d623550382d57e1f3b8a521f00d4f05179da3073ac07d4ccaf4ced2999afc18b

General

Target

moos2.ps1
Size

689KB
MD5

5df47d50e52c1cdb011c12bfe2ed1203
SHA1

587b8357692cf1801a4aed650f5965ed5ee7337c
SHA256

d623550382d57e1f3b8a521f00d4f05179da3073ac07d4ccaf4ced2999afc18b
SHA512

096b87351742ab9598b8db72f889d1e75248a4c00e3bf5d4d0bd1ca048b023b9df5d412c3bb4354325f987830e2b795b623f22b766508ef89ccdbf0dd21729e5
SSDEEP

1536:zJ7guVMqP/wdjeE4+vTrDLq4m/R6p0mZEWF7L9nGuWsMwAZJffqWyaUUhmQv/2sy:a

Score

10^/10

persistence

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

POWERSHELL.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1708 784 POWERSHELL.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	784	POWERSHELL.exe

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	reg.exe

Drops file in System32 directory 2 IoCs

Processes:

POWERSHELL.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	POWERSHELL.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Modifies registry class 4 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1312 reg.exe
840 reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exePOWERSHELL.exepowershell.exe

pid process

1556 powershell.exe
1764 powershell.exe
1708 POWERSHELL.exe
880 powershell.exe

pid	process
1312	reg.exe
840	reg.exe

pid	process
1556	powershell.exe
1764	powershell.exe
1708	POWERSHELL.exe
880	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exePOWERSHELL.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	1708	POWERSHELL.exe
Token: SeDebugPrivilege	880	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

powershell.exepowershell.exePOWERSHELL.execmd.execmd.exe

description	pid	process	target process
PID 1556 wrote to memory of 1764	1556	powershell.exe	powershell.exe
PID 1556 wrote to memory of 1764	1556	powershell.exe	powershell.exe
PID 1556 wrote to memory of 1764	1556	powershell.exe	powershell.exe
PID 1764 wrote to memory of 1800	1764	powershell.exe	WScript.exe
PID 1764 wrote to memory of 1800	1764	powershell.exe	WScript.exe
PID 1764 wrote to memory of 1800	1764	powershell.exe	WScript.exe
PID 1708 wrote to memory of 1204	1708	POWERSHELL.exe	cmd.exe
PID 1708 wrote to memory of 1204	1708	POWERSHELL.exe	cmd.exe
PID 1708 wrote to memory of 1204	1708	POWERSHELL.exe	cmd.exe
PID 1204 wrote to memory of 1312	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 1312	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 1312	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 840	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 840	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 840	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 1036	1204	cmd.exe	cmd.exe
PID 1204 wrote to memory of 1036	1204	cmd.exe	cmd.exe
PID 1204 wrote to memory of 1036	1204	cmd.exe	cmd.exe
PID 1036 wrote to memory of 880	1036	cmd.exe	powershell.exe
PID 1036 wrote to memory of 880	1036	cmd.exe	powershell.exe
PID 1036 wrote to memory of 880	1036	cmd.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\moos2.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.ps1'"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.vbs"
3⤵
PID:1800

C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.bat
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\system32\cmd.exe
cmd /c ""C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
3⤵
- Modifies registry class
- Modifies registry key
PID:1312

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
PID:840

C:\Windows\system32\cmd.exe
cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\YPSPPQWKQDKPVWZHQCIIQZ.ps1'"
3⤵
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\YPSPPQWKQDKPVWZHQCIIQZ.ps1'"
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:880

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.bat
Filesize
706B

MD5
9999b95750b6f959dd0c3d4c7954f0ee

SHA1
22c4a26421cca8e30640ba82e0ef8b15d2a6237e

SHA256
9e728f939da712b6b01a3fab1965e4ae4c4f5cb58a25c948d29cf3c8dcc1dab3

SHA512
216408cc11036e3e62751962a850f53051e3804fdcc58ccd82b78d94952101bed9cae208e65508b167cfe2a6e71d045bd7daf391f39223c3029a65b2916eef88

Download Submit
C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.ps1
Filesize
3KB

MD5
4aa84ac8d8e1cb6f117e22afa522c7db

SHA1
7a8b3f44f002409efff5a108be66018547879531

SHA256
97cb4dd1f0737cf5628bcf0fe1ab310765ba991b00a5520d53e1b1afef0e874b

SHA512
b88a472648e2a9810b1f57a62414055a947549b8645f2bf407404ed69c2b8043b942ef775050791bd482ab0b13ee6192e3b638eef77cd9c4fdec3e08ae306cca

Download Submit
C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\TZOQCBINLOLHJQAPYIDAJV.vbs
Filesize
1KB

MD5
ffe187f86e83d51950c02f4dbbaa90f8

SHA1
b95682b36a27379ccd792d27a16967e881f4646d

SHA256
9bf3960d7875ec6f1547a480bc22dd0040d715620377422ca3aef9f0536ea093

SHA512
e6bac9e3c25707fef9ea7491bd69428fa2ee322bbc40e9b024fbb217120163dbb1e937f59bfd51e96f887fbc944aba3d3c59e8600900a1443733cd52af7db026

Download Submit
C:\ProgramData\TZOQCBINLOLHJQAPYIDAJV\YPSPPQWKQDKPVWZHQCIIQZ.ps1
Filesize
680KB

MD5
a0a0a7ebc8ad48aaf27cd5bcc77e387c

SHA1
3d84c33469f32a6bdc6158e36d5961d41de36600

SHA256
ad0d6f8a3e0d461e59b6288f417092e3f9d4f39706f51711d5597708d187117c

SHA512
1f74b19ebf00756dcc80c8381cd2a3f920731a69158752620a58b18acf3879f26abbc8e1931adcba2afd25639cf618fb3f9643871460bbbe0897f047e73e660e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
0fd8fe3c0bda6443d19a0c53ee486e60

SHA1
864b76f5e88cd933544108c0439ceaf30a1e744a

SHA256
a75ebf980846a7ba1aa30c95094e6eafc5423ddd52cf2e3b08254c3d8d90f859

SHA512
3fb98388da95579d452845fe5637bc5e92c3956681db477cbb728867befe4f453e6a77294183b17d5d052ad37ecc733beb94026c6173121cf88b62afaf98f27e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
0fd8fe3c0bda6443d19a0c53ee486e60

SHA1
864b76f5e88cd933544108c0439ceaf30a1e744a

SHA256
a75ebf980846a7ba1aa30c95094e6eafc5423ddd52cf2e3b08254c3d8d90f859

SHA512
3fb98388da95579d452845fe5637bc5e92c3956681db477cbb728867befe4f453e6a77294183b17d5d052ad37ecc733beb94026c6173121cf88b62afaf98f27e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
a0cdc3db799c59863993b29c3f6edaf9

SHA1
6d0b6bb36c9209bcaeffe917f2d43842768defbf

SHA256
0f2ecf3b7bab1e6f049a965925505f8026f7b482401ac570eb70784aa9a20b68

SHA512
3f63b13d6d06fb2e5d1e4199e890b7a648d10d2b3ff218104c5c68dcb4ed75acde2a2204064310b948825045879e341878e7070123d1453893293b5e3dd14352

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8G4AGT02OXRCP1LCM0DS.temp
Filesize
7KB

MD5
0fd8fe3c0bda6443d19a0c53ee486e60

SHA1
864b76f5e88cd933544108c0439ceaf30a1e744a

SHA256
a75ebf980846a7ba1aa30c95094e6eafc5423ddd52cf2e3b08254c3d8d90f859

SHA512
3fb98388da95579d452845fe5637bc5e92c3956681db477cbb728867befe4f453e6a77294183b17d5d052ad37ecc733beb94026c6173121cf88b62afaf98f27e

Download Submit
memory/880-100-0x00000000023BB000-0x00000000023F2000-memory.dmp

Filesize
220KB

Download
memory/880-99-0x0000000002760000-0x0000000002786000-memory.dmp

Filesize
152KB

Download
memory/880-97-0x00000000023B0000-0x0000000002430000-memory.dmp

Filesize
512KB

Download
memory/880-96-0x00000000023B0000-0x0000000002430000-memory.dmp

Filesize
512KB

Download
memory/1556-67-0x0000000001F00000-0x0000000001F80000-memory.dmp

Filesize
512KB

Download
memory/1556-62-0x0000000001F00000-0x0000000001F80000-memory.dmp

Filesize
512KB

Download
memory/1556-59-0x0000000002190000-0x0000000002198000-memory.dmp

Filesize
32KB

Download
memory/1556-60-0x0000000001F00000-0x0000000001F80000-memory.dmp

Filesize
512KB

Download
memory/1556-70-0x0000000001F00000-0x0000000001F80000-memory.dmp

Filesize
512KB

Download
memory/1556-69-0x0000000001F00000-0x0000000001F80000-memory.dmp

Filesize
512KB

Download
memory/1556-61-0x0000000001F00000-0x0000000001F80000-memory.dmp

Filesize
512KB

Download
memory/1556-71-0x0000000001F00000-0x0000000001F80000-memory.dmp

Filesize
512KB

Download
memory/1556-58-0x000000001B250000-0x000000001B532000-memory.dmp

Filesize
2.9MB

Download
memory/1556-63-0x0000000001F00000-0x0000000001F80000-memory.dmp

Filesize
512KB

Download
memory/1708-90-0x0000000002460000-0x00000000024E0000-memory.dmp

Filesize
512KB

Download
memory/1708-89-0x0000000002460000-0x00000000024E0000-memory.dmp

Filesize
512KB

Download
memory/1764-80-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/1764-81-0x000000000297B000-0x00000000029B2000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads