Analysis
max time kernel: 124s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 01/05/2023, 08:22
Static task: static1
Behavioral task: behavioral1
Sample: B.PNG.ps1
Resource: win7-20230220-en
General
Target: B.PNG.ps1
Size: 226KB
MD5: fb299e0e8ae35692f1541b2912812184
SHA1: 4ef1f2589e960b9645a8010920da2b1caacdd350
SHA256: e2e4ce0315ef9f241c5d3ab09ccc9de3f8bd71f5388d8a4dd7fadd0a1110f266
SHA512: ba36c4ad9721ad46f2cd56a819643ed4d01804d76952638c1f7842d745c10ca0e70be874ad5e6de504627c4210545247b9da9312574fb0fc658fe13032450863
SSDEEP: 1536:FeMD10HxuHY05UIy4rpmLoKZqcxU7SHzqQHw7rRim3ve0pAGFBQDVWQIypsc8bIX:gk0t0iInKWQIyjdZaRMXYxr315+3ApA
Malware Config
Signatures

Drops file in System32 directory (2 IoCs)
  description                    ioc                                                                                                                     Process
  File opened for modification   C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk   powershell.exe
  File opened for modification   C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk   powershell.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  756   schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid    Process
  888    powershell.exe
  1004   powershell.exe
  1704   powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid    Process
  Token: SeDebugPrivilege   888    powershell.exe
  Token: SeDebugPrivilege   1004   powershell.exe
  Token: SeDebugPrivilege   1704   powershell.exe

Suspicious use of WriteProcessMemory (27 IoCs)
  description                        pid    Process          procid_target
  PID 888 wrote to memory of 756     888    powershell.exe   29
  PID 888 wrote to memory of 756     888    powershell.exe   29
  PID 888 wrote to memory of 756     888    powershell.exe   29
  PID 1488 wrote to memory of 676    1488   taskeng.exe      31
  PID 1488 wrote to memory of 676    1488   taskeng.exe      31
  PID 1488 wrote to memory of 676    1488   taskeng.exe      31
  PID 676 wrote to memory of 708     676    WScript.exe      32
  PID 676 wrote to memory of 708     676    WScript.exe      32
  PID 676 wrote to memory of 708     676    WScript.exe      32
  PID 708 wrote to memory of 664     708    cmd.exe          34
  PID 708 wrote to memory of 664     708    cmd.exe          34
  PID 708 wrote to memory of 664     708    cmd.exe          34
  PID 664 wrote to memory of 1004    664    cmd.exe          35
  PID 664 wrote to memory of 1004    664    cmd.exe          35
  PID 664 wrote to memory of 1004    664    cmd.exe          35
  PID 1488 wrote to memory of 1952   1488   taskeng.exe      36
  PID 1488 wrote to memory of 1952   1488   taskeng.exe      36
  PID 1488 wrote to memory of 1952   1488   taskeng.exe      36
  PID 1952 wrote to memory of 1992   1952   WScript.exe      38
  PID 1952 wrote to memory of 1992   1952   WScript.exe      38
  PID 1952 wrote to memory of 1992   1952   WScript.exe      38
  PID 1992 wrote to memory of 1680   1992   cmd.exe          39
  PID 1992 wrote to memory of 1680   1992   cmd.exe          39
  PID 1992 wrote to memory of 1680   1992   cmd.exe          39
  PID 1680 wrote to memory of 1704   1680   cmd.exe          40
  PID 1680 wrote to memory of 1704   1680   cmd.exe          40
  PID 1680 wrote to memory of 1704   1680   cmd.exe          40

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 888, depth 1)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\B.PNG.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\schtasks.exe (PID 756, depth 2)
    Command line: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn Nothing /tr C:\ProgramData\Nothing\Nothing.vbs
    - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe (PID 1488, depth 1)
  Command line: taskeng.exe {96A0FE4B-C7EF-4F64-B5FA-23AF4A9C1D89} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WScript.exe (PID 676, depth 2)
    Command line: C:\Windows\System32\WScript.exe "C:\ProgramData\Nothing\Nothing.vbs"
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe (PID 708, depth 3)
      Command line: cmd /c ""C:\ProgramData\Nothing\1.bat" "
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe (PID 664, depth 4)
        Command line: CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1004, depth 5)
          Command line: POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WScript.exe (PID 1952, depth 2)
    Command line: C:\Windows\System32\WScript.exe "C:\ProgramData\Nothing\Nothing.vbs"
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe (PID 1992, depth 3)
      Command line: cmd /c ""C:\ProgramData\Nothing\1.bat" "
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe (PID 1680, depth 4)
        Command line: CMD /C POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1704, depth 5)
          Command line: POWERSHELL -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\Nothing\Nothing.ps1"
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Download 1 (no path recorded)
  Filesize: 106B
  MD5: 2135f53fe669b95ef3dfc8159f002f35
  SHA1: 784f7c804a8017298a0444961da570c54e234128
  SHA256: a012ee5f76492bcf0a72c415f098d0a0e21ea28f3a08e179089ed74ec1051134
  SHA512: 6115083a87f84bbbd28607c407324539c9ae5e6834c6d18404ed516f993ab4f7fedb246c192257183dc429bf2a23b84c81fa52e608a3486666a0ecd001614b92

Download 2 (no path recorded)
  Filesize: 225KB
  MD5: 633e2bd5aad471f331d308b70df2cde7
  SHA1: 187f14b57103beffada3b283eeba4f528a466b00
  SHA256: d1e4eab2f9cb99e6d3fcf39b82bfcf7cdc216cd355570b8305c15877889afcea
  SHA512: 7c36819998154344f6ae6c68b2f72d559fd92a088fd4a96c30b75727310cdcf36b4f42dc57f66a4e438ff1cac1fa121479e7d20630b7ddfdc1ebb520b343fb80

Download 3 (no path recorded)
  Filesize: 124B
  MD5: 617f5a86804776b6e4153709d03fd144
  SHA1: 2abe924e3ada5b487a9a67ee22e8e1c21a47b516
  SHA256: b582e1508d3cc895cbb37a547a770a62e1c02ec555265f7bd231c734127b3867
  SHA512: a40b25239589f3029a837077c639633e966f69c6c4096db1cad526e849fd5a44bef01270dc4f20049829ed8e85f1fae3e6e0b3d4be8c049d7c974df958136842

Download 4: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: f38b34292f21c48f9c8bb29f52996958
  SHA1: 5e6855b407b86d8b8037257e9136f455191c0f37
  SHA256: a12d6c5d38997595ca51f04c06644b535d61d0ca8edfa2dd1330b0ccbf393e17
  SHA512: c0118d98c11e68c0116f649a69e92c791fbd0cfffe94f2fb089af51c2ec3e5e31edf748320be7d4695c18294fb465fd75be35e9157342eaf69e793f3d0f2c5cc

Download 5: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: d07e097d008a8343054dd7e2f4585475
  SHA1: d35cccb156bf9977b02561137a63028bd1102cdf
  SHA256: 64e5b405fceae8bb16d1481f40a2e5ca22bc5a64468a3fd6576ad45e15d4050a
  SHA512: c49ab6dd37ed1cd77e289127b27eaf1c5d998ca750ecb28dca20199115a954e5290e7ac3d8cf95778b7de276f026b8ba91da9f0d7b80948ca60703624cb491bd

Download 6: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J5H186Z0T0KT7TF0FZJ7.temp
  Filesize: 7KB
  MD5: d07e097d008a8343054dd7e2f4585475
  SHA1: d35cccb156bf9977b02561137a63028bd1102cdf
  SHA256: 64e5b405fceae8bb16d1481f40a2e5ca22bc5a64468a3fd6576ad45e15d4050a
  SHA512: c49ab6dd37ed1cd77e289127b27eaf1c5d998ca750ecb28dca20199115a954e5290e7ac3d8cf95778b7de276f026b8ba91da9f0d7b80948ca60703624cb491bd