Analysis
-
max time kernel
243s -
max time network
244s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
-
submitted
31/10/2023, 13:36
General
-
Target
https://download.newrelic.com/install/newrelic-cli/scripts/install.ps1
Malware Config
Extracted
https://download.newrelic.com/install/newrelic-cli/currentVersion.txt
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 8 IoCs
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 3 IoCs
-
Modifies registry class 24 IoCs
-
NTFS ADS 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File https://download.newrelic.com/install/newrelic-cli/scripts/install.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1612.0.1654508879\1608045854" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ac8349f-ee14-47e3-a8e7-39c8274f660f} 1612 "\\.\pipe\gecko-crash-server-pipe.1612" 2032 1faccacf658 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1612.1.285684240\1054403348" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ca9779c-10eb-46e1-b2ef-44748d4b22c3} 1612 "\\.\pipe\gecko-crash-server-pipe.1612" 2380 1facc7fcc58 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1612.2.2098807678\1341746152" -childID 1 -isForBrowser -prefsHandle 3164 -prefMapHandle 2988 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ce7f859-2cdc-4299-97ed-f884452b94ed} 1612 "\\.\pipe\gecko-crash-server-pipe.1612" 3020 1fad0998d58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1612.3.1994598427\1397511480" -childID 2 -isForBrowser -prefsHandle 1028 -prefMapHandle 1328 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f9f75ea-ed3f-4080-a9af-457c46e3a7f0} 1612 "\\.\pipe\gecko-crash-server-pipe.1612" 3680 1fad0a0ca58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1612.4.1407509207\1943416095" -childID 3 -isForBrowser -prefsHandle 4180 -prefMapHandle 1688 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a3c7516-18b9-42d2-8ca7-09e035221bc3} 1612 "\\.\pipe\gecko-crash-server-pipe.1612" 4280 1fad2027658 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1612.5.700269118\1689945508" -childID 4 -isForBrowser -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0272f568-7e17-43c4-ae4c-383f3731fc51} 1612 "\\.\pipe\gecko-crash-server-pipe.1612" 5308 1fac002d558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1612.7.71160574\1035322101" -childID 6 -isForBrowser -prefsHandle 5416 -prefMapHandle 5248 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60ef1896-bf3f-4bcc-86a3-899f7e2f3cd0} 1612 "\\.\pipe\gecko-crash-server-pipe.1612" 5504 1face128558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1612.6.1863031548\1423460669" -childID 5 -isForBrowser -prefsHandle 5272 -prefMapHandle 5276 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1368 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a80b9943-5436-4f55-a419-b815a8ba5182} 1612 "\\.\pipe\gecko-crash-server-pipe.1612" 5248 1face125b58 tab3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Admin\Downloads\install.ps1"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Downloads\install.ps1"1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Admin\Downloads\install.ps1"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exe"C:\Windows\system32\msiexec.exe" /qn /i C:\Users\Admin\AppData\Local\Temp\NewRelicCLIInstaller.msi2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5e883783cbaae3ab9e4881e80d600864e
SHA1462d4ee15503d6ae41cfd6f9d0d1e72ec85d8d90
SHA256f019f8727a1332993481dcce6c2babbba223970dcb326432eac606e835fd5295
SHA512642c2f4f31fb829b4de5ea41019b6ca9836e9e277c5904a013f8fd440e55fa42047ce7da160973f42d8d80648830f41f9d05867db259cfd3d7094e8ab998dc96
-
Filesize
471B
MD501b9ce813efe124f49534075847fc96d
SHA136be0bc8357e8c2408e464354a9c9e629c161f8e
SHA25628f815ffca4be91b7dfe771a68a7a5a1bc669e7b2838ec4b19f5912b91d54a8c
SHA512e0955e4ac4e4e80311183ef7653a6c938d40977863a80626cd38b6349d1acb027089124e425ea75b33a22d23142b008c61b5bf5d6a74df4bf3056221eb079eab
-
Filesize
727B
MD5d27ba2efd045c4859eddea638af5c73b
SHA10499a6590da37718a31f423ca447dd6e790f6073
SHA256ef8c7c1a3b1b60d31af85a41aea42b60be628c2047126a7bc637fcf8f01bf3ad
SHA512a2177eb6982be2f4a6e5e564830d5e771657d27be92faea6c42efa6a15c89f3ac48c1bc9841d5a0277629e84a2740689c16a8a858d1aeac750e05bcccba6aa9a
-
Filesize
727B
MD5649ab1ec6627955e76deef26551857fb
SHA1991ba18ac0faab574ccad1e6b02be2d56f73f63f
SHA25694860a682896d1d7f6c82d72b62084e939c6d5b7a4646c0321c94b41409ab3d0
SHA5120cc921ef41c6f159161178e6380ebae02b5f49f69564594df0bb2b9ca7a5b5ada472d9d15a6f7c2d794ce67c7222bf513e1deb227eff862aa170acde3e593af4
-
Filesize
400B
MD5a562b1f4c6ff12192144f5c2ef1aba5b
SHA1dc947d557588e0a3cb816e30763047eac642ce7c
SHA256ca15ac476ae0f19d770e10ace091918d84c20a8f5ce595b8c3321d30b9588069
SHA512c253cd917451e75611e8d69fa1048b889eb44266cf896d623520fad2d8dbef89ef6f530a239c0750f9fc49d1db6d98fbedd7537b2252e19c6f430cb5722a4f7d
-
Filesize
404B
MD5fe1e2ddff94c4264c127427363610e50
SHA1d678ec2500dc04658cf6c197b46dacf4f1341e1a
SHA256d74a500122cccc7940f62c512d91e4e06cad31c3420705e85c6c8ca14c6263ce
SHA51208c4363c1c2543e0468622d5b5048a5ef160058b34b5c497db70e8b0acef71ce7b6a7d42496688ae81eec02edb1ef1f25dfb64ca87aea15d26d59f5a9df235ee
-
Filesize
412B
MD577714252288d296c8ca124725d4a83a8
SHA1636b6db90789a7b795d819731f36fefc0b21a0ed
SHA256b52ee40e3fdc8f67aa04c63fe950590391fe63246f078fe337315994a8637f14
SHA5122eb97a552ced1853a51cabd1d093f9346f799b174349cc53ee5bb8e0af6c5a1920abc14531960e337e76c69dd32a894d8c339c1e4240834a45cd7186f0e0a4fb
-
Filesize
3KB
MD5104462704900f94f83a7a816edcdd8e8
SHA19b1f0d518221af47065167e2bdb4ffe474849bf4
SHA2563989e6ced951ff0be273a3f46c955a79d973d68e7aa656d674752accce2d7d14
SHA5121ba1e0724b12e57e6a19d4dcf8a3d860418f5ac4f9fcd9c450ac0aa63e1a2859ab830e5bce11240a048c63e46e1cac0393465a40294f85816046df1e37d7ca96
-
Filesize
6KB
MD5d5f3199618894b20b6b620d0a4dbd85a
SHA16696d4186ca205dd306329f8a9f42d19f128f7ae
SHA2566914a945556c709f81a894b311fc52d8b379f8764b389d73b84c76c4c5c11575
SHA5126706ef8cae3f43a5802996bc5178257c30937780269e4fe0eda18de2613608acf620a32e9e5a33d4a6cf6be263dea4f1848bb16ed28a2fd907d1fd7c73d570f1
-
Filesize
53KB
MD56a1d732af6eb2d5e39917fb6d0d3cd40
SHA12981e90b27d16f79c07433cd177d5f77b0f26b42
SHA256fb7e11ee05163c7dbcc973b194c6789afe2d8949c693b2e5b5ae71eb615fd563
SHA51201750f3b62298f335786bcaddbd127c79c91cde0c2b2200dea8299e0a6ec45287b4cec597dfb556bde0d9ee7ac1227aeb26f05b7ca4859e6633aa202128dfca8
-
Filesize
53KB
MD545b3349cd56d5b56feb892ec012b6b6b
SHA12149103ee3136979daa139ad0749c0ab9180ec5e
SHA256bf4b69d9271f4a2f49e84cd1f2127c1b0d178a3e44be9d0d165885de6d44cd6d
SHA512b39ae94dd800997082b9d85c3bd4cd0761466570b81c11423bc6332a9c6548acc106140bf4b786538fc54ed238a8ed7c1c230c234e86ee2f0bcbd7ea31f15be1
-
Filesize
10KB
MD5884f444ea2c2ea8fac20bc53f1910e9d
SHA1baeb786c7badf71c870bcaafbea80a048453b11f
SHA2562c69caddbfe68a861e06d8abd4ddfcd89ba5073422d750d670951bfb9740a944
SHA5123182e6f1c9ebe1e9f99984b1d6f64fe5eb69181c08ed35bf6a5625222fd6abd605f7f43e3f61fce31552d3be3d7caa343181a15781f52153ef527dfd8083dee5
-
Filesize
10KB
MD5884f444ea2c2ea8fac20bc53f1910e9d
SHA1baeb786c7badf71c870bcaafbea80a048453b11f
SHA2562c69caddbfe68a861e06d8abd4ddfcd89ba5073422d750d670951bfb9740a944
SHA5123182e6f1c9ebe1e9f99984b1d6f64fe5eb69181c08ed35bf6a5625222fd6abd605f7f43e3f61fce31552d3be3d7caa343181a15781f52153ef527dfd8083dee5
-
Filesize
23KB
MD556c57cb2948566fd3afbe1b4141f3031
SHA1f10f718a5daf06783c308cae31016b04fad77049
SHA2566244a474d2512db0d1ec5c08d2cf02b201410c9850f27b2abbb5d7e065712762
SHA5120fde2402003a1f7cc969c3a45d4cc41ecc4f4cfe7f75dee615a56c3ea68f696b7bf28bfff8e9c6a34e8b395c6e5e9b67bb8e582e494d57305f35abc206540669
-
Filesize
7.3MB
MD55f3b5256d897e0c62bd0a23dfc83509f
SHA1fcc2fffccbb99a447cca97621daaafd3bcc8eaf0
SHA25631601a99892f9b409411bd1cfc307671304c578407974d1d068a735c85b3b6fd
SHA51203cb7c44ead92d933f9fdade85b307c1b38034b7cf73e8af80ddab66990eac56ed7edf618deeead9b155f87dbcfe64157014ee08d62aa62458f3f39940c7cb74
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
7KB
MD5baabdccfababae9c1b8c72d148fe6774
SHA1186b2e9a07643efdc34a958295a7a496657e37d9
SHA256be4ddbfbd6bbc20ce10966d9fb6309005feb20d283b36ed2250a7ca8238e7d16
SHA512ce6ae081b8531e3a9167a7e749fab5bd4d8bdd18654827ea73b8779c19d9d3baadd3f76bfc95c3007f1493e4fb34228321661a459a3c69ae38e9ca0070ba8b79
-
Filesize
6KB
MD51cdf7fe6a20541ec907b4763c8230022
SHA139ff340aedb4ccd7b49dcd24185b6af7ffe585e5
SHA256b580ec57518295ae2625e50a93ddb601b579723c5c24c57a8ebc883c4a198b24
SHA5125f89ffc7742ceb7a8b6ec27ae9ec07997174ebcfdf9b7adf69dd751de3e75a86629e54cea259e3148aef6394423b34a628beb285e5e2170f5c186363c809a2e1
-
Filesize
6KB
MD512fcf3d7c3b39cc6b883630a8d35615d
SHA147127dc4e888cb5a15883e10f46e2b3c35dca39c
SHA256217877941d67e1c4573b08f56a8e8492d26313631f57dc4a3eb479ef64c15998
SHA51249ecc783c8251beb065e6d597137a963b0acdde88b2335ccb8aa1ce1d9d1e02c3bcb9711d121bd549320b4c412ada742bbd2f8f38904ab034e5290ed824af26a
-
Filesize
259B
MD5c8dc58eff0c029d381a67f5dca34a913
SHA13576807e793473bcbd3cf7d664b83948e3ec8f2d
SHA2564c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17
SHA512b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4
-
Filesize
1KB
MD50b459fa33b71a694e839ccc7746fbf4d
SHA1474058bb96eb2759c61600a673a2fc1bcd9fac48
SHA256965e1c154557ab2c4d5e332809434ff92b8fc84814302124334f29bedd962c2a
SHA512a3628de764ff07b2681aa0518bd430b5be7cec3ab37c3ba5633bb23ee0cb8af219f3ce1c5c05007cdafbc25e082daaa33ae2ab3f2adf014443fb2145ca9502ee
-
Filesize
1KB
MD508a3f054a574977ebf41a366368f70ec
SHA1ae2f17f39996329251729cbbe501dac133fd8b6d
SHA25622ab08300732529ddb674497ed7902084d395c4ac218ac6a45c54481d2859161
SHA512b60846c1259c8cf6a7341504b887f5962e98cd1a97ae7f39678a748c55ae7f4661d9ee46428cb5602471f0470ffdd0eaa76bfde169d1e29d1d16ca359b5b935f
-
Filesize
981B
MD5e36f9207ba362ffa46fbcca4e0bd155d
SHA10fb80d0f60b3147f601e26c6d6fd9bd9be8b6dde
SHA2568d37305f10a932c7c27fdd78a00d61f60f9776bee08f8de26feaa46d8c0c7d1a
SHA512609c9425f9680ca8587ad1d66da48cf144a39ceacd39fb7bcbc8855bd6e959974d4382bba1495f80c29679a88dce941d2e661e477feb78430de0608bbbc629f8
-
Filesize
15KB
MD5fb198f16c24af233830ab9d2cc378619
SHA103b54ec7bc7e4103f7ca28060dbc8d7f693d4486
SHA25690866d282dc1be65867968d2c0d073ed0a5742b924021187595f74c29138cf12
SHA512b00e0c178f4359b332e60c0972722acead05d01eb9003ec6d18c6853337b6f02f8cf8e21712f1b0f9745981796e1e13cbd0f0d31d7e342f317c8f495e9e39e8b
-
Filesize
15KB
MD5fb198f16c24af233830ab9d2cc378619
SHA103b54ec7bc7e4103f7ca28060dbc8d7f693d4486
SHA25690866d282dc1be65867968d2c0d073ed0a5742b924021187595f74c29138cf12
SHA512b00e0c178f4359b332e60c0972722acead05d01eb9003ec6d18c6853337b6f02f8cf8e21712f1b0f9745981796e1e13cbd0f0d31d7e342f317c8f495e9e39e8b
-
Filesize
7.3MB
MD55f3b5256d897e0c62bd0a23dfc83509f
SHA1fcc2fffccbb99a447cca97621daaafd3bcc8eaf0
SHA25631601a99892f9b409411bd1cfc307671304c578407974d1d068a735c85b3b6fd
SHA51203cb7c44ead92d933f9fdade85b307c1b38034b7cf73e8af80ddab66990eac56ed7edf618deeead9b155f87dbcfe64157014ee08d62aa62458f3f39940c7cb74
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
152KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
296KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
272KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB