10a63fb12bcb5c72c8effdb907ecf4c5aceb8e4bf8808bac6465f9465f43a2e6

General

Target

Evase.ps1
Size

44KB
MD5

4b1cde30773cfe42d8ddd4a24c59399a
SHA1

b3859a6fe0b39962cf38df5f66558b9d55bcb3cb
SHA256

3761698e158636a22a815734694031ff8bc2397e27a23c19e8cb4b7241922d9f
SHA512

37f25caeb8ecbd1cefc679c75b6e8d5b0473d1eeb96a9a7a9dc419d3768f861d3cbd9207f5faa9ea1995ff93f780cddcea224111c754d5066b5fc85325209ef8
SSDEEP

768:cbO324Al+vmvBZu2hUjBlFXNUBLkRxA79AdLbPooBYqLIbuq2JS6/UzBf2n7laJB:cqLwvBZzhqB/NURJEPoiBLIq3Jz+f2RK

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1464	explorer.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeShutdownPrivilege	1464	explorer.exe
Token: SeShutdownPrivilege	1464	explorer.exe
Token: SeShutdownPrivilege	1464	explorer.exe
Token: SeShutdownPrivilege	1464	explorer.exe
Token: SeShutdownPrivilege	1464	explorer.exe
Token: SeShutdownPrivilege	1464	explorer.exe
Token: SeShutdownPrivilege	1464	explorer.exe
Token: SeShutdownPrivilege	1464	explorer.exe
Token: SeShutdownPrivilege	1464	explorer.exe
Token: SeShutdownPrivilege	1464	explorer.exe
Token: SeShutdownPrivilege	1464	explorer.exe
Token: SeShutdownPrivilege	1464	explorer.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe
1464	explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2664	1996	powershell.exe	29
PID 1996 wrote to memory of 2664	1996	powershell.exe	29
PID 1996 wrote to memory of 2664	1996	powershell.exe	29
PID 1996 wrote to memory of 2820	1996	powershell.exe	33
PID 1996 wrote to memory of 2820	1996	powershell.exe	33
PID 1996 wrote to memory of 2820	1996	powershell.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Evase.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
  2⤵
  PID:2664
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "1996" "1144"
  2⤵
  PID:2820

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259420441.txt

Filesize
1KB

MD5
12ed6186e716223c8f9949c9ebfcae0d

SHA1
00373bbefb2a142a91a2e91f525eeb3ebf7aeabf

SHA256
4d285fdbdc7da83453d1c6d467a479b16be1b1ff89c19f1e126b2c3f3ed4d7bd

SHA512
d9ab4997a89e613df06b9348eb23b78c2f4b5d4e52e3994c2a650e9e052dfc5196474ab889cbc00bcc504639387fe3f150e53eda7cdadc2490ca64f74340c0e2

Download Submit
memory/1464-23-0x0000000003B00000-0x0000000003B10000-memory.dmp

Filesize
64KB

Download
memory/1464-19-0x0000000004480000-0x0000000004481000-memory.dmp

Filesize
4KB

Download
memory/1464-18-0x0000000004480000-0x0000000004481000-memory.dmp

Filesize
4KB

Download
memory/1996-7-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/1996-9-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/1996-10-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/1996-12-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/1996-13-0x0000000002A00000-0x0000000002A04000-memory.dmp

Filesize
16KB

Download
memory/1996-8-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

Filesize
9.6MB

Download
memory/1996-16-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/1996-17-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

Filesize
9.6MB

Download
memory/1996-4-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/1996-6-0x000007FEF56B0000-0x000007FEF604D000-memory.dmp

Filesize
9.6MB

Download
memory/1996-5-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads