Overview

overview

10

Static

static

1

PMOy4QqKcU...PF.zip

windows7-x64

1

PMOy4QqKcU...PF.zip

windows10-2004-x64

1

1.bat

windows7-x64

1

1.bat

windows10-2004-x64

1

detonator.cmd

windows7-x64

4

detonator.cmd

windows10-2004-x64

7

dqjg.ps1

windows7-x64

1

dqjg.ps1

windows10-2004-x64

1

dqjg.vbs

windows7-x64

1

dqjg.vbs

windows10-2004-x64

3

th5rk551.uku.ps1

windows7-x64

1

th5rk551.uku.ps1

windows10-2004-x64

1

vuso.ps1

windows7-x64

1

vuso.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    98s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
  • submitted
    04-07-2023 13:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dqjg.ps1

  • Size

    125B

  • MD5

    e1b26d57301dd20ec11d8ccd7773bd6b

  • SHA1

    ba166cf9ce418fa1f2449145757f90bd62290122

  • SHA256

    fba319eab7709626794b7d7df3bccb40cb94e9bf848d87514048ee63e3a72167

  • SHA512

    90e15fadf0811df2a019b1f0d38a1b012d2721aab2e541f73628bfa967b3a40b96e747ce5272ab039b7093b3e7a11484c57916b90269aec18956f0441657cd32

Score
1/10

Malware Config

Signatures

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\dqjg.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:692
    • C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 2 /tn dqjg /tr C:\ProgramData\dqjg\dqjg.vbs
      2⤵
      • Creates scheduled task(s)
      PID:1832
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {148E4333-704E-4CDC-8558-D0AA4C1A4236} S-1-5-21-2813141852-3076131560-4232376420-1000:GASCZFTR\Admin:Interactive:[1]
    1⤵
      PID:456

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/692-58-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/692-59-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/692-60-0x00000000028E4000-0x00000000028E7000-memory.dmp

      Filesize

      12KB

      Download

    • memory/692-61-0x00000000028EB000-0x0000000002922000-memory.dmp

      Filesize

      220KB

      Download