e20d63d82415c54f408d750f77b1442b4540e1e7eca70cc5e77fc06a093a1eec

General

Target

WRQDouwL.png.ps1
Size

304KB
MD5

803d84838415f3c36742821f70203a8f
SHA1

e3b4bc28676f9f1c2c71fff706d240e9557df75e
SHA256

e20d63d82415c54f408d750f77b1442b4540e1e7eca70cc5e77fc06a093a1eec
SHA512

e083ed91c0eb5316d12ba090f2c14ed8a01075ebbb25a47f1f30ef56bf9877556aebb9e12ea0d39ef7ff5fcfd98e43c6c4fdb828936264e5abe75f2620277000
SSDEEP

1536:xoXGg/lCHSnPiCqoUZRCHJt50IRNGTRwOs3iFXO57fEPmjwl3Fo5+w5vKBx9SG0W:fmmp

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
2448	powershell.exe
1208	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
2440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
2448	powershell.exe
2448	powershell.exe
2448	powershell.exe
1208	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

powershell.exetaskeng.exewscript.EXE

description	pid	Process	procid_target
PID 2448 wrote to memory of 2212	2448	powershell.exe	31
PID 2448 wrote to memory of 2212	2448	powershell.exe	31
PID 2448 wrote to memory of 2212	2448	powershell.exe	31
PID 2448 wrote to memory of 2440	2448	powershell.exe	32
PID 2448 wrote to memory of 2440	2448	powershell.exe	32
PID 2448 wrote to memory of 2440	2448	powershell.exe	32
PID 1512 wrote to memory of 1328	1512	taskeng.exe	37
PID 1512 wrote to memory of 1328	1512	taskeng.exe	37
PID 1512 wrote to memory of 1328	1512	taskeng.exe	37
PID 1328 wrote to memory of 1208	1328	wscript.EXE	38
PID 1328 wrote to memory of 1208	1328	wscript.EXE	38
PID 1328 wrote to memory of 1208	1328	wscript.EXE	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\WRQDouwL.png.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /query /FO CSV /v
  2⤵
  PID:2212
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /F /create /sc minute /mo 4 /TN "S0HLlICQiDY" /ST 07:00 /TR "wscript /nologo /E:vbscript c:\users\Admin\AppData\Roaming\\HLlICQiDY\pkuriTKg.rock"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2440

C:\Windows\system32\taskeng.exe
taskeng.exe {AD22BF1A-524D-4E91-8327-AF599FC537BA} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\system32\wscript.EXE
  C:\Windows\system32\wscript.EXE /nologo /E:vbscript c:\users\Admin\AppData\Roaming\\HLlICQiDY\pkuriTKg.rock
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file pkuriTKg.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1CMDU26K91TTNK1PYMMJ.temp

Filesize
7KB

MD5
1a829144164abf79689a93c828d8b951

SHA1
fd43946fec5b076b6fc580a9c6c2ce919610dcf9

SHA256
c59e68b94a418cfbcc99b5adf4e7d58948ed56b9bcba31233e27a7608efd9509

SHA512
4136cd4ecd101454bd936d77c902bf8eac4b6ac768d78fdd84a0635ad75757e56020c0a11790b835e4b6b762eedf696f8d5c58fc1f8e66be7d1a88b326e09dfd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
25ef21e8517b73ddf7f4929b64183c90

SHA1
e2c582ca1ae7e559c995bd7021bbca246e620e60

SHA256
f2a5325b83732b863f6639ed82e17e5d0da0a98d33b057a708bfb3d477a058d0

SHA512
b0db2028138bb245e65212c0d0226e9691cd69d8248a57872ab9f4420bb4d7c9ec4f48eded517fa33a331702fb97b9fe35d266b6604a532729315e3563e691b5

Download Submit
\??\c:\users\Admin\AppData\Roaming\HLlICQiDY\pkuriTKg.rock

Filesize
930B

MD5
66ce7ee46668369006d6dc773799218a

SHA1
61023bb4658deb02ed9464b1d0bcb524c244094d

SHA256
22f7a97e06f275105ad57dc50fa86d6697bfc98d3f031eeb6cbefdd3b3c74cb8

SHA512
b72e2ecd3f5e13153090e368e2d3292055d16db40ab6694e3570db5829586dc1e76faf894b1d592f4feed3edd9effbbcfcea6a942daf493e486d6f9f3c2304b0

Download Submit
memory/1208-23-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/1208-22-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2448-7-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/2448-9-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/2448-11-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/2448-15-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/2448-10-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/2448-8-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/2448-4-0x000007FEF5A1E000-0x000007FEF5A1F000-memory.dmp

Filesize
4KB

Download
memory/2448-6-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2448-5-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads