27be11fa92a078991c195850e10e1acfac1bd78f860cb803fffe7c9622227983

General

Target

YQpjoXnBJr/WRQDouwL.ps1
Size

150KB
MD5

8c16f434c6368c0a59d01f82dfdae4c8
SHA1

9fb837536241866db25be8af035f47f24539bfd3
SHA256

f4faf31b67ed1262db67a8dee7014841e7197cce87e66a8faa270a97bc0e909d
SHA512

c86e56965559cacc2db25f5d0b86f99bc10fe91d1b698a63c183e4da700760ba8f7772612d036148cefa4e66459675b44e44fb95f8467a6c5af6b9f353c5b9c7
SSDEEP

3072:n0fsUhwCt/AO41upua+ZaGxMYb4QR3TjqjHnPg2pwQ5YV:n0fswwCto/1upua+ZaGCYb4QlT6HPTwT

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
2580	powershell.exe
2476	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
2832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
2580	powershell.exe
2580	powershell.exe
2580	powershell.exe
2476	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

powershell.exetaskeng.exewscript.EXE

description	pid	Process	procid_target
PID 2580 wrote to memory of 2068	2580	powershell.exe	30
PID 2580 wrote to memory of 2068	2580	powershell.exe	30
PID 2580 wrote to memory of 2068	2580	powershell.exe	30
PID 2580 wrote to memory of 2832	2580	powershell.exe	31
PID 2580 wrote to memory of 2832	2580	powershell.exe	31
PID 2580 wrote to memory of 2832	2580	powershell.exe	31
PID 2336 wrote to memory of 948	2336	taskeng.exe	35
PID 2336 wrote to memory of 948	2336	taskeng.exe	35
PID 2336 wrote to memory of 948	2336	taskeng.exe	35
PID 948 wrote to memory of 2476	948	wscript.EXE	36
PID 948 wrote to memory of 2476	948	wscript.EXE	36
PID 948 wrote to memory of 2476	948	wscript.EXE	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\YQpjoXnBJr\WRQDouwL.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /query /FO CSV /v
  2⤵
  PID:2068
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /F /create /sc minute /mo 4 /TN "S0FaxGsOziM" /ST 07:00 /TR "wscript /nologo /E:vbscript c:\users\Admin\AppData\Roaming\\FaxGsOziM\WmDyRVOz.rock"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2832

C:\Windows\system32\taskeng.exe
taskeng.exe {66964827-35E0-42C8-A929-009B3180C58A} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE /nologo /E:vbscript c:\users\Admin\AppData\Roaming\\FaxGsOziM\WmDyRVOz.rock
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file WmDyRVOz.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a9e1c026ff6cd661ad474d6c2408d000

SHA1
5edb37fcf63cc3daa8c0dc2c99392bcfb0bbedf2

SHA256
0560a11cf75595d5b0cc30bf4fa64267e6bbd950e8fbfbb5b478b6779f5d1607

SHA512
147ec1b68bd6b999280b4d645b1103e2aef8fdea21563c1c5588a07de2848215c5da1bc4701b8799bc9d5f11afc31bb0285f77799c3d413c80c52a93ea86fb59

Download Submit
\??\c:\users\Admin\AppData\Roaming\FaxGsOziM\WmDyRVOz.rock

Filesize
930B

MD5
687056c4b4a9f061b5e59ac7f86a6a9d

SHA1
7571f66c3a4ff88dd730efcf9f667d328aa2be80

SHA256
c0153cbe1f370b171d3042d48ee0db1a6c3695390547a0c8cca9273f95c8f0a6

SHA512
35798509cf530681cf10e0a870c846030ebe8b01851a7e5a5f67aaf2072952817d9b1aca2988bb76e1e3e6d931c51725ac39658800528d84cba76fd4e09e5fdf

Download Submit
memory/2476-23-0x00000000024F0000-0x00000000024F8000-memory.dmp

Filesize
32KB

Download
memory/2476-22-0x000000001B140000-0x000000001B422000-memory.dmp

Filesize
2.9MB

Download
memory/2580-7-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-9-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-10-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-11-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-15-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-8-0x000007FEF5900000-0x000007FEF629D000-memory.dmp

Filesize
9.6MB

Download
memory/2580-4-0x000007FEF5BBE000-0x000007FEF5BBF000-memory.dmp

Filesize
4KB

Download
memory/2580-5-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download
memory/2580-6-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads