Overview

overview

7

Static

static

1

MIO.ps1

windows7-x64

1

MIO.ps1

windows10-2004-x64

7

Analysis

  • max time kernel
    145s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-07-2023 03:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MIO.ps1

  • Size

    177KB

  • MD5

    f684a1986bcf0eb7504c5d2e048a58fa

  • SHA1

    a19b86a28274cf7efb3569697ff2ac78600d6b81

  • SHA256

    9a9150b442ee5251ef96117c30c32430fd77fada295bba515f1373647eee39ea

  • SHA512

    eb6bede4d57dedb7f0cd52dbb6c1e74ddc94c27414bb72f0a1544541c1793c08d350d69e57fab01a9af010f12504d4363007d9841acf8cb0d266723e8c1fa54f

  • SSDEEP

    1536:kscTU34eFxLzB+YTsqt1O8Jhfes/bBXEXSQuMjKYzKp/7Kf8vQfR315bMt53AplQ:iiJlKVfR315O3ApcXmTWX

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\MIO.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:760
    • C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 2 /tn Ultra /tr C:\Users\Public\Ultra\Ultra.vbs
      2⤵
      • Creates scheduled task(s)
      PID:2304
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Public\Ultra\Ultra.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $xmldoc = New-Object System.Xml.XmlDocument;$xmldoc.'Load'('C:\Users\Public\Ultra\1.bat');iex $xmldoc.command.a.execute
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4380

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    5b3fe3360d51d99169c014f6f425fef8

    SHA1

    914dbfc80ebd831ee27769e824ec1de19dd69fb1

    SHA256

    f6a703e122e6cd5bd10b31c1e869eb9b034f4114ad21f689b6d93819b7a65763

    SHA512

    5404bf581530160601fdaa9851c167fd68796a8ce15701097139eef7dc9ef0cf93446449fc1b5be2a23f4b57ad173aa8b35a48b9dedc948fe9e16e6a2bcd2170

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    261a898ae9cc6155cb3e0f9f6830c7ea

    SHA1

    d7190b5593d87a61f00f39e9e21672ab8437e3a8

    SHA256

    e4226f5a5e43a3d6d5c1df1d6e0d5f43117193e14cea1315f741da5eb147071e

    SHA512

    148fcafa801a3c9800ff99de6671ffb9e43e78c53c9fcbddba8a6da1fb047aca2a810391b467867972a04e3d1837527b694979110e4dc1f5d7ce757cd38127c7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_505j2fzy.hy0.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Public\Ultra\1.bat
    Filesize

    87B

    MD5

    4ee58af859095268b79ca3481b7a8338

    SHA1

    d40e53d0973911e6b2d6b0e40fbf4d9e993789d3

    SHA256

    b5e7a7937f7cfd101219bd9d09616870cec0f91b9395596c06f4569e8803ac25

    SHA512

    825cce2fc80e8315f4f87a9e0750b48bc4000d3c153893705a831f6f7c7aa863e26cd9a12510b2318d057b9cb0c3565973fb06738a8499c45419021f22c692e6

    Download Submit

  • C:\Users\Public\Ultra\Ultra.vbs
    Filesize

    1006B

    MD5

    312da147d17e2d4b553c6651c0c1f148

    SHA1

    5622b427f49c79aa8c2bf742f0dcfa04227bf88f

    SHA256

    5ff7324f2517e8bf62c85a7f8b19faa080cb129a04f1ca9988a611d636cbf738

    SHA512

    8da54e1156b115a1d3172751bc6a2028153a288c20e05506b7acc77539438728df1d91e0a807bdbd2ac9a062390b5abf665029ce74ce635b6fcf70017b5c236f

    Download Submit

  • C:\Users\Public\Ultra\imcq.ps1
    Filesize

    176KB

    MD5

    281bc2ac798473bf08418713067d69f4

    SHA1

    0faba7fe78c27ef289ff4b3a442cfecdd78f9081

    SHA256

    4a643dc44428527ab89a5da1c3e4c3007e3eff7303d77d09d67a09600439c42d

    SHA512

    590737a732e57b5dbf2276d7c5b47f4c54e3e60a19c2a60c528981b2b168b72dcaea1f859b89217eead6a81a24522432412ef5d3f46f509d765a19859b17a404

    Download Submit

  • memory/760-144-0x000001D75EA50000-0x000001D75EA60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/760-149-0x000001D75EA50000-0x000001D75EA60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/760-148-0x000001D75EA50000-0x000001D75EA60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/760-147-0x000001D75EA50000-0x000001D75EA60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/760-145-0x000001D75EA50000-0x000001D75EA60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/760-143-0x000001D75EA50000-0x000001D75EA60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/760-142-0x000001D777B00000-0x000001D777B22000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4380-168-0x000001A3FF290000-0x000001A3FF2A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4380-169-0x000001A3FF290000-0x000001A3FF2A0000-memory.dmp

    Filesize

    64KB

    Download