c6d5288639389f37a0ccfa3139b1a72916133231245b7bca53d9734c6372747d

General

Target

1.ps1
Size

256KB
MD5

787c9472089b40d62f2bc7da5c1de59c
SHA1

42179eb8d1c990275a5e9920f14e91c91cf25db9
SHA256

c6d5288639389f37a0ccfa3139b1a72916133231245b7bca53d9734c6372747d
SHA512

d8cb1730e5d83366f472fd7cf72d4970b9e40ca1932e4a7a21e13e9dc81244b3f8c53c8937f0ce8beaabf50f12f0d391bf4a5385b51615bfe157439287847895
SSDEEP

6144:LhMHd8wF9VtLr3EXGpI5cGIE+QITgA5kE315N3Ap8:qHt9VtLr3EXGpI5cGIBtX

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1172	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1604	powershell.exe
1204	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 1172	1604	powershell.exe	29
PID 1604 wrote to memory of 1172	1604	powershell.exe	29
PID 1604 wrote to memory of 1172	1604	powershell.exe	29
PID 1624 wrote to memory of 1756	1624	taskeng.exe	31
PID 1624 wrote to memory of 1756	1624	taskeng.exe	31
PID 1624 wrote to memory of 1756	1624	taskeng.exe	31
PID 1756 wrote to memory of 316	1756	WScript.exe	32
PID 1756 wrote to memory of 316	1756	WScript.exe	32
PID 1756 wrote to memory of 316	1756	WScript.exe	32
PID 316 wrote to memory of 384	316	cmd.exe	34
PID 316 wrote to memory of 384	316	cmd.exe	34
PID 316 wrote to memory of 384	316	cmd.exe	34
PID 384 wrote to memory of 1204	384	cmd.exe	35
PID 384 wrote to memory of 1204	384	cmd.exe	35
PID 384 wrote to memory of 1204	384	cmd.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\1.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 2 /tn rxgeoyp /tr C:\ProgramData\rxgeoyp\rxgeoyp.vbs
  2⤵
  - Creates scheduled task(s)
  PID:1172

C:\Windows\system32\taskeng.exe
taskeng.exe {C04594F9-BFC8-458A-B12A-8ACAE1076DD1} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\ProgramData\rxgeoyp\rxgeoyp.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\ProgramData\rxgeoyp\1.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\system32\cmd.exe
      CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\rxgeoyp\ovzmbwj.ps1"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\rxgeoyp\ovzmbwj.ps1"
        5⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rxgeoyp\1.bat

Filesize
93B

MD5
9d73067db2c35a6f77fcfffde1b4a2f7

SHA1
6b7485524fc85e905eac3f1c477296cc60c7add8

SHA256
e20a5ef56dfff19fa50071a7b699b76440dfb51fa7212aee2e3d79fae7b6b017

SHA512
ca8cacbc1c8f6d38ca7cfcb24dda722b4fcdbcbdc319b0809d6c2ff5c6e0479c05e1553427cdabf1509442d9f615f4e7e6e5d671b85040c16f0b8e2630d24434

Download Submit
C:\ProgramData\rxgeoyp\ovzmbwj.ps1

Filesize
255KB

MD5
953b60e22e265a0f777146f35c21f0fb

SHA1
5ed3cd54fb7f767c5b918eef2b7f584808ccacdd

SHA256
2116cf89f97934ae20cbb230313559955a81947bf0fdc2d27fc3a4e2ec1ca766

SHA512
0142c4915eb3fda2b5a20ee3e18c8c84bd77366bd73df7d9f8cbdc04c74d81355e270b147a26c59fee36b99cca01f7a14950d269ade97626a308c6ae919b9b20

Download Submit
C:\ProgramData\rxgeoyp\rxgeoyp.vbs

Filesize
132B

MD5
7a447e5b052d7f9c811e7a0c5de9a547

SHA1
4046f5aacb9e5babadd7c90e8dbc8f9be95cf20c

SHA256
647cb144ba01cf2d859de13b5dd0cd613e5cd2275c9b57f569da46da32d6a400

SHA512
a1d18465f00174a48f810003623cc15c17d33789cb837757214ff4e481499828f522b8e6e89a873b4ffd95414dbd1e27920abf3a01f891819e54b750a8d2fb9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
170349668dab11c0610cd434b00dfd9a

SHA1
beada438a98ac87fc10f8322473b4c39fe38a814

SHA256
9a3afa1af573f0c46c25b24ca5de013a994cbef2e9665ef28cffa15980e564ac

SHA512
e4fa0cf8da7e73fbbcf5fa35ae0410e16bae99e8d9cedefa45f7a8a5c6e340b7aa1d6df1b67c145168f744ef024984886678a42e357fcc84adee2aabfa60af5e

Download Submit
memory/1204-76-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/1204-75-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/1204-77-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/1204-78-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/1204-79-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/1204-81-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/1604-63-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/1604-62-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/1604-61-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/1604-58-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/1604-59-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads