f23362d0bd13b2226f2b422371fef0cf838e1f8aafeb010f4768493ba1053d22

General

Target

new.ps1
Size

242KB
MD5

aa0d92ff6d6a1d18f6149f6d0ad03139
SHA1

6a33134bf530a61b764bf2287baf8fd0aea603ab
SHA256

f97c9c2965a77ff2bc0cfd54b6d6102d1aab09a4e66a3a19b1b633adfecb874f
SHA512

4fff4cb24271e0cd74d1eec0cca903abb8dfb8dc02f574f606a6e32a0e0181cc0c0a36884d1132932a154bf84440c10066b76972a990c3114fe3b088103b8ea3
SSDEEP

3072:OArNzTVf/Cjx58ri12gF5p2wgy36JEpG5bOxD0qc+8IZLFV2rKppKtpgEezbInG:OARx/65rp2wgy5psqxDrv2epEPezbInG

Score

6^/10

execution persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\aeZaeCPwTj = "C:\\Users\\Admin\\AppData\\Roaming\\sehKCN.vbs"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2100 powershell.exe
2888 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2256 reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

2100 powershell.exe
2100 powershell.exe
2100 powershell.exe
2888 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2100 powershell.exe
Token: SeDebugPrivilege 2888 powershell.exe

pid	process
2100	powershell.exe
2888	powershell.exe

pid	process
2256	reg.exe

pid	process
2100	powershell.exe
2100	powershell.exe
2100	powershell.exe
2888	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

powershell.exeWScript.exepowershell.exe

description	pid	process	target process
PID 2100 wrote to memory of 2288	2100	powershell.exe	WScript.exe
PID 2100 wrote to memory of 2288	2100	powershell.exe	WScript.exe
PID 2100 wrote to memory of 2288	2100	powershell.exe	WScript.exe
PID 2100 wrote to memory of 2256	2100	powershell.exe	reg.exe
PID 2100 wrote to memory of 2256	2100	powershell.exe	reg.exe
PID 2100 wrote to memory of 2256	2100	powershell.exe	reg.exe
PID 2288 wrote to memory of 2888	2288	WScript.exe	powershell.exe
PID 2288 wrote to memory of 2888	2288	WScript.exe	powershell.exe
PID 2288 wrote to memory of 2888	2288	WScript.exe	powershell.exe
PID 2888 wrote to memory of 2768	2888	powershell.exe	csc.exe
PID 2888 wrote to memory of 2768	2888	powershell.exe	csc.exe
PID 2888 wrote to memory of 2768	2888	powershell.exe	csc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\new.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\sehKCN.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exEc byPaSS -fiLe C:\Users\Admin\AppData\Roaming\VubuyfaVLadTy.ps1
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\47nkjwe3.cmdline"
4⤵
PID:2768

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" Add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v aeZaeCPwTj /t REG_SZ /d C:\Users\Admin\AppData\Roaming\sehKCN.vbs /f
2⤵
- Adds Run key to start application
- Modifies registry key
PID:2256

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
181bcb51b9e3d327e04049b0b07fde86

SHA1
453859491de95d7bfc9ca992a1be73555b2fdadc

SHA256
289310d85590913af7b5e8a1dc27a7137b0fb279dd8007ab6399a77d9a76717a

SHA512
56cfbc04d4d9f5661378a310e6995d1960cf78ab7364d55c01379d26e58bee2b70cda760527623da5439e062b7acce3a73d07c7f79d47ee8e429afa35c79f16e

Download Submit
C:\Users\Admin\AppData\Roaming\VubuyfaVLadTy.ps1
Filesize
179KB

MD5
4f7d1b610c3154a148e0c3787cd8ec58

SHA1
81b7e5ea9dfcc05890f4e1574c8496a882291b86

SHA256
ac2216db81d8b78950a74601205b638d8c9076e11903d13efe82cfd7fd126845

SHA512
2b87fcb60288f3ff363ae7e054a3ab1be5b0f2a57a8e40996b94c9a934f962d14a1af1ca2f681a62fb08cf2dbb4bd9f69c2284322fbc185734b672478d89e68a

Download Submit
C:\Users\Admin\AppData\Roaming\sehKCN.vbs
Filesize
2KB

MD5
e5671d6bb4b7c012a32158fadea3c560

SHA1
e05b3e5897ee5c521ac5f71210d203b146f8dc52

SHA256
780df088a515769d8880fec4b674886aaa6969b923915dd20de59ac15fd5dc45

SHA512
82965d196eae0be74a2b1a408ced7daa198d634cb35b5a4fe746eb8fdc5bb52d1134509bb4ab69a2cf8e6f8dd8b195fb07bca183ce260b0b492e89ebc3f997f0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\47nkjwe3.0.cs
Filesize
50KB

MD5
37f63f0f16b64ce7d236cd71617be27a

SHA1
da34f42ade8f9a59819daf8f7aee8641ac759d9f

SHA256
2df77f6e41d5554787155f07d45751ab3b4a62f49c350197cafdd3f3159beed3

SHA512
3d6fec1c6269cdd0d9ca8ca8ba9a77fdf8b26d5cd3a936c578f3e7e7eb14efd0becc3aa64d4429deab03f03eeb07f6830d2f8d99e2dd6f330f62884149b0c518

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\47nkjwe3.cmdline
Filesize
309B

MD5
a205dab85c00b68efad22905f3c9341e

SHA1
93ec5942c1d933ff3ba209dc1bf521ba6a2dab97

SHA256
5565b105ba02ca152b15e4a7ab03fd03018aa6bdcb4410666c16f519f056229f

SHA512
7bbab36f187ad65d655569ce5d0884fbdf8928badd13954c4d904312cabfdb33830366e86b56cd2cbbdbf67dff17d000acce667c2ffb9c0f1cf078ea4e53c2ed

Download Submit
memory/2100-7-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

Filesize
9.6MB

Download
memory/2100-12-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

Filesize
9.6MB

Download
memory/2100-9-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

Filesize
9.6MB

Download
memory/2100-16-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

Filesize
9.6MB

Download
memory/2100-8-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

Filesize
9.6MB

Download
memory/2100-4-0x000007FEF59BE000-0x000007FEF59BF000-memory.dmp

Filesize
4KB

Download
memory/2100-6-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2100-5-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads