Analysis
max time kernel: 145s
max time network: 30s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 01/05/2023, 05:34
Static task: static1
Behavioral task: behavioral1 (Sample: B.ps1, Resource: win7-20230220-en)
General
Target: B.ps1
Size: 226KB
MD5: fb299e0e8ae35692f1541b2912812184
SHA1: 4ef1f2589e960b9645a8010920da2b1caacdd350
SHA256: e2e4ce0315ef9f241c5d3ab09ccc9de3f8bd71f5388d8a4dd7fadd0a1110f266
SHA512: ba36c4ad9721ad46f2cd56a819643ed4d01804d76952638c1f7842d745c10ca0e70be874ad5e6de504627c4210545247b9da9312574fb0fc658fe13032450863
SSDEEP: 1536:FeMD10HxuHY05UIy4rpmLoKZqcxU7SHzqQHw7rRim3ve0pAGFBQDVWQIypsc8bIX:gk0t0iInKWQIyjdZaRMXYxr315+3ApA
Malware Config
Signatures
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
The path is reproduced as the report recorded it, with %ProgramData% left unexpanded and resolved relative to System32. The file named is the Windows PowerShell Start Menu shortcut, which the PowerShell host itself touches when it runs, so this entry is most likely host housekeeping rather than a dropped payload; the signature fires on the System32 prefix, not on anything the sample wrote.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
268 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
1472 | powershell.exe
1532 | powershell.exe
1520 | powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1472 | powershell.exe
Token: SeDebugPrivilege | 1532 | powershell.exe
Token: SeDebugPrivilege | 1520 | powershell.exe
Suspicious use of WriteProcessMemory (30 IoCs; each of the ten parent/child pairs below was recorded three times)
description | pid | Process | procid_target (the report's internal index of the target process, not its PID)
PID 1472 wrote to memory of 268 | 1472 | powershell.exe | 29
PID 756 wrote to memory of 984 | 756 | taskeng.exe | 31
PID 984 wrote to memory of 680 | 984 | WScript.exe | 32
PID 680 wrote to memory of 644 | 680 | cmd.exe | 34
PID 644 wrote to memory of 1532 | 644 | cmd.exe | 35
PID 756 wrote to memory of 1212 | 756 | taskeng.exe | 36
PID 1212 wrote to memory of 1992 | 1212 | WScript.exe | 37
PID 1992 wrote to memory of 1224 | 1992 | cmd.exe | 39
PID 1224 wrote to memory of 1520 | 1224 | cmd.exe | 40
PID 756 wrote to memory of 1616 | 756 | taskeng.exe | 41
Every pair above is a parent writing into a child it has just created (compare the process tree below), which is normal process start-up on Windows; nothing here shows a write into an unrelated process, so this signature should not be read as code injection.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\B.ps1
  PID: 1472
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn Nothing /tr C:\ProgramData\Nothing\Nothing.vbs
    PID: 268
    Signatures: Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  taskeng.exe {68869657-4C96-4222-BE60-FF7741CF6351} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]
  PID: 756
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\ProgramData\Nothing\Nothing.vbs"
    PID: 984
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe
      cmd /c ""C:\ProgramData\Nothing\1.bat" "
      PID: 680
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"
        PID: 644
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"
          PID: 1532
          Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\ProgramData\Nothing\Nothing.vbs"
    PID: 1212
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe
      cmd /c ""C:\ProgramData\Nothing\1.bat" "
      PID: 1992
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"
        PID: 1224
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"
          PID: 1520
          Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\ProgramData\Nothing\Nothing.vbs"
    PID: 1616
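The two mechanisms the report shows, the schtasks /create persistence (signature above) and the taskeng.exe -> WScript.exe -> cmd.exe -> cmd.exe -> powershell.exe launch chain with abbreviated -NOP/-WIND/-eXEC/-NONI switches, as detection logic over process-creation events. This is an added example, not part of the sandbox report or the sample. The event list is constructed from the process tree: PIDs and command lines are copied as printed, parent PIDs follow the tree's nesting, and the two roots get PPID 0 because the report shows no parent for them. The powershell.exe parameter table (full name, shortest accepted prefix) is my reading of the host's prefix-matching rule, not an official list, and the schtasks value-flag set is likewise an assumption.

```python
"""Detection for the persistence chain in the report above: schtasks /create every minute, then
taskeng.exe -> WScript.exe -> cmd.exe -> powershell.exe with abbreviated switches.  Added example, not
sandbox output.  EVENTS is constructed from the report's process tree: PIDs and command lines as
printed, parent PIDs from the tree nesting, PPID 0 for the two roots whose parent is not shown."""
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    ProcEvent(1472, 0, PS, r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\B.ps1"),
    ProcEvent(268, 1472, r"C:\Windows\system32\schtasks.exe",
              r'"C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn Nothing /tr C:\ProgramData\Nothing\Nothing.vbs'),
    ProcEvent(756, 0, r"C:\Windows\system32\taskeng.exe", r"taskeng.exe {68869657-4C96-4222-BE60-FF7741CF6351} "
              r"S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]"),
    ProcEvent(984, 756, r"C:\Windows\System32\WScript.exe", r'C:\Windows\System32\WScript.exe "C:\ProgramData\Nothing\Nothing.vbs"'),
    ProcEvent(680, 984, r"C:\Windows\System32\cmd.exe", r'cmd /c ""C:\ProgramData\Nothing\1.bat" "'),
    ProcEvent(644, 680, r"C:\Windows\system32\cmd.exe",
              r'CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"'),
    ProcEvent(1532, 644, PS, r'POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"'),
]  # the second run (PIDs 1212 / 1992 / 1224 / 1520) has the same shape and is omitted

SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta")
USER_WRITABLE = re.compile(r"^[a-z]:\\(?:programdata|users\\[^\\]+\\appdata|users\\public|windows\\temp)\\", re.I)
# schtasks switches that consume the next token (assumed list); everything else is a bare switch such as /f or /it
SCHTASKS_VALUE_FLAGS = {"/sc", "/mo", "/tn", "/tr", "/st", "/sd", "/et", "/ed", "/d", "/m", "/i", "/du", "/ri",
                        "/ru", "/rp", "/s", "/u", "/p", "/rl", "/ec", "/xml", "/delay"}
# powershell.exe parameters as (full name, shortest accepted prefix, takes a value).  The host accepts any
# case-insensitive prefix of the full name no shorter than the shortest form, which is why -nop, -wind,
# -exec and -noni all work; this table is my reading of that rule, not an official list.
PS_PARAMS = [("noprofile", "nop", False), ("nologo", "nol", False), ("noninteractive", "noni", False),
             ("noexit", "noe", False), ("windowstyle", "w", True), ("executionpolicy", "ex", True),
             ("encodedcommand", "e", True), ("command", "c", True), ("file", "f", True)]
PS_ALIASES = {"ep": "executionpolicy", "ec": "encodedcommand"}  # accepted short forms that are not prefixes
TASK_HOSTS = {"taskeng.exe", "svchost.exe"}  # taskeng.exe on Windows 7; the Schedule svchost on Windows 8 and later
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def tokenize(cmdline):
    """Whitespace split that keeps quoted runs together (quotes stripped); not a full CommandLineToArgvW."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def resolve_ps_param(token):
    """Map -eXEC, /nop, -ep ... to (full name, takes_value); None when unknown or ambiguous (e.g. -no)."""
    key = token.lstrip("-/").lower()
    key = PS_ALIASES.get(key, key)
    hits = [(full, takes) for full, shortest, takes in PS_PARAMS if full.startswith(key) and len(key) >= len(shortest)]
    return hits[0] if len(hits) == 1 else None


def parse_cmdline(cmdline, resolve):
    """Walk 'switch [value]' pairs after the image name; resolve(token) returns (name, takes_value) or None."""
    toks, named, positional, i = tokenize(cmdline), {}, [], 1
    while i < len(toks):
        hit = resolve(toks[i])
        if hit is None:
            positional.append(toks[i])
            i += 1
        elif hit[1] and i + 1 < len(toks):
            named[hit[0]] = toks[i + 1]
            i += 2
        else:
            named[hit[0]] = True
            i += 1
    return named, positional


def schtasks_finding(ev):
    """Flag schtasks /create with a short minute interval or a script action in a user-writable path."""
    opts, _ = parse_cmdline(ev.cmdline, lambda t: (t.lower(), t.lower() in SCHTASKS_VALUE_FLAGS) if t.startswith("/") else None)
    if "/create" not in opts:
        return None
    program = (tokenize(str(opts.get("/tr", ""))) or [""])[0]  # /tr may carry arguments after the program
    reasons = []
    if str(opts.get("/sc", "")).lower() == "minute" and str(opts.get("/mo", "")).isdigit() and int(opts["/mo"]) <= 5:
        reasons.append(f"runs every {opts['/mo']} minute(s)")
    if program.lower().endswith(SCRIPT_EXT):
        reasons.append("action is a script")
    if USER_WRITABLE.match(program):
        reasons.append("action in user-writable path")
    return {"kind": "schtasks", "pid": ev.pid, "task": opts.get("/tn"), "action": program, "reasons": reasons} if reasons else None


def powershell_finding(ev):
    """Flag policy bypass, hidden window, non-interactive / no-profile / encoded runs and scripts in user-writable paths."""
    params, positional = parse_cmdline(ev.cmdline, lambda t: resolve_ps_param(t) if len(t) > 1 and t[0] in "-/" else None)
    reasons = []
    policy = str(params.get("executionpolicy", "")).lower()
    if policy in ("bypass", "unrestricted"):
        reasons.append(f"ExecutionPolicy {policy}")
    if str(params.get("windowstyle", "")).lower() == "hidden":
        reasons.append("WindowStyle hidden")
    reasons += [s for s in ("noninteractive", "noprofile", "encodedcommand") if s in params]
    # the report's form passes the script as a bare trailing argument, so look at positionals as well as -File
    script = next((p for p in [params.get("file"), *positional] if isinstance(p, str) and p.lower().endswith(".ps1")), None)
    if script and USER_WRITABLE.match(script):
        reasons.append("script in user-writable path")
    return {"kind": "powershell", "pid": ev.pid, "script": script, "reasons": reasons} if reasons else None


def scheduled_script_chain(ev, by_pid):
    """PIDs from the task host down to ev when ev descends from a scheduled task through a script host, else []."""
    chain, cur, seen = [ev], ev, {ev.pid}
    while cur.ppid in by_pid and cur.ppid not in seen:  # stop at an unknown parent or a PID-reuse cycle
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
        if basename(cur.image) in TASK_HOSTS:
            return [p.pid for p in reversed(chain)] if any(basename(p.image) in SCRIPT_HOSTS for p in chain) else []
    return []


def analyze(events):
    """Run both detections over a batch of process-creation events; PowerShell findings get their launch chain."""
    by_pid, findings = {e.pid: e for e in events}, []
    for ev in events:
        name = basename(ev.image)
        finding = schtasks_finding(ev) if name == "schtasks.exe" else powershell_finding(ev) if name == "powershell.exe" else None
        if finding is None:
            continue
        if finding["kind"] == "powershell":
            finding["chain"] = scheduled_script_chain(ev, by_pid)
        findings.append(finding)
    return findings
```

Two points worth noticing when running this against the report's tree. The sandbox's own launcher (PID 1472, `-ExecutionPolicy bypass -File ...\Temp\B.ps1`) is flagged on the policy and path alone but gets an empty chain, so a real pipeline would whitelist the submission harness and weight the chain finding (PID 1532, host 756 -> 984 -> 680 -> 644 -> 1532) much higher. And because the host resolves prefixes, a rule that string-matches `-ExecutionPolicy Bypass` or `-WindowStyle Hidden` misses exactly the `-eXEC BYPASS -WIND HIDDEN` spelling used here; normalising the parameters first, as resolve_ps_param does, closes that gap.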
Network
MITRE ATT&CK Enterprise v6
Downloads
The first three entries are listed by the report without a path. The customDestinations-ms and .temp entries are Windows jump-list files under the user's Recent folder (590aee7bdd69b59b is the Windows PowerShell host's AppID); the host updates them routinely as it runs, so they are side effects of PowerShell executing, not payloads the sample dropped.
- Filesize: 106B
  MD5: 2135f53fe669b95ef3dfc8159f002f35
  SHA1: 784f7c804a8017298a0444961da570c54e234128
  SHA256: a012ee5f76492bcf0a72c415f098d0a0e21ea28f3a08e179089ed74ec1051134
  SHA512: 6115083a87f84bbbd28607c407324539c9ae5e6834c6d18404ed516f993ab4f7fedb246c192257183dc429bf2a23b84c81fa52e608a3486666a0ecd001614b92
- Filesize: 225KB
  MD5: 633e2bd5aad471f331d308b70df2cde7
  SHA1: 187f14b57103beffada3b283eeba4f528a466b00
  SHA256: d1e4eab2f9cb99e6d3fcf39b82bfcf7cdc216cd355570b8305c15877889afcea
  SHA512: 7c36819998154344f6ae6c68b2f72d559fd92a088fd4a96c30b75727310cdcf36b4f42dc57f66a4e438ff1cac1fa121479e7d20630b7ddfdc1ebb520b343fb80
- Filesize: 124B
  MD5: 617f5a86804776b6e4153709d03fd144
  SHA1: 2abe924e3ada5b487a9a67ee22e8e1c21a47b516
  SHA256: b582e1508d3cc895cbb37a547a770a62e1c02ec555265f7bd231c734127b3867
  SHA512: a40b25239589f3029a837077c639633e966f69c6c4096db1cad526e849fd5a44bef01270dc4f20049829ed8e85f1fae3e6e0b3d4be8c049d7c974df958136842
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 614647975b625573447271943405080c
  SHA1: 0159d1fdece23f207e1aa7cb7676052d8e0cc4fd
  SHA256: 3d9b1567e9703e6eb02e910f73b7e0c590f716c0dceacdb5681c272573fa80e8
  SHA512: 13596242ab625385517e6206a085c8926104b090baff337c3ca35ecf8ab3d7c79338cffb086bd258044778e9a2943684f3e3b600c603f6901b99c9cbb43d96ab
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 9b722da9a4f40066e58f798a8b473eab
  SHA1: 58fb49e834cff76f478b33a0f622c704aa817341
  SHA256: 14e54ab80c704639d7ce27beedc7aa2542ccd9ee9fbb6fd42dd1e301db44076f
  SHA512: 77933bddd553827f3d587a928b4dd7c47bfc6e517f1de2dfa582d2094de25508a271abf27a88f5c3025d2c3e72772540eb0d874cce22d32c6b61c83a23ed9cc0
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DGS0SYYEAVCVPN1S38G2.temp
  Filesize: 7KB
  MD5: 614647975b625573447271943405080c
  SHA1: 0159d1fdece23f207e1aa7cb7676052d8e0cc4fd
  SHA256: 3d9b1567e9703e6eb02e910f73b7e0c590f716c0dceacdb5681c272573fa80e8
  SHA512: 13596242ab625385517e6206a085c8926104b090baff337c3ca35ecf8ab3d7c79338cffb086bd258044778e9a2943684f3e3b600c603f6901b99c9cbb43d96ab