24d7bb336cff00af352ee187d6c215dc037ac3f39ef1936deca18bb3ac472eb7
SHA512 b4964c156bb802a7e1ced49c3ac61cde62c9fa78659fd53772a665f4f5c56131e01427635c016241c08798eb68aa86d3ece354e9e05a0df8a55462de263f8ac9

\Users\Public\mercifulHaddock.txt

MD5 76593549a3162a83902138109f2de318
SHA1 be119fe481e00dbf35429e001015907f511bae3d
SHA256 24d7bb336cff00af352ee187d6c215dc037ac3f39ef1936deca18bb3ac472eb7
SHA512 b4964c156bb802a7e1ced49c3ac61cde62c9fa78659fd53772a665f4f5c56131e01427635c016241c08798eb68aa86d3ece354e9e05a0df8a55462de263f8ac9

memory/560-65-0x0000000000680000-0x00000000006AA000-memory.dmp

memory/560-64-0x0000000000680000-0x00000000006AA000-memory.dmp

memory/560-66-0x0000000000650000-0x000000000067D000-memory.dmp

memory/560-67-0x0000000000680000-0x00000000006AA000-memory.dmp

memory/864-68-0x0000000000000000-mapping.dmp

memory/560-70-0x0000000000680000-0x00000000006AA000-memory.dmp

memory/864-71-0x0000000000080000-0x00000000000AA000-memory.dmp

memory/864-72-0x0000000000080000-0x00000000000AA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-09 05:36

Reported

2023-01-09 05:40

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WP.vbs"

Signatures

Qakbot/Qbot

trojan banker stealer qakbot

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (2 identical rows)
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A (2 identical rows)
N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A (60 identical rows)

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WP.vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass metaphysic\\possessively.ps1

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\users\public\mercifulHaddock.txt DrawThemeIcon

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\wermgr.exe

Network

Country | Destination | Domain | Proto
N/A | 93.184.221.240:80 | | tcp
N/A | 20.52.64.200:443 | | tcp

Files

memory/4468-132-0x0000000000000000-mapping.dmp

memory/4468-133-0x00000000029C0000-0x00000000029F6000-memory.dmp

memory/4468-134-0x0000000005610000-0x0000000005C38000-memory.dmp

memory/4468-135-0x0000000005410000-0x0000000005432000-memory.dmp

memory/4468-136-0x00000000054B0000-0x0000000005516000-memory.dmp

memory/4468-137-0x0000000005590000-0x00000000055F6000-memory.dmp

memory/4468-138-0x00000000062E0000-0x00000000062FE000-memory.dmp

memory/4468-139-0x0000000007570000-0x0000000007606000-memory.dmp

memory/4468-140-0x0000000006800000-0x000000000681A000-memory.dmp

memory/4468-141-0x00000000068A0000-0x00000000068C2000-memory.dmp

memory/4468-142-0x0000000007BC0000-0x0000000008164000-memory.dmp

memory/5088-143-0x0000000000000000-mapping.dmp

C:\users\public\mercifulHaddock.txt

MD5 76593549a3162a83902138109f2de318
SHA1 be119fe481e00dbf35429e001015907f511bae3d
SHA256 24d7bb336cff00af352ee187d6c215dc037ac3f39ef1936deca18bb3ac472eb7
SHA512 b4964c156bb802a7e1ced49c3ac61cde62c9fa78659fd53772a665f4f5c56131e01427635c016241c08798eb68aa86d3ece354e9e05a0df8a55462de263f8ac9

C:\Users\Public\mercifulHaddock.txt

MD5 76593549a3162a83902138109f2de318
SHA1 be119fe481e00dbf35429e001015907f511bae3d
SHA256 24d7bb336cff00af352ee187d6c215dc037ac3f39ef1936deca18bb3ac472eb7
SHA512 b4964c156bb802a7e1ced49c3ac61cde62c9fa78659fd53772a665f4f5c56131e01427635c016241c08798eb68aa86d3ece354e9e05a0df8a55462de263f8ac9

memory/5088-146-0x0000000000D20000-0x0000000000D4D000-memory.dmp

memory/5088-147-0x0000000000D50000-0x0000000000D7A000-memory.dmp

memory/2360-148-0x0000000000000000-mapping.dmp

memory/5088-149-0x0000000000D50000-0x0000000000D7A000-memory.dmp

memory/2360-150-0x0000000000160000-0x000000000018A000-memory.dmp

memory/2360-151-0x0000000000160000-0x000000000018A000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-01-09 05:36

Reported

2023-01-09 05:40

Platform

win7-20220901-en

Max time kernel

43s

Max time network

47s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\metaphysic\possessively.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (2 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\metaphysic\possessively.ps1

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\users\public\mercifulHaddock.txt DrawThemeIcon

Network

N/A

Files

memory/1752-54-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp

memory/1752-55-0x000007FEF31B0000-0x000007FEF3BD3000-memory.dmp

memory/1752-56-0x000007FEF2650000-0x000007FEF31AD000-memory.dmp

memory/1752-57-0x000000001B830000-0x000000001BB2F000-memory.dmp

memory/1752-58-0x0000000002484000-0x0000000002487000-memory.dmp

memory/1752-59-0x000000000248B000-0x00000000024AA000-memory.dmp

memory/1716-60-0x0000000000000000-mapping.dmp

memory/1752-61-0x0000000002484000-0x0000000002487000-memory.dmp

memory/1752-62-0x000000000248B000-0x00000000024AA000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2023-01-09 05:36

Reported

2023-01-09 05:40

Platform

win10v2004-20220812-en

Max time kernel

90s

Max time network

153s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\metaphysic\possessively.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (2 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1564 wrote to memory of 4564 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\rundll32.exe (2 identical rows)

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\metaphysic\possessively.ps1

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\users\public\mercifulHaddock.txt DrawThemeIcon

Network

Country | Destination | Domain | Proto
N/A | 93.184.220.29:80 | | tcp (2 identical rows)
N/A | 13.69.239.73:443 | | tcp

Files

memory/1564-132-0x0000018B657C0000-0x0000018B657E2000-memory.dmp

memory/1564-133-0x00007FFBC8BD0000-0x00007FFBC9691000-memory.dmp

memory/4564-134-0x0000000000000000-mapping.dmp

memory/1564-135-0x00007FFBC8BD0000-0x00007FFBC9691000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2023-01-09 05:36

Reported

2023-01-09 05:40

Platform

win7-20221111-en

Max time kernel

31s

Max time network

33s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\metaphysic\privates.vbs"

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\metaphysic\privates.vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass metaphysic\\possessively.ps1

Network

N/A

Files

memory/1192-54-0x000007FEFC201000-0x000007FEFC203000-memory.dmp

memory/852-55-0x0000000000000000-mapping.dmp

memory/852-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

memory/852-57-0x00000000743F0000-0x000000007499B000-memory.dmp

memory/852-58-0x00000000743F0000-0x000000007499B000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2023-01-09 05:36

Reported

2023-01-09 05:40

Platform

win10v2004-20220812-en

Max time kernel

83s

Max time network

141s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\metaphysic\privates.vbs"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A (2 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\metaphysic\privates.vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass metaphysic\\possessively.ps1

Network

Country | Destination | Domain | Proto
N/A | 93.184.220.29:80 | | tcp
N/A | 20.42.65.89:443 | | tcp
N/A | 104.110.191.133:80 | | tcp (2 identical rows)

Files

memory/420-132-0x0000000000000000-mapping.dmp

memory/420-133-0x0000000002CD0000-0x0000000002D06000-memory.dmp

memory/420-134-0x0000000005830000-0x0000000005E58000-memory.dmp

memory/420-135-0x0000000005700000-0x0000000005722000-memory.dmp

memory/420-136-0x00000000057A0000-0x0000000005806000-memory.dmp

memory/420-137-0x0000000005ED0000-0x0000000005F36000-memory.dmp

memory/420-138-0x00000000065D0000-0x00000000065EE000-memory.dmp