ae0ef6f7368de8b504832aadf49b703a40c30aba33a9077d77cec13ff7bb2ab0

General

Target

30042024_0855_lnvoice_bill___(83737738837)388475.ps1
Size

267KB
MD5

a27a0d0efc218a34b3869de11abc6f96
SHA1

c76826e0326325c3381e8f59b176077c2f717bba
SHA256

ae0ef6f7368de8b504832aadf49b703a40c30aba33a9077d77cec13ff7bb2ab0
SHA512

e79ec4ce989c0b54747d9d85dcef3f52021defe66a48c2ac57b76c6f1f6318a75b916e0fa575bb4304415e5cfc820356f378b164b818175c1b1d3ce8e644c9b8
SSDEEP

6144:SGNQeKCEIqQWVUBFJHFet4UHjbpjDB7oHv+JUB93CsL9QIH/zT:SGNQeKCEIqQWVUBFJHFelD1DB7oHv+Jk

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2496	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1728	powershell.exe
1728	powershell.exe
2652	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2748	1728	powershell.exe	29
PID 1728 wrote to memory of 2748	1728	powershell.exe	29
PID 1728 wrote to memory of 2748	1728	powershell.exe	29
PID 2748 wrote to memory of 2652	2748	WScript.exe	30
PID 2748 wrote to memory of 2652	2748	WScript.exe	30
PID 2748 wrote to memory of 2652	2748	WScript.exe	30
PID 2652 wrote to memory of 1756	2652	powershell.exe	32
PID 2652 wrote to memory of 1756	2652	powershell.exe	32
PID 2652 wrote to memory of 1756	2652	powershell.exe	32
PID 1756 wrote to memory of 2496	1756	cmd.exe	33
PID 1756 wrote to memory of 2496	1756	cmd.exe	33
PID 1756 wrote to memory of 2496	1756	cmd.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\30042024_0855_lnvoice_bill___(83737738837)388475.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Express\xx.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\Express\xx.bat
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\ProgramData\Express\xx.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1756
    - - C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /tn Express /sc minute /mo 3 /tr "C:\ProgramData\Express\Cotrl.vbs"
        5⤵
        Creates scheduled task(s)
        
        PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Express\xx.bat

Filesize
95B

MD5
43ff49fbde6f4391891cf2a46b406da4

SHA1
695b9eb511af67cab16d5cf108258947f864e2da

SHA256
5ad35cc29456c109608243d046951e541ee44aef379eea3a5304e6a17a1b806f

SHA512
ac9e4fb602412aedc65dd5ac312b7c61d4ed183d4e2150d98c4b5c485caafc3a42f3c26fdfc68c4a305e1a9ed40e9b63898f02932a3247019d2c66d822939364

Download Submit
C:\ProgramData\Express\xx.vbs

Filesize
775B

MD5
c840c0438f2fae0ddda74a43411a9b01

SHA1
786f5955d835d1d4c137ffed6a15fdfa6b5d5db0

SHA256
e262ddea8db55b52c2aee29444ef27b28f6a0f0da3e4c79ae823e8ad67ef1749

SHA512
142da2962e2a7897e1f96aa98d178fcc7f8729c76c090bf04b3a3a358cc75ac10933278fa78295eb649634471a31b16c399ebc417a3205dbc31583a2a3c9d78d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
03d25e2ee1cc4223112bd338075f9e13

SHA1
458469ef20872fdfb4ab179384d3b862b1a24e81

SHA256
2a91f9f3dca3d78d4658ecd2476f1551c896ed85c2ccaf4d393711ea573f6e2e

SHA512
369b86cab36fe93336500b095660af299f4923909412f2cf48e8c62fdc14af8e97c6fc81ba975194bfd475d8f4a66e5b5857fb576569385b6e3f9bd6b23cbcbf

Download Submit
memory/1728-7-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1728-8-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download
memory/1728-9-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1728-11-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1728-10-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/1728-19-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download
memory/1728-5-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/1728-6-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download
memory/1728-4-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2652-26-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2652-27-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads