Analysis
max time kernel: 106s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 01/05/2023, 05:07
Static task: static1
Behavioral task: behavioral1
Sample: t.ps1
Resource: win7-20230220-en
General
Target: t.ps1
Size: 226KB
MD5: 2e5964cc837e99181da8fbb1a72459f4
SHA1: 554eccb95fd042e7b59ae59009e66c02d40bc606
SHA256: bf2d33230f6da074a70938e96042a56f340d26b34511ddd254e10a0293f746b6
SHA512: 5f5a3b257260f752ce6b4be76df05784778bc1173f58bf540e05533ef2258fb57163089636fb8f9e46b0ab5e1677b049b8b75fa7622165d3ed2154e3230bee5c
SSDEEP: 1536:eeMD10HxuHY05UIy4rpmLoKZqcxU7SHzqQHw7rRim3ve0pAGFBQDVWQIypscdLNk:1k0t0iInKWQIyj37vB1rsz131513ApG
Malware Config
Signatures

Drops file in System32 directory (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | process
  1064 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | process
  1676 | powershell.exe
  1272 | powershell.exe
  1924 | powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1676 | powershell.exe
  Token: SeDebugPrivilege | 1272 | powershell.exe
  Token: SeDebugPrivilege | 1924 | powershell.exe

Suspicious use of WriteProcessMemory (27 IoCs; each entry below is recorded three times in the report)
  description | pid | process | procid_target
  PID 1676 wrote to memory of 1064 | 1676 | powershell.exe | 29
  PID 560 wrote to memory of 1324 | 560 | taskeng.exe | 31
  PID 1324 wrote to memory of 1372 | 1324 | WScript.exe | 32
  PID 1372 wrote to memory of 108 | 1372 | cmd.exe | 34
  PID 108 wrote to memory of 1272 | 108 | cmd.exe | 35
  PID 560 wrote to memory of 912 | 560 | taskeng.exe | 36
  PID 912 wrote to memory of 1684 | 912 | WScript.exe | 37
  PID 1684 wrote to memory of 840 | 1684 | cmd.exe | 39
  PID 840 wrote to memory of 1924 | 840 | cmd.exe | 40

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\t.ps1
  PID: 1676
  signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  C:\Windows\system32\schtasks.exe
    command line: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn log /tr C:\ProgramData\log\log.vbs
    PID: 1064
    signatures: Creates scheduled task(s)

C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {CB380C0F-6EDA-44DA-B82F-FF6E4A6BDCDE} S-1-5-21-2647223082-2067913677-935928954-1000:BPOQNXYB\Admin:Interactive:[1]
  PID: 560
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\System32\WScript.exe
    command line: C:\Windows\System32\WScript.exe "C:\ProgramData\log\log.vbs"
    PID: 1324
    signatures: Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
      command line: cmd /c ""C:\ProgramData\log\1.bat" "
      PID: 1372
      signatures: Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        command line: CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
        PID: 108
        signatures: Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
          PID: 1272
          signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WScript.exe
    command line: C:\Windows\System32\WScript.exe "C:\ProgramData\log\log.vbs"
    PID: 912
    signatures: Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
      command line: cmd /c ""C:\ProgramData\log\1.bat" "
      PID: 1684
      signatures: Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        command line: CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
        PID: 840
        signatures: Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
          PID: 1924
          signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 98B
MD5: 1c0e3a11c13201e27ad546a96ba9b235
SHA1: fc8c268814b29dd7355380303ccf915c6a0a46de
SHA256: 73de662f4a968fe1d94e3e29cfdd0a8f7e79f914cae64eca32ba55595c6b82e3
SHA512: cb30385e2813e75a02e99afbd1a7f1f288200140d1dc0e716facb708e21a4dd13581fa580a5b0e81b1c3080d107c10f3e44ab5891123236c7f9f3ba2aa31532a

Filesize: 225KB
MD5: 45115fc43fe6bfb9015eecb6a682fca1
SHA1: 35d5822da06aa21432025d74fb2b2baaa8dbffe1
SHA256: f501fd1cf1abab6ab840e26c5032b344ebec05c1446b160088469cbdc095303b
SHA512: 1f4223e9480007b73c97215af1bd60a57d361a72be6f32c787c1760024c94aa4824d313391351e7bf8dcf9cbe8a0e4e9aa14a71864a08153c5584e680ca8dedc

Filesize: 120B
MD5: 6be0eb96c776c22e099d7643281026f5
SHA1: 0f4934d51d6b7dd2a82cfe2d574c1994fe0aa67b
SHA256: 3e8f8fc88258f73995eaa6ce64e5093709b1386171512161e5f0ab81c9424503
SHA512: d0c4113016953135bd1cbb6d7504918b10e503467699bd342acd4981bccebc77a1cb054c56b82ef06847cff43da4d6266f4a281ec734e75244aeac8f510e999b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: a74761d326dcdc75d2e89632247723e2
SHA1: b4225ab523876b444d09e6a04ee5f8d25802b89e
SHA256: 0a4fbe52401d4f409a380d4bbefba55eb81d20cfe76fdcf90f0a9e4f6678d625
SHA512: 7ee2e0e3b1560019da051dde660044c95a0526426268f5443e1a45884b485a01819e91d637c1c23d946df98405d4e0c854d5f53708ecf833c3362df2bed2c1ec

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 812c5dfc890226509dac774c05d379a7
SHA1: c7439fc84a0c5da6b762d153cb2a16e7e69b0abc
SHA256: 39236eaf7107912160047b44b82776e228d32c9ffcc6476f622cc816a0c03c6c
SHA512: 4a3041fb4ea9db175f2d4593c64fec58fbdcc7f33bf3de6efe0a81d637928ffcd22141bb3e6515678766479173b446776844bf46d822e40b302c0a8362a243c9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D1NYQN7KJQUH8THQC22T.temp
Filesize: 7KB
MD5: a74761d326dcdc75d2e89632247723e2
SHA1: b4225ab523876b444d09e6a04ee5f8d25802b89e
SHA256: 0a4fbe52401d4f409a380d4bbefba55eb81d20cfe76fdcf90f0a9e4f6678d625
SHA512: 7ee2e0e3b1560019da051dde660044c95a0526426268f5443e1a45884b485a01819e91d637c1c23d946df98405d4e0c854d5f53708ecf833c3362df2bed2c1ec