Analysis
max time kernel: 126s
max time network: 29s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
submitted: 01/05/2023, 08:22
Static task
static1
Behavioral task
behavioral1
Sample
t.png.ps1
Resource
win7-20230220-en
General
Target: t.png.ps1
Size: 226KB
MD5: 2e5964cc837e99181da8fbb1a72459f4
SHA1: 554eccb95fd042e7b59ae59009e66c02d40bc606
SHA256: bf2d33230f6da074a70938e96042a56f340d26b34511ddd254e10a0293f746b6
SHA512: 5f5a3b257260f752ce6b4be76df05784778bc1173f58bf540e05533ef2258fb57163089636fb8f9e46b0ab5e1677b049b8b75fa7622165d3ed2154e3230bee5c
SSDEEP: 1536:eeMD10HxuHY05UIy4rpmLoKZqcxU7SHzqQHw7rRim3ve0pAGFBQDVWQIypscdLNk:1k0t0iInKWQIyj37vB1rsz131513ApG
Malware Config
Signatures
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
764 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
1268 | powershell.exe
1468 | powershell.exe
1628 | powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1268 | powershell.exe
Token: SeDebugPrivilege | 1468 | powershell.exe
Token: SeDebugPrivilege | 1628 | powershell.exe

Suspicious use of WriteProcessMemory (27 IoCs; each row below was reported three times)
description | pid | Process | procid_target
PID 1268 wrote to memory of 764 | 1268 | powershell.exe | 28
PID 1768 wrote to memory of 1640 | 1768 | taskeng.exe | 30
PID 1640 wrote to memory of 1356 | 1640 | WScript.exe | 31
PID 1356 wrote to memory of 1476 | 1356 | cmd.exe | 33
PID 1476 wrote to memory of 1468 | 1476 | cmd.exe | 34
PID 1768 wrote to memory of 1920 | 1768 | taskeng.exe | 35
PID 1920 wrote to memory of 1972 | 1920 | WScript.exe | 36
PID 1972 wrote to memory of 320 | 1972 | cmd.exe | 38
PID 320 wrote to memory of 1628 | 320 | cmd.exe | 39

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows the parent/child depth; PIDs are from the sandbox run)

[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\t.png.ps1
    PID: 1268
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\schtasks.exe
        command line: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn log /tr C:\ProgramData\log\log.vbs
        PID: 764
        - Creates scheduled task(s)

[1] C:\Windows\system32\taskeng.exe
    command line: taskeng.exe {A128CDF7-9616-43F4-B8FE-2B577A25C89D} S-1-5-21-1914912747-3343861975-731272777-1000:TMRJMUQF\Admin:Interactive:[1]
    PID: 1768
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\WScript.exe
        command line: C:\Windows\System32\WScript.exe "C:\ProgramData\log\log.vbs"
        PID: 1640
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\cmd.exe
            command line: cmd /c ""C:\ProgramData\log\1.bat" "
            PID: 1356
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\cmd.exe
                command line: CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
                PID: 1476
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    command line: POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
                    PID: 1468
                    - Drops file in System32 directory
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\WScript.exe
        command line: C:\Windows\System32\WScript.exe "C:\ProgramData\log\log.vbs"
        PID: 1920
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\cmd.exe
            command line: cmd /c ""C:\ProgramData\log\1.bat" "
            PID: 1972
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\cmd.exe
                command line: CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
                PID: 320
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    command line: POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\log\log.ps1"
                    PID: 1628
                    - Drops file in System32 directory
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 98B
MD5: 1c0e3a11c13201e27ad546a96ba9b235
SHA1: fc8c268814b29dd7355380303ccf915c6a0a46de
SHA256: 73de662f4a968fe1d94e3e29cfdd0a8f7e79f914cae64eca32ba55595c6b82e3
SHA512: cb30385e2813e75a02e99afbd1a7f1f288200140d1dc0e716facb708e21a4dd13581fa580a5b0e81b1c3080d107c10f3e44ab5891123236c7f9f3ba2aa31532a

Filesize: 225KB
MD5: 45115fc43fe6bfb9015eecb6a682fca1
SHA1: 35d5822da06aa21432025d74fb2b2baaa8dbffe1
SHA256: f501fd1cf1abab6ab840e26c5032b344ebec05c1446b160088469cbdc095303b
SHA512: 1f4223e9480007b73c97215af1bd60a57d361a72be6f32c787c1760024c94aa4824d313391351e7bf8dcf9cbe8a0e4e9aa14a71864a08153c5584e680ca8dedc

Filesize: 120B
MD5: 6be0eb96c776c22e099d7643281026f5
SHA1: 0f4934d51d6b7dd2a82cfe2d574c1994fe0aa67b
SHA256: 3e8f8fc88258f73995eaa6ce64e5093709b1386171512161e5f0ab81c9424503
SHA512: d0c4113016953135bd1cbb6d7504918b10e503467699bd342acd4981bccebc77a1cb054c56b82ef06847cff43da4d6266f4a281ec734e75244aeac8f510e999b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 8f9e9803acb767ce26582a7994562377
SHA1: 79343802d23cd332bc977c9f1fe3c510aea2cc98
SHA256: dbd4c4096f54c8c57890e174f59b3e060837da818ebd86ed1df23f5658ec107c
SHA512: b250efb93f9a172fed14a7a2cca17795a26fa4967f312152135ce3f52a02f6c71dd8ae6d1b5de08b9bb0ffbb18b3508d9eef2c2cd46ab7e17f8376ff7f63c1f0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: f5e4b8276f57ab37c21b51d1c00c3ce0
SHA1: 0e9c208ed7d980445d220a8ea8b543a4112a9695
SHA256: 02603a0f98bbb4eb7f9e2cd532a4d8f3cdaa285b5d7888bd00f8c7d58b82579b
SHA512: 4d6085a8763071cc88fba0dc4c634cdd3eba196989a26aec97deaeb5910b0546414f2d1285d26b36f042077ce3013d21e5e95f637cbed699ae9fb03047fd5fb3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E0WGMBWWV9U1E4PLML0V.temp
Filesize: 7KB
MD5: 8f9e9803acb767ce26582a7994562377
SHA1: 79343802d23cd332bc977c9f1fe3c510aea2cc98
SHA256: dbd4c4096f54c8c57890e174f59b3e060837da818ebd86ed1df23f5658ec107c
SHA512: b250efb93f9a172fed14a7a2cca17795a26fa4967f312152135ce3f52a02f6c71dd8ae6d1b5de08b9bb0ffbb18b3508d9eef2c2cd46ab7e17f8376ff7f63c1f0