5cc8c3c4d011cdbe7306dfb8ba52b14909ed06db2c1a465c31cc59e6f532cb22

General

Target

Psloramyra.ps1
Size

2.1MB
MD5

032ea6f45fdd2fa1bd9b6cb5f425dc54
SHA1

aaac83baf4a939a4c3b9ff5a16dbcb472cab9592
SHA256

5cc8c3c4d011cdbe7306dfb8ba52b14909ed06db2c1a465c31cc59e6f532cb22
SHA512

222ca7941b7df2d2e4d7310a557cc6cdb43c33368d9632610b428b1a117a5c272504dae677216b678e4c65887f779f60078dd6096a1280aa834b1a3fcb97c379
SSDEEP

6144:ccVzJb1d4aU/hQVBJ2A7Is2Csr1l5mH9OdHUb3ngo1:v

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2664 powershell.exe
1676 powershell.exe
2116 powershell.exe

pid	process
2664	powershell.exe
1676	powershell.exe
2116	powershell.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2664 powershell.exe
1676 powershell.exe
2116 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2664 powershell.exe
Token: SeDebugPrivilege 1676 powershell.exe
Token: SeDebugPrivilege 2116 powershell.exe

pid	process
2664	powershell.exe
1676	powershell.exe
2116	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

taskeng.exeWScript.execmd.exeWScript.execmd.exe

description	pid	process	target process
PID 588 wrote to memory of 2876	588	taskeng.exe	WScript.exe
PID 588 wrote to memory of 2876	588	taskeng.exe	WScript.exe
PID 588 wrote to memory of 2876	588	taskeng.exe	WScript.exe
PID 2876 wrote to memory of 604	2876	WScript.exe	cmd.exe
PID 2876 wrote to memory of 604	2876	WScript.exe	cmd.exe
PID 2876 wrote to memory of 604	2876	WScript.exe	cmd.exe
PID 604 wrote to memory of 1676	604	cmd.exe	powershell.exe
PID 604 wrote to memory of 1676	604	cmd.exe	powershell.exe
PID 604 wrote to memory of 1676	604	cmd.exe	powershell.exe
PID 588 wrote to memory of 3028	588	taskeng.exe	WScript.exe
PID 588 wrote to memory of 3028	588	taskeng.exe	WScript.exe
PID 588 wrote to memory of 3028	588	taskeng.exe	WScript.exe
PID 3028 wrote to memory of 1688	3028	WScript.exe	cmd.exe
PID 3028 wrote to memory of 1688	3028	WScript.exe	cmd.exe
PID 3028 wrote to memory of 1688	3028	WScript.exe	cmd.exe
PID 1688 wrote to memory of 2116	1688	cmd.exe	powershell.exe
PID 1688 wrote to memory of 2116	1688	cmd.exe	powershell.exe
PID 1688 wrote to memory of 2116	1688	cmd.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Psloramyra.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\system32\taskeng.exe
taskeng.exe {C70AFC48-7DCE-4EAE-9BB1-FFE063A86288} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:588
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Public\roox.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Users\Public\roox.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\roox.ps1'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1676
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Public\roox.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Users\Public\roox.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\roox.ps1'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b991ca026d0984e20634fc2775bb9c49

SHA1
24794b80678b4547d22a747a41ab395243e4ffe0

SHA256
9ba561c55250e4f201f4ee5c1ae2101ddc252094184bf91c76e09930cf4d4b79

SHA512
5536683011246a1fe685d70ef1f172302da0797120b003b51290b3b61bdf7c3040b7a8f089b7b85096b3910d651bae83a60807e7d8501bc20dcfac0178be74e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WJUU76QFICERED15S7VM.temp

Filesize
7KB

MD5
1d095a6e1144a106a2ebe818da348f46

SHA1
bb46017d0e0ab591ff89cc388540cbbb162352ab

SHA256
17a6914ecda145b9d5e395f8ce4bbf88dbe0a475323a659f7428544d0180110f

SHA512
f479e12984f4f79cfa69f880d1b5b5cb12fd3733d57f7b9e7f25e088a980a0d15b7123c8cffe49ab60842f6bfece6d26e1548ad6fccb2525f09f110d8afb0790

Download Submit
C:\Users\Public\roox.bat

Filesize
195B

MD5
0344d401c7266a2bc6d19f5a2bc90040

SHA1
d3bf5a4b55b523429f3c7cb58ffa19504bececfc

SHA256
a3a38fb5090f5b9c951160d60d2fcd0e4488b3e72b1823fc17ef34a15fe9dab7

SHA512
59b448d02dadd2934abf88c40e25fec741724112e1320770b06df9b862643f2eba9cedee9d58244145fbece6d0d366380d6d2d6b56082a97649683ca10f9bc07

Download Submit
C:\Users\Public\roox.ps1

Filesize
2.1MB

MD5
9ba3e0c0ba321f160209023c4fdcc3d4

SHA1
55f876754d36ab08a3e8f0a47d39c48b8a84fb61

SHA256
a2fde94bdfe9e8d15478484c3de0314a73618f41591cbffca473708c66899e39

SHA512
cd551a87d48421748a9e8c90eeecbd48a185be5b7439e2d35ac994da07bc94ee77f48678b7f617423bb9356dabc20f62ec77be24ddbd60e34d0927fde350e650

Download Submit
C:\Users\Public\roox.vbs

Filesize
686B

MD5
a0a3c05080df4421295e559291304405

SHA1
286e02a003b7e26a381e41d2127ffb0ed371f5b4

SHA256
22889b8d447ea679e8b2fb27eca95d0f04056203c9214818758b0a21379ea323

SHA512
ee9971cda442f9dd305e0810babd0a5f94589a966b2a4f10421b341d6e7914fed3f2a12821dc56d338f7ec5ba9a38830727d0e17fd18257e45ebabd7612e99b4

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1676-23-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1676-22-0x000000001B810000-0x000000001BAF2000-memory.dmp

Filesize
2.9MB

Download
memory/2664-8-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-13-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-7-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-9-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp

Filesize
9.6MB

Download
memory/2664-4-0x000007FEF577E000-0x000007FEF577F000-memory.dmp

Filesize
4KB

Download
memory/2664-6-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2664-5-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing