db1b59a6777f2d0e813317be50541ff20b72dd82711feb6f73c875e58a37343b

General

Target

scr1ipt.ps1
Size

7KB
MD5

c44d7216c3cc62db69cbe60ac2e67a1c
SHA1

3a7aedb6c1f4d072c4656dbd49317fe5b38dcc12
SHA256

db1b59a6777f2d0e813317be50541ff20b72dd82711feb6f73c875e58a37343b
SHA512

892cc044bab84a48a953f8a46a55247c12bfb3b34774e106ae4632b3bc7e6f63ec88299c3a685d46c64f49c497a261057acc4184bf3a4d9487fd0e7d2817456d
SSDEEP

192:7qFeaF0diqqeaYzkIJm/5Z0dK7ZhWz7Xhbi9pdM3:79QV83YIcRZ3ZhSGQ

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
8	3080	powershell.exe
10	3080	powershell.exe
11	3080	powershell.exe
12	3080	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
388	hv.exe
4868	hv.exe

Loads dropped DLL 3 IoCs

pid	Process
388	hv.exe
4868	hv.exe
1520	0x21.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4868 set thread context of 4024	4868	hv.exe	84

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3080	powershell.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3080	powershell.exe
3080	powershell.exe
388	hv.exe
4868	hv.exe
4868	hv.exe
4024	netsh.exe
4024	netsh.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4868	hv.exe
4024	netsh.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3080	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
388	hv.exe
4868	hv.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 388	3080	powershell.exe	82
PID 3080 wrote to memory of 388	3080	powershell.exe	82
PID 3080 wrote to memory of 388	3080	powershell.exe	82
PID 388 wrote to memory of 4868	388	hv.exe	83
PID 388 wrote to memory of 4868	388	hv.exe	83
PID 388 wrote to memory of 4868	388	hv.exe	83
PID 4868 wrote to memory of 4024	4868	hv.exe	84
PID 4868 wrote to memory of 4024	4868	hv.exe	84
PID 4868 wrote to memory of 4024	4868	hv.exe	84
PID 4868 wrote to memory of 4024	4868	hv.exe	84
PID 4024 wrote to memory of 1520	4024	netsh.exe	86
PID 4024 wrote to memory of 1520	4024	netsh.exe	86
PID 4024 wrote to memory of 1520	4024	netsh.exe	86
PID 4024 wrote to memory of 1520	4024	netsh.exe	86

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\scr1ipt.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Users\Admin\AppData\Local\Temp\pQG2mxvi\hv.exe
  "C:\Users\Admin\AppData\Local\Temp\pQG2mxvi\hv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Users\Admin\AppData\Roaming\BqDaemon\hv.exe
    C:\Users\Admin\AppData\Roaming\BqDaemon\hv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\SysWOW64\netsh.exe
      C:\Windows\SysWOW64\netsh.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4024
    - - C:\Users\Admin\AppData\Local\Temp\0x21.pif
        
        C:\Users\Admin\AppData\Local\Temp\0x21.pif
        5⤵
        Loads dropped DLL
        
        PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0x21.pif

Filesize
76KB

MD5
f43c6b629baaaaee1e7fe095a8821631

SHA1
f0e4b84bb1fa6ba985e281f3afc9642afca168b5

SHA256
4196f6776110e75a9670fb5843f373e90e88c0826ead45a30e9578221ff44ae3

SHA512
2b475850705fa37dd0c1b093d31ccce48ffdbcc614215ffb304070b4f31e16ca651d4569af39b36482c848751f1e31b7fd647bd23245718a0a1e877a6417878a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9444ff2b

Filesize
1.1MB

MD5
da3f6fedc380952fa07a401a1ddb887e

SHA1
8846cd0f4b2ce11e6d05a9e5d89f1f2e52d6eced

SHA256
4709f93d6942e16c3bf03297389856ca4f0429d2a51d1a8ade8f5683586ed6e6

SHA512
76f98b7de1b09db528d286ecc2b78fe20edce3c00b155000c519acbaa5c225c92d6ce960a7ed83fb5b70b437e85fdcb329ec026328dee2b92b3efd1c02b6a91a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x3vpxjuv.or2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQG2mxvi\hv.exe

Filesize
8.7MB

MD5
480f8cf600f5509595b8418c6534caf2

SHA1
dc13258ebb83bdf956523d751f67e29d6e4cf77e

SHA256
6d8905ec0b1dfdc0a10d1cce40714ddd73205a09ad390b933ddbecdcf06a4cf2

SHA512
f0bd99f68d59e80538fb276945d0f383394cb94a35c6d12ebd3e87061222249f78b9ca75716b33e36b66842b97c71149612111fcb6a8a3bc3a97635b03934aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQG2mxvi\iepdf32.dll

Filesize
4.3MB

MD5
f3f6876d132eb277842e31ddc42aa7fa

SHA1
9c167a2854ed106b74dff55a30bdefc55b140e9a

SHA256
4ba2ddde8a4549d08bfe4441643aa626e84d7653b8ddc6ed61823e78aeb3cdf1

SHA512
38b86c745945b0f97461542f89b2570210ddc3fcfeabfe2243a3b861dd80be6641e4b4181956d73926b7926d7c460db8a908ccb912c5209003ee24427aa135f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQG2mxvi\rhombohedron.ai

Filesize
59KB

MD5
674dfd74a1bef081bf0da83f893138e5

SHA1
2a254cc02fea4c55bbc3133b99a9e2fd03082ae7

SHA256
67ff95298e395543ea0c9eeec6bfff81688df379bec578aa31c52d214b385180

SHA512
0b2bfbe287a037d46d881a00638a3c272197cf3537bc74169c07c7721cda2bf94927268bfd6cb965ad56e1ac98e3466d809cbc67f2e4d971dd0d7da9568a4cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQG2mxvi\shovelnose.deb

Filesize
827KB

MD5
90b47672d8134f8cc464d83a5cde8d34

SHA1
69567e6a2dd5569b8cd2876a275f5d9a2ad8743f

SHA256
cc38b5cb522fdf8d2fe5e85c50d72e1b8ac39d36deb157d4bffdda7970c5ba8b

SHA512
7dbeb8d4a5674c088fa904a9fdcddf9cb84d41b2d2c887ba38cfcdd1ac30cf4cd8ae28bc33fc3ee51139e78645f7fb580dfaf57e939c4e144b79d507a1d1d90b

Download Submit
memory/388-47-0x0000000075E80000-0x0000000075EE4000-memory.dmp

Filesize
400KB

Download
memory/388-49-0x00007FFC79140000-0x00007FFC79349000-memory.dmp

Filesize
2.0MB

Download
memory/388-45-0x0000000001540000-0x0000000001541000-memory.dmp

Filesize
4KB

Download
memory/388-57-0x00000000007E0000-0x00000000010B6000-memory.dmp

Filesize
8.8MB

Download
memory/1520-73-0x00007FFC79140000-0x00007FFC79349000-memory.dmp

Filesize
2.0MB

Download
memory/1520-74-0x00000000003E0000-0x0000000000438000-memory.dmp

Filesize
352KB

Download
memory/1520-75-0x00000000003E0000-0x0000000000438000-memory.dmp

Filesize
352KB

Download
memory/3080-16-0x000001F74BE50000-0x000001F74C5F6000-memory.dmp

Filesize
7.6MB

Download
memory/3080-44-0x00007FFC57DF0000-0x00007FFC588B2000-memory.dmp

Filesize
10.8MB

Download
memory/3080-38-0x00007FFC57DF3000-0x00007FFC57DF5000-memory.dmp

Filesize
8KB

Download
memory/3080-19-0x000001F74AA20000-0x000001F74AA2A000-memory.dmp

Filesize
40KB

Download
memory/3080-48-0x00007FFC57DF0000-0x00007FFC588B2000-memory.dmp

Filesize
10.8MB

Download
memory/3080-18-0x000001F74AA40000-0x000001F74AA52000-memory.dmp

Filesize
72KB

Download
memory/3080-0-0x00007FFC57DF3000-0x00007FFC57DF5000-memory.dmp

Filesize
8KB

Download
memory/3080-14-0x000001F74B170000-0x000001F74B698000-memory.dmp

Filesize
5.2MB

Download
memory/3080-9-0x00007FFC57DF0000-0x00007FFC588B2000-memory.dmp

Filesize
10.8MB

Download
memory/3080-10-0x000001F74A540000-0x000001F74A562000-memory.dmp

Filesize
136KB

Download
memory/3080-11-0x00007FFC57DF0000-0x00007FFC588B2000-memory.dmp

Filesize
10.8MB

Download
memory/3080-13-0x000001F74AA70000-0x000001F74AC32000-memory.dmp

Filesize
1.8MB

Download
memory/3080-12-0x00007FFC57DF0000-0x00007FFC588B2000-memory.dmp

Filesize
10.8MB

Download
memory/4024-68-0x00007FFC79140000-0x00007FFC79349000-memory.dmp

Filesize
2.0MB

Download
memory/4868-66-0x0000000000240000-0x0000000000B16000-memory.dmp

Filesize
8.8MB

Download
memory/4868-64-0x0000000075E80000-0x0000000075EE4000-memory.dmp

Filesize
400KB

Download
memory/4868-63-0x00007FFC79140000-0x00007FFC79349000-memory.dmp

Filesize
2.0MB

Download
memory/4868-62-0x0000000075E80000-0x0000000075EE4000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing