f02820869fb4768c2e5e04f85168bde9222b11c3c575118296be5dfd6af07b3a

General

Target

airobuxgen.ps1
Size

2KB
MD5

3991073564f05900f8dcf9ea6d65893d
SHA1

18e1d0109180a84dad717943262b38c0d827a009
SHA256

f02820869fb4768c2e5e04f85168bde9222b11c3c575118296be5dfd6af07b3a
SHA512

f1341a552b9d72d150a34e15ee278dcc107e4aedc4773728b26cf0f0406cef51d823e7443d3ae2cd8bf4ecadfc1c18ebb00b6aa0d2f6a872022f9654a6d0dd3f

Score

8^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2536	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\FakeMalware = "C:\\Windows\\System32\\malware.bat"	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\malware.bat	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2552	powershell.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2376	cmd.exe
3060	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3060	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2552	powershell.exe
2552	powershell.exe
2552	powershell.exe
2552	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2536	2552	powershell.exe	31
PID 2552 wrote to memory of 2536	2552	powershell.exe	31
PID 2552 wrote to memory of 2536	2552	powershell.exe	31
PID 2552 wrote to memory of 3004	2552	powershell.exe	32
PID 2552 wrote to memory of 3004	2552	powershell.exe	32
PID 2552 wrote to memory of 3004	2552	powershell.exe	32
PID 2552 wrote to memory of 2376	2552	powershell.exe	33
PID 2552 wrote to memory of 2376	2552	powershell.exe	33
PID 2552 wrote to memory of 2376	2552	powershell.exe	33
PID 2376 wrote to memory of 3060	2376	cmd.exe	34
PID 2376 wrote to memory of 3060	2376	cmd.exe	34
PID 2376 wrote to memory of 3060	2376	cmd.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\airobuxgen.ps1
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2536
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /tn MaliciousTask /tr C:\Windows\System32\malware.bat /sc onlogon /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3004
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c ping localhost -n 5 >nul & echo Injecting into process
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3060

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2552-4-0x000007FEF5C9E000-0x000007FEF5C9F000-memory.dmp

Filesize
4KB

Download
memory/2552-5-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2552-6-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2552-7-0x000007FEF59E0000-0x000007FEF637D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-9-0x000007FEF59E0000-0x000007FEF637D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-10-0x000007FEF59E0000-0x000007FEF637D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-8-0x000007FEF59E0000-0x000007FEF637D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-11-0x000007FEF59E0000-0x000007FEF637D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-13-0x000007FEF59E0000-0x000007FEF637D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-14-0x000007FEF5C9E000-0x000007FEF5C9F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads