f23362d0bd13b2226f2b422371fef0cf838e1f8aafeb010f4768493ba1053d22

General

Target

new.ps1
Size

242KB
MD5

aa0d92ff6d6a1d18f6149f6d0ad03139
SHA1

6a33134bf530a61b764bf2287baf8fd0aea603ab
SHA256

f97c9c2965a77ff2bc0cfd54b6d6102d1aab09a4e66a3a19b1b633adfecb874f
SHA512

4fff4cb24271e0cd74d1eec0cca903abb8dfb8dc02f574f606a6e32a0e0181cc0c0a36884d1132932a154bf84440c10066b76972a990c3114fe3b088103b8ea3
SSDEEP

3072:OArNzTVf/Cjx58ri12gF5p2wgy36JEpG5bOxD0qc+8IZLFV2rKppKtpgEezbInG:OARx/65rp2wgy5psqxDrv2epEPezbInG

Score

6^/10

execution persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\aeZaeCPwTj = "C:\\Users\\Admin\\AppData\\Roaming\\sehKCN.vbs"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2012 powershell.exe
2904 powershell.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2788 reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

2012 powershell.exe
2012 powershell.exe
2012 powershell.exe
2904 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2012 powershell.exe
Token: SeDebugPrivilege 2904 powershell.exe

pid	process
2012	powershell.exe
2904	powershell.exe

pid	process
2788	reg.exe

pid	process
2012	powershell.exe
2012	powershell.exe
2012	powershell.exe
2904	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

powershell.exeWScript.exepowershell.exe

description	pid	process	target process
PID 2012 wrote to memory of 2648	2012	powershell.exe	WScript.exe
PID 2012 wrote to memory of 2648	2012	powershell.exe	WScript.exe
PID 2012 wrote to memory of 2648	2012	powershell.exe	WScript.exe
PID 2012 wrote to memory of 2788	2012	powershell.exe	reg.exe
PID 2012 wrote to memory of 2788	2012	powershell.exe	reg.exe
PID 2012 wrote to memory of 2788	2012	powershell.exe	reg.exe
PID 2648 wrote to memory of 2904	2648	WScript.exe	powershell.exe
PID 2648 wrote to memory of 2904	2648	WScript.exe	powershell.exe
PID 2648 wrote to memory of 2904	2648	WScript.exe	powershell.exe
PID 2904 wrote to memory of 2308	2904	powershell.exe	csc.exe
PID 2904 wrote to memory of 2308	2904	powershell.exe	csc.exe
PID 2904 wrote to memory of 2308	2904	powershell.exe	csc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\new.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\sehKCN.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exEc byPaSS -fiLe C:\Users\Admin\AppData\Roaming\VubuyfaVLadTy.ps1
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nnhhmkfo.cmdline"
4⤵
PID:2308

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" Add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v aeZaeCPwTj /t REG_SZ /d C:\Users\Admin\AppData\Roaming\sehKCN.vbs /f
2⤵
- Adds Run key to start application
- Modifies registry key
PID:2788

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
e4455bcafdffacde3e5a96ea64b7d9fd

SHA1
5ca676d0f3e64b7fc388736f4fe8486521c141d8

SHA256
490af3c78af5e2ac7ed4f586b6e3db1292938bdd1679edf1b9f042d96c977771

SHA512
a19a49ee8b6c8d2ad52b6b8cdf747a99d67171d5672a4e9b90b8e2ea061223b433ed0c831c356904872bf5cabc189d2edf37778372d868fb3b9d504c35a50a6f

Download Submit
C:\Users\Admin\AppData\Roaming\VubuyfaVLadTy.ps1
Filesize
179KB

MD5
4f7d1b610c3154a148e0c3787cd8ec58

SHA1
81b7e5ea9dfcc05890f4e1574c8496a882291b86

SHA256
ac2216db81d8b78950a74601205b638d8c9076e11903d13efe82cfd7fd126845

SHA512
2b87fcb60288f3ff363ae7e054a3ab1be5b0f2a57a8e40996b94c9a934f962d14a1af1ca2f681a62fb08cf2dbb4bd9f69c2284322fbc185734b672478d89e68a

Download Submit
C:\Users\Admin\AppData\Roaming\sehKCN.vbs
Filesize
2KB

MD5
e5671d6bb4b7c012a32158fadea3c560

SHA1
e05b3e5897ee5c521ac5f71210d203b146f8dc52

SHA256
780df088a515769d8880fec4b674886aaa6969b923915dd20de59ac15fd5dc45

SHA512
82965d196eae0be74a2b1a408ced7daa198d634cb35b5a4fe746eb8fdc5bb52d1134509bb4ab69a2cf8e6f8dd8b195fb07bca183ce260b0b492e89ebc3f997f0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nnhhmkfo.0.cs
Filesize
50KB

MD5
37f63f0f16b64ce7d236cd71617be27a

SHA1
da34f42ade8f9a59819daf8f7aee8641ac759d9f

SHA256
2df77f6e41d5554787155f07d45751ab3b4a62f49c350197cafdd3f3159beed3

SHA512
3d6fec1c6269cdd0d9ca8ca8ba9a77fdf8b26d5cd3a936c578f3e7e7eb14efd0becc3aa64d4429deab03f03eeb07f6830d2f8d99e2dd6f330f62884149b0c518

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nnhhmkfo.cmdline
Filesize
309B

MD5
7ce9baa4751c2261bd31fb2e8f081edc

SHA1
c7e55850c46baf1f8b80fa1da5788542b525dfd8

SHA256
34055c5f4a8f92c5c359d4f0184b98ef4485bdf5c7e6499fce49e92b8ab23c49

SHA512
0f12c6b466c855b66f8f41e8eb62461bd50c8b56b5f6c3735fcb04f44358ceb45ff8644323bad5cddde98d3d65934c0188fb2b23174a790faf28693d6e64d864

Download Submit
memory/2012-10-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/2012-4-0x000007FEF52EE000-0x000007FEF52EF000-memory.dmp

Filesize
4KB

Download
memory/2012-15-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/2012-9-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/2012-17-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/2012-8-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/2012-7-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/2012-6-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2012-5-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2904-23-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads