27be11fa92a078991c195850e10e1acfac1bd78f860cb803fffe7c9622227983

General

Target

YQpjoXnBJr/WRQDouwL.png.ps1
Size

304KB
MD5

803d84838415f3c36742821f70203a8f
SHA1

e3b4bc28676f9f1c2c71fff706d240e9557df75e
SHA256

e20d63d82415c54f408d750f77b1442b4540e1e7eca70cc5e77fc06a093a1eec
SHA512

e083ed91c0eb5316d12ba090f2c14ed8a01075ebbb25a47f1f30ef56bf9877556aebb9e12ea0d39ef7ff5fcfd98e43c6c4fdb828936264e5abe75f2620277000
SSDEEP

1536:xoXGg/lCHSnPiCqoUZRCHJt50IRNGTRwOs3iFXO57fEPmjwl3Fo5+w5vKBx9SG0W:fmmp

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
1868	powershell.exe
1440	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
2192	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
1868	powershell.exe
1868	powershell.exe
1868	powershell.exe
1440	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

powershell.exetaskeng.exewscript.EXE

description	pid	Process	procid_target
PID 1868 wrote to memory of 1256	1868	powershell.exe	31
PID 1868 wrote to memory of 1256	1868	powershell.exe	31
PID 1868 wrote to memory of 1256	1868	powershell.exe	31
PID 1868 wrote to memory of 2192	1868	powershell.exe	32
PID 1868 wrote to memory of 2192	1868	powershell.exe	32
PID 1868 wrote to memory of 2192	1868	powershell.exe	32
PID 1540 wrote to memory of 1296	1540	taskeng.exe	37
PID 1540 wrote to memory of 1296	1540	taskeng.exe	37
PID 1540 wrote to memory of 1296	1540	taskeng.exe	37
PID 1296 wrote to memory of 1440	1296	wscript.EXE	38
PID 1296 wrote to memory of 1440	1296	wscript.EXE	38
PID 1296 wrote to memory of 1440	1296	wscript.EXE	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\YQpjoXnBJr\WRQDouwL.png.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /query /FO CSV /v
  2⤵
  PID:1256
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /F /create /sc minute /mo 4 /TN "S0VbakBTUpq" /ST 07:00 /TR "wscript /nologo /E:vbscript c:\users\Admin\AppData\Roaming\\VbakBTUpq\shqVGnPC.rock"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2192

C:\Windows\system32\taskeng.exe
taskeng.exe {44CE039F-5374-4F27-9BED-B7B9608C5476} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE /nologo /E:vbscript c:\users\Admin\AppData\Roaming\\VbakBTUpq\shqVGnPC.rock
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file shqVGnPC.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6d2cfc3695dbaa8cc46ff9a186d84b06

SHA1
fe71eaf3d0424e58734e96357b9cd216887ae8e2

SHA256
d5142c19cd08e221f831bb6dd4c0aff32e7613f475c2e9069a380210ad0ebd94

SHA512
30f0b9efd439062b8a0b7df5aeb1a9f51f39b8c4bc6f25847036a72f4911333eb22ee7de10e601a3876de9468d668f410b5545e5018a0dba30c85e0e4d871c28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DDQ977SNWBS5RYXJHZPS.temp

Filesize
7KB

MD5
2f6d6e3fae3d019bcc3c6e974f8a3e13

SHA1
5375f93a3d7529d531b348d2daece14172d4fa2c

SHA256
5c7d78ac2a971e5ec7d72a137ae36a7fbed55704a8eb50753656653de6b58bd6

SHA512
b1e346f8200b8f71497a6fe5f1b82a96c46f789d46c33f0af117e48804027683c6a9eeecc7e54036f1458b7499790ec1286f367fd2e6d93891a52ae29080b81e

Download Submit
\??\c:\users\Admin\AppData\Roaming\VbakBTUpq\shqVGnPC.rock

Filesize
930B

MD5
f218d9342205ba79307cf297bc28d05f

SHA1
45bd3f9c141d4776a2a3968f543b38e359dba570

SHA256
095cc135ff5238a4f0fa7b21344ff8187559da82409a850075bec0e251342737

SHA512
2294b692b875e824ac41a22c2cead7175f87afb434224e116f7f30f861b384351015b5a97ed697ba4368acbdbcf37bc871c9959afc56430c76265c7aef929f32

Download Submit
memory/1440-20-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1440-21-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/1868-4-0x000007FEF56EE000-0x000007FEF56EF000-memory.dmp

Filesize
4KB

Download
memory/1868-5-0x000000001B840000-0x000000001BB22000-memory.dmp

Filesize
2.9MB

Download
memory/1868-6-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/1868-7-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/1868-8-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/1868-9-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download
memory/1868-13-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads