ec7d6975587d8dd4effb5727882b1fbb867766d4df73ec304c88d27362ce6ace

General

Target

2.ps1
Size

1002KB
MD5

53c4c7466cebb3357a4bf5fdde6e03bd
SHA1

3ae57e66c6651b2c35b873db5de86b87ccc969ad
SHA256

ec7d6975587d8dd4effb5727882b1fbb867766d4df73ec304c88d27362ce6ace
SHA512

aa7a49bde2e30748853b66c772d5bc72372699d52a0d4806d373e870eaa0488ba6ff7b92669e15c9b0180f4cfebd45e698a75b514512b6eddb338dfaf2d2a75e
SSDEEP

24576:TawjBUo3v/AOhx415r2X0Kin4clpSeuoZ+tF0USjpMmaXBxwP0oOGAlLRqkbx2yY:e

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2780	powershell.exe
1280	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2780	powershell.exe
1280	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 1036	1820	taskeng.exe	33
PID 1820 wrote to memory of 1036	1820	taskeng.exe	33
PID 1820 wrote to memory of 1036	1820	taskeng.exe	33
PID 1036 wrote to memory of 2556	1036	WScript.exe	34
PID 1036 wrote to memory of 2556	1036	WScript.exe	34
PID 1036 wrote to memory of 2556	1036	WScript.exe	34
PID 2556 wrote to memory of 1280	2556	cmd.exe	36
PID 2556 wrote to memory of 1280	2556	cmd.exe	36
PID 2556 wrote to memory of 1280	2556	cmd.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\system32\taskeng.exe
taskeng.exe {7785D090-ED45-438F-8CFD-6CA806C7D389} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Public\wingro8.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Users\Public\wingro8.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\wingro8.ps1'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
937e050be687f9a1e0bdbaacf6d56f2e

SHA1
1383c504a925e0fc9cd6c42eae7d76eb58ae7c73

SHA256
1f737b83165a8fab9b3da8c2bfb2da757210c789e32e5e45a1776006a76ecf32

SHA512
904d8939c27f7b8667e14c2f35cc55ca104fdd1cdaea17d3e6630198fe89a6bc217d4a003c3013905717d8765149070c352c46974e947cd29ca2ca33e33da6c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K85XBX0P0VO3I3A8GQ38.temp

Filesize
7KB

MD5
d329c6aa1a5b9fb614224d6314fb4da7

SHA1
4f6520ae47aad6c66f8f18ba9d4a862a457fe139

SHA256
5ea7cb879a0e5fb9115a775b5d23991eec5baf93ca3510e62817039395e0d689

SHA512
c78557929f32dc390664a48ad5b6fe03a8a5e71dd44a646de158f2b9ab3bfccfeede9f3b5b5ed57519d52dcc4b2086f2672eb9e3eb069bcacfbcc43e53fe5f4f

Download Submit
C:\Users\Public\wingro8.bat

Filesize
204B

MD5
9ae3fd9aa024c8c635043f25e14e4582

SHA1
346bdf6d3fb90733b29e4b0679eed419d2337d8a

SHA256
08eb7706a9e1efa8a68e0174bc5d62fd48282ffafc561819c3bc87784a80e73f

SHA512
b4a87e683517cdfc1df43a08b238844bac0319be234ccfddb1ba0c55bc321d5f3b592a7ecd795370d735c629ff2122d9a6405c181a16128606ba4b26c1f67af2

Download Submit
C:\Users\Public\wingro8.ps1

Filesize
1000KB

MD5
a7c519fa08aa6c0e88292f403244958d

SHA1
66aa43c3d645041957e7da8ad263c6c8ac21875f

SHA256
6b69b5238db51c77517e5ad018160b9d1be9b9d6af217033b4cf0648e4dfe1fd

SHA512
f621dc60aed94d8571a75b9f3ef83831de09fa1baebd21e12d476c67315745b6974bd76c163c623ee765f7e181da4291aa298574397782020e0b4585911fb1bd

Download Submit
C:\Users\Public\wingro8.vbs

Filesize
689B

MD5
aeee1749af12130d3f8c69f286d82904

SHA1
1199175f300c2249c1e6fedb28efa44acffa88b1

SHA256
40dd27ce5d1b906557495317c0c0164cce12baab5dae79028b1539a65a9caf2b

SHA512
f8e944b7de50ef6200606f334b82216ea177bea391b3464bacda0db44395a346994cdb26f1bba4c83e6044f88b76cad87d89179ced0ea09114d15aeab49fffec

Download Submit
memory/1280-24-0x0000000002EB0000-0x0000000002EE4000-memory.dmp

Filesize
208KB

Download
memory/1280-22-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1280-21-0x000000001B800000-0x000000001BAE2000-memory.dmp

Filesize
2.9MB

Download
memory/2780-7-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download
memory/2780-13-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download
memory/2780-9-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download
memory/2780-8-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download
memory/2780-4-0x000007FEF5DCE000-0x000007FEF5DCF000-memory.dmp

Filesize
4KB

Download
memory/2780-6-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/2780-5-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing