Overview

overview

10

Static

static

1

fa9fe798ce...bd.ps1

windows7-x64

10

fa9fe798ce...bd.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    31s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    19/05/2023, 02:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fa9fe798ce4705a1ccbb22f8cb813c84e4abce585413eb7e26f0934443e75dbd.ps1

  • Size

    689KB

  • MD5

    e26e685d51988b2ae00c8e7a4ef256db

  • SHA1

    ba09428d9fdaadcd92a578d12a48dcb61d331856

  • SHA256

    fa9fe798ce4705a1ccbb22f8cb813c84e4abce585413eb7e26f0934443e75dbd

  • SHA512

    dc362252519f2637577e4b6fa3bc7df69cfa937fe9eaa78d078bfd24d4ea5b887f90319d1ae918b10c3ec081bcb35a7d436a173cae712d4d6e2f4f8f8af65eef

  • SSDEEP

    1536:or/BsVwGJ9iOowdWIa/aEgRJWb+pifHNutiQ3JlqmbNNnLRS2EFurYdq7PbAeVh/:N

Score
10/10
persistence

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\fa9fe798ce4705a1ccbb22f8cb813c84e4abce585413eb7e26f0934443e75dbd.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\WEAZNVCMXZAAQLAKIPOINAQ\WEAZNVCMXZAAQLAKIPOINAQ.ps1'"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\WEAZNVCMXZAAQLAKIPOINAQ\WEAZNVCMXZAAQLAKIPOINAQ.vbs"
        3⤵
          PID:1112
    • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
      POWERSHELL -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\WEAZNVCMXZAAQLAKIPOINAQ\WEAZNVCMXZAAQLAKIPOINAQ.bat
      1⤵
      • Process spawned unexpected child process
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:704
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\ProgramData\WEAZNVCMXZAAQLAKIPOINAQ\WEAZNVCMXZAAQLAKIPOINAQ.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1888
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
          3⤵
          • Modifies registry class
          • Modifies registry key
          PID:1696
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
          3⤵
          • Registers COM server for autorun
          • Modifies registry class
          • Modifies registry key
          PID:1688
        • C:\Windows\system32\cmd.exe
          cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\WEAZNVCMXZAAQLAKIPOINAQ\TIOLAMAQZCXELAASSIUYRE.ps1'"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1164
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\WEAZNVCMXZAAQLAKIPOINAQ\TIOLAMAQZCXELAASSIUYRE.ps1'"
            4⤵
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:288

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\WEAZNVCMXZAAQLAKIPOINAQ\TIOLAMAQZCXELAASSIUYRE.ps1
      Filesize

      680KB

      MD5

      913fe9d33cd6ef2c4ebc889f4049fcb1

      SHA1

      81e4d4e544826c094d6495bd480d12a560c97383

      SHA256

      85f77b983b441d538d075e87735e258404bc13f6675926d0c1c31536174b4247

      SHA512

      90ab84610401dc35145a4a20e874d67a7bac4a3b10148a282c9ec6721de9540f1fa23429bcd875adeae76bc13b5525ae237149589afeaacb4493191ecb5fa483

      Download Submit

    • C:\ProgramData\WEAZNVCMXZAAQLAKIPOINAQ\WEAZNVCMXZAAQLAKIPOINAQ.bat
      Filesize

      707B

      MD5

      71b7d7741aba59c5a096986dd27a085c

      SHA1

      9f7f17aae92e12885f7e5ed0ae2102765f07ae0f

      SHA256

      3e3b898765a75dbda0e4c37940d37afb415f9355ebe1ec3ca0b507f29b1a3b61

      SHA512

      49bbe38d0c8baf47f14cb9f8377374da4f49c0427b95f96c30662f04838742bd1076b464b881723ffe45f5430ce0cb0826a5b51fe80182658608cdb160c70006

      Download Submit

    • C:\ProgramData\WEAZNVCMXZAAQLAKIPOINAQ\WEAZNVCMXZAAQLAKIPOINAQ.ps1
      Filesize

      3KB

      MD5

      ab20632280fe70bb33581771ef8fe878

      SHA1

      aad5a8e65a1f303eb9c74801a3a6eef1f3b35845

      SHA256

      890aef85a88c0e67d232ff49486bec704ba08388ff38bfa46dc82c174c67e06f

      SHA512

      828f12ccc30a2bfd741570bae849f0f44b88b0b7c00ff969690fec43f072615a42243726b6096918dfec249abd1d74e3878d31bac6ab8558f97858a74f9d8c69

      Download Submit

    • C:\ProgramData\WEAZNVCMXZAAQLAKIPOINAQ\WEAZNVCMXZAAQLAKIPOINAQ.vbs
      Filesize

      1KB

      MD5

      9e5180857489aa1194c07ae92b511f41

      SHA1

      25dc65d65d7a5bbfcdc296f159cd873ea4f892db

      SHA256

      87b4be8edf48f7c11a1798c345f2835cc873d467f839a380acdea6755ec30721

      SHA512

      7a0c633fc8722f64a42aef2b679bbb00b771e3689a2daece3cf463729ec2fd0c292f7dc44d9599313ceefd667ddcd7d59becaca32d4cedf953f4fccd97f39977

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      97f981bde22e780e8437e4523b755cec

      SHA1

      647afe4b5b9de9cbb365d0cabce0e1b30db4e0c8

      SHA256

      38c928e713a93edc634ac0426772ef288854a113956d52a4115f0bcce5922c8f

      SHA512

      aca185aa44c07f8228c822d6ff97a62990de742637355c33363a905816ee0b88dba0e7a83469e503a597bcb4398fd074dc79a61a243a22d704f9cebb77e9fa6a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      97f981bde22e780e8437e4523b755cec

      SHA1

      647afe4b5b9de9cbb365d0cabce0e1b30db4e0c8

      SHA256

      38c928e713a93edc634ac0426772ef288854a113956d52a4115f0bcce5922c8f

      SHA512

      aca185aa44c07f8228c822d6ff97a62990de742637355c33363a905816ee0b88dba0e7a83469e503a597bcb4398fd074dc79a61a243a22d704f9cebb77e9fa6a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      7051c6495c3fee6bb4e2855f78b96bf5

      SHA1

      ae984304e7f75633f946d87d04a963f20635ab30

      SHA256

      ab39f89d3dd35f9f24639a85e471d6001e22430a5cb73c68320ba8e8732f0e36

      SHA512

      d9029add54b5fcfc38aa3ff15e7315ec0441412d0c9063924bfbb5b86617c0081125b5ee976cd97dff21779c16ed9092b37ce20d6b713f866767bef295680089

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q65BELNEPSFPC5DYJGJY.temp
      Filesize

      7KB

      MD5

      97f981bde22e780e8437e4523b755cec

      SHA1

      647afe4b5b9de9cbb365d0cabce0e1b30db4e0c8

      SHA256

      38c928e713a93edc634ac0426772ef288854a113956d52a4115f0bcce5922c8f

      SHA512

      aca185aa44c07f8228c822d6ff97a62990de742637355c33363a905816ee0b88dba0e7a83469e503a597bcb4398fd074dc79a61a243a22d704f9cebb77e9fa6a

      Download Submit

    • memory/288-103-0x0000000002590000-0x0000000002610000-memory.dmp

      Filesize

      512KB

      Download

    • memory/288-101-0x0000000002590000-0x0000000002610000-memory.dmp

      Filesize

      512KB

      Download

    • memory/288-104-0x0000000002590000-0x0000000002610000-memory.dmp

      Filesize

      512KB

      Download

    • memory/288-102-0x000000001B600000-0x000000001B626000-memory.dmp

      Filesize

      152KB

      Download

    • memory/704-95-0x0000000002960000-0x00000000029E0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/704-91-0x0000000002960000-0x00000000029E0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/704-89-0x0000000001E60000-0x0000000001E68000-memory.dmp

      Filesize

      32KB

      Download

    • memory/704-88-0x0000000002960000-0x00000000029E0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/704-90-0x0000000002960000-0x00000000029E0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/704-87-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1316-69-0x0000000002750000-0x00000000027D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1316-71-0x0000000002750000-0x00000000027D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1316-70-0x0000000002750000-0x00000000027D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1316-58-0x000000001B380000-0x000000001B662000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/1316-68-0x0000000002750000-0x00000000027D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1316-63-0x0000000002750000-0x00000000027D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1316-62-0x0000000002750000-0x00000000027D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1316-61-0x0000000002750000-0x00000000027D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1316-60-0x0000000002750000-0x00000000027D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1316-59-0x0000000001F10000-0x0000000001F18000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1512-80-0x0000000002A84000-0x0000000002A87000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1512-81-0x0000000002A8B000-0x0000000002AC2000-memory.dmp

      Filesize

      220KB

      Download