ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb

General

Target

ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb.ps1
Size

2.1MB
MD5

f98a96a1061e03b2b06ce6092947351b
SHA1

60fb05ecf864e0c716473876b6bb47605dae047c
SHA256

ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb
SHA512

9395ae433da87e28cb6a9d9d16d5d814aa2b39d6d7b568d548c8705f673e001cfd3578e8b729c1c5b7d429049edb6609a502d949627ad28af34ba4065f675220
SSDEEP

6144:DcVzJb1d4aU/hQVBJ2A7Is2Csr1Y5mH9OdHUb3ngoq:O

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2148	powershell.exe
1956	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2148	powershell.exe
1956	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2760	2640	taskeng.exe	34
PID 2640 wrote to memory of 2760	2640	taskeng.exe	34
PID 2640 wrote to memory of 2760	2640	taskeng.exe	34
PID 2760 wrote to memory of 604	2760	WScript.exe	35
PID 2760 wrote to memory of 604	2760	WScript.exe	35
PID 2760 wrote to memory of 604	2760	WScript.exe	35
PID 604 wrote to memory of 1956	604	cmd.exe	37
PID 604 wrote to memory of 1956	604	cmd.exe	37
PID 604 wrote to memory of 1956	604	cmd.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ef894d940115b4382997954bf79c1c8272b24ee479efc93d1b0b649133a457cb.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\taskeng.exe
taskeng.exe {DF34B783-1465-4938-BF60-02F39F97A15D} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Public\roox.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Users\Public\roox.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\roox.ps1'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2a5da77cd30018ec7a520f2dc50c1a4b

SHA1
20fd797afed3104c32b6de06eb0c3da2875fa809

SHA256
ecc8a325ab6ffaebf06a170c4e8d64405e629091795de46f134265845699123c

SHA512
6c06d4138204d2c3e4706c66e92c6949f8989834e4703e09cfd3efa27b3138155bc41dc0ab82756c43e2851ae8844bdf708a9b5518c7828b10c8c306d50d2cd9

Download Submit
C:\Users\Public\roox.bat

Filesize
189B

MD5
252132ac509819fd013a4f235964aa56

SHA1
c4b9f8acd8aa446c777c3adbc7b79f81bb1df490

SHA256
9018a2f6018b6948fc134490c3fb93c945f10d89652db7d8491a98790d001c1e

SHA512
1927902c952da4490368257545c13b1899c46e9f3b30b99da5b947b0ebde8411639f5e3a53b7e1c62707df6e7fe86d025b5e784b6c66fa103fe22e39df559327

Download Submit
C:\Users\Public\roox.ps1

Filesize
2.1MB

MD5
fa225e2185f1db6b6097273df65e3dc4

SHA1
5638bedfb96a6124cdf726dc051ba7828f6bef0e

SHA256
ac05a1ec83c7c36f77dec929781dd2dae7151e9ce00f0535f67fcdb92c4f81d9

SHA512
b5ea9d4c6ec1043c23196323e0ceb282dbb3ce3f6c4d7880b6061d381089be48bab0c4ad678f0ee88849e94e37973cf94851eba18945551c421babde5c494b99

Download Submit
C:\Users\Public\roox.vbs

Filesize
659B

MD5
d0e4524918bde99e070e852de31893ea

SHA1
ae662b541d2df77df3d3068f7e4fbb60320af469

SHA256
d50cfca93637af25dc6720ebf40d54eec874004776b6bc385d544561748c2ffc

SHA512
07a54d952346cb579e58f5578713bd564a79028b7453c33d4763ed13fbf918432b536d35a7be4a1967ec428e529fe88a9a5ae97ba903da455e6d97f79951e3aa

Download Submit
memory/1956-24-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/1956-23-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2148-7-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-14-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-15-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-9-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-10-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-8-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-4-0x000007FEF5E7E000-0x000007FEF5E7F000-memory.dmp

Filesize
4KB

Download
memory/2148-6-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2148-5-0x000000001B820000-0x000000001BB02000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing