Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 24-12-2024 11:35
Static task: static1
Behavioral task behavioral1: Sample 1.ps1, Resource win7-20240903-en
Behavioral task behavioral2: Sample 1.ps1, Resource win10v2004-20241007-en
Behavioral task behavioral3: Sample 2.ps1, Resource win7-20240708-en
Behavioral task behavioral4: Sample 2.ps1, Resource win10v2004-20241007-en
The signatures, process tree and downloads below are from the win7-20240903-en run of 1.ps1 (behavioral1), as the platform and resource fields above indicate.
General
- Target: 1.ps1
- Size: 257KB
- MD5: fa9de551f6fd38a4b04e3207e08e846c
- SHA1: 2ef8eb4e82ce9f52e5fa61e04fec1f9b92230903
- SHA256: f8dae9c1f9c629a6811c6b2fc648b8f952a0331a1d5c04005808b4daeeae93fb
- SHA512: ed8024a8279f3ac1a4d4b3be7214b9ec0d429a7228ea126e298034c4952e0ce048f7c83d4e0aab0760701653a0a77aea82cd94ae5b59161cae811a93c212c3ce
- SSDEEP: 6144:JRQRmeIR/ENCsOFAjL3vTV8MG0NsPSSzQw6ACnfRFG5jS:zXiL7XvLw6Ak6W
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is WmiPrvSE.exe, the WMI provider host. A process whose parent is WmiPrvSE.exe was normally created through WMI (for example Win32_Process.Create) rather than by a direct CreateProcess call, so the launch is detached from the visible chain of the first PowerShell run; that is why pOwErshEll.exe (PID 2620) shows up as a second root in the process tree below rather than as a child of PID 2376 or its descendants.
- description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; pid 2620, pid_target 2776 (wmiprvse.exe), Process pOwErshEll.exe, procid_target 34
Command and Scripting Interpreter: PowerShell 4 IoCs
- pid 2376 powershell.exe
- pid 2732 powershell.exe
- pid 2620 pOwErshEll.exe
- pid 1632 powershell.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
In this run the hijack is written with two REG ADD commands (reg.exe PIDs 560 and 1316 in the process tree): a CLSID key under HKCU\Software\Classes\CLSID, then an InProcServer32 default value pointing at C:\IDontExist.dll. HKCU\Software\Classes is merged over HKLM\Software\Classes with the per-user entry taking precedence, so a per-user InProcServer32 redirects every activation of that CLSID in the user's session to the named DLL without requiring administrator rights. Nothing on this page shows C:\IDontExist.dll being written, so in this run the registration points at a file that is not present.
Drops file in System32 directory 2 IoCs
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk, Process pOwErshEll.exe
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk, Process powershell.exe
Caveat: the path is the Windows PowerShell Start Menu shortcut with %ProgramData% left unexpanded and resolved relative to the System32 working directory. It is the console's own .lnk being touched when PowerShell starts, not a payload written into System32, and this tag appears on ordinary PowerShell runs as well.
Modifies registry class 4 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}, Process reg.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\ , Process reg.exe
- Key created: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32, Process reg.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll", Process reg.exe
The \REGISTRY\USER\<SID>_CLASSES hive is the per-user classes hive (UsrClass.dat), which is what HKCU\Software\Classes maps to; when hunting for this on other users' profiles, check HKU\<SID>_Classes for each loaded profile rather than only the current user's HKCU.
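A read-only audit for the registration pattern recorded above, written by the editor as an added example (it is not part of the sandbox report or of the sample): enumerate per-user CLSID keys and flag any InProcServer32 that names a missing DLL, a DLL outside the normal system locations, or a CLSID that also exists under HKLM and is therefore being shadowed. The hive paths and the list of trusted directory roots are parameters and are assumptions; the only value taken from the report is the CLSID written by its two REG ADD commands.

```powershell
# Added example (editor's, not from the report or the sample). Audits HKCU\Software\Classes\CLSID
# for InProcServer32 values that look like a COM hijack. HKCU\Software\Classes is merged over
# HKLM\Software\Classes with HKCU winning, so a per-user InProcServer32 that shadows a
# machine-wide CLSID, or that names a missing or non-system DLL, is the usual shape of a hijack.
function Get-ComHijackCandidate {
    [CmdletBinding()]
    param(
        [string]$UserHive    = 'HKCU:\Software\Classes\CLSID',   # assumption: current user only
        [string]$MachineHive = 'HKLM:\Software\Classes\CLSID',
        # Directories a legitimate in-process COM server is normally loaded from (assumption).
        [string[]]$TrustedRoot = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:CommonProgramFiles),
        # CLSID written by the report's REG ADD commands.
        [string[]]$KnownIoc = @('{fdb00e52-a214-4aa1-8fba-4357bb0072ec}')
    )

    $roots = @($TrustedRoot | Where-Object { -not [string]::IsNullOrWhiteSpace($_) })
    if (-not (Test-Path -LiteralPath $UserHive)) { return }

    foreach ($key in Get-ChildItem -LiteralPath $UserHive -ErrorAction SilentlyContinue) {
        $clsid     = $key.PSChildName
        $serverKey = Join-Path -Path $key.PSPath -ChildPath 'InProcServer32'
        if (-not (Test-Path -LiteralPath $serverKey)) { continue }

        # The server DLL is the key's default value, which is what "REG ADD ... /ve" sets.
        $raw = (Get-ItemProperty -LiteralPath $serverKey -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }

        # Expand %SystemRoot%-style references, strip quotes, and resolve bare file names
        # against System32 and SysWOW64, which is where legitimate bare-name servers live.
        $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
        if (-not [IO.Path]::IsPathRooted($dll)) {
            $found = @("$env:SystemRoot\System32\$dll", "$env:SystemRoot\SysWOW64\$dll") |
                Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } | Select-Object -First 1
            if ($found) { $dll = $found }
        }

        $exists  = Test-Path -LiteralPath $dll -PathType Leaf
        $trusted = [bool]($roots | Where-Object { $dll.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
        $shadows = Test-Path -LiteralPath (Join-Path -Path $MachineHive -ChildPath $clsid)

        $reasons = @()
        if (-not $exists)               { $reasons += 'dll-missing' }
        if ($exists -and -not $trusted) { $reasons += 'dll-outside-trusted-roots' }
        if ($shadows)                   { $reasons += 'shadows-HKLM-clsid' }
        if ($KnownIoc -contains $clsid) { $reasons += 'matches-report-ioc' }
        if ($reasons.Count -eq 0) { continue }

        [pscustomobject]@{
            CLSID          = $clsid
            InProcServer32 = $raw
            ResolvedPath   = $dll
            Exists         = $exists
            ShadowsHKLM    = $shadows
            Reason         = ($reasons -join ',')
        }
    }
}

# Usage: list candidates; the commented line removes a confirmed per-user hijack. The key only
# exists in HKCU, so deleting it restores whatever HKLM registers for that CLSID.
Get-ComHijackCandidate | Format-Table -AutoSize
# Get-ComHijackCandidate | Where-Object Reason -like '*matches-report-ioc*' |
#     ForEach-Object { Remove-Item -LiteralPath "HKCU:\Software\Classes\CLSID\$($_.CLSID)" -Recurse }
```

On a host where the report's two REG ADD commands have run, the function returns the {fdb00e52-...} entry with at least dll-missing and matches-report-ioc in Reason, plus shadows-HKLM-clsid if the machine hive also registers that CLSID. Treat dll-missing as a lead rather than a verdict: a registration pointing at a file that is absent today can be armed later by dropping the DLL, and a bare file name that is not in System32 or SysWOW64 will also be reported as missing even if the loader would find it elsewhere on the search path.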
Modifies registry key 1 TTPs 2 IoCs
- pid 560 reg.exe
- pid 1316 reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
- pid 2376 powershell.exe
- pid 2732 powershell.exe
- pid 2620 pOwErshEll.exe
- pid 1632 powershell.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
- Token: SeDebugPrivilege, pid 2376 powershell.exe
- Token: SeDebugPrivilege, pid 2732 powershell.exe
- Token: SeDebugPrivilege, pid 2620 pOwErshEll.exe
- Token: SeDebugPrivilege, pid 1632 powershell.exe
Both of these tags fire on practically every PowerShell process, including benign ones, so on their own they carry little weight here; the registry writes and the WMI-launched second chain are the substantive findings.
Suspicious use of WriteProcessMemory 21 IoCs
Every pair below appears three times in the raw log (21 entries for 7 distinct parent/child pairs); each is listed once with its count. Child image names are taken from the process tree.
- PID 2376 powershell.exe wrote to memory of 2732 (powershell.exe), procid_target 32, x3
- PID 2732 powershell.exe wrote to memory of 2936 (WScript.exe), procid_target 33, x3
- PID 2620 pOwErshEll.exe wrote to memory of 2708 (cmd.exe), procid_target 37, x3
- PID 2708 cmd.exe wrote to memory of 560 (reg.exe), procid_target 38, x3
- PID 2708 cmd.exe wrote to memory of 1316 (reg.exe), procid_target 39, x3
- PID 2708 cmd.exe wrote to memory of 1104 (cmd.exe), procid_target 40, x3
- PID 1104 cmd.exe wrote to memory of 1632 (powershell.exe), procid_target 41, x3
Processes
Two separate trees: the submitted script (PID 2376) and, detached from it via WmiPrvSE.exe, a second PowerShell (PID 2620) that runs the dropped .bat and performs the registry writes. Indentation shows parent/child depth.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2376)
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\1.ps1
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2732)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\ZVRWWLCFPWDOBNVCDRSFZL.ps1'"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\WScript.exe (PID 2936)
          "C:\Windows\System32\WScript.exe" "C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\ZVRWWLCFPWDOBNVCDRSFZL.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\pOwErshEll.exe (PID 2620, parent wmiprvse.exe PID 2776)
  pOwErshEll -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\ZVRWWLCFPWDOBNVCDRSFZL.bat
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (PID 2708)
      cmd /c ""C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\ZVRWWLCFPWDOBNVCDRSFZL.bat""
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\reg.exe (PID 560)
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
          - Modifies registry class
          - Modifies registry key
        C:\Windows\system32\reg.exe (PID 1316)
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
          - Modifies registry class
          - Modifies registry key
        C:\Windows\system32\cmd.exe (PID 1104)
          cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\BOHRRCBYGXGIFDRSIXWFDC.ps1'"
          - Suspicious use of WriteProcessMemory
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1632)
              PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\BOHRRCBYGXGIFDRSIXWFDC.ps1'"
              - Command and Scripting Interpreter: PowerShell
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

Notes on the command lines:
- The .bat stage is launched as a PowerShell -Command argument; PowerShell hands the batch file to cmd.exe, which is why cmd /c ""...bat"" (PID 2708) sits under pOwErshEll.exe rather than under the WMI host directly.
- PID 1104 obfuscates the command names rather than the arguments: mixed case (cMd, PoWerShelL), quotes inserted inside the names (cMd.E"x"e, PoWerShelL"."eXe), which cmd strips when resolving the executable, and a leading = before the PowerShell name, which cmd treats as a token delimiter and skips. Abbreviated mixed-case switches (-noP, -WIn hIdDen, -ep ByPaSs) are the same idea applied to the arguments. The child at PID 1632 shows the name was resolved and run as powershell.exe, so detections keyed on exact strings such as "powershell.exe -ExecutionPolicy Bypass" miss this launch; match on the resolved image path and parsed arguments instead.
Network
MITRE ATT&CK Enterprise v15
Downloads
The first four entries have no path recorded on the page.
-
Filesize 249KB
MD5 2a885e95eed0618751d77924d91343e8
SHA1 569268f7fcb9e4106811fa961abc343c06ae31f2
SHA256 7df6b8f4fd39e4503a96e5971a1d4a568f7e4d4ad789c8d822191a79f9453a6a
SHA512 5c439ae8deedf7a3339920c540c0a1b4d04c603978844553184c3db9fda4550888f94bfe7df0a89a00261795900a78f902a8a06ce7db0305551d268d2cbe64dc
-
Filesize 693B
MD5 fe1271b4137a989c4d9021e549a70d3d
SHA1 b70151e479298f4d70392d6b51e21c36fddc4374
SHA256 e1690ba66bce1265e73be22baf3b29ec96054f3a766698baac27202aede8abb6
SHA512 e933cfd3a510035664b849080aa2c2e1c12918b024a0ffef772563b518bc911f8c9bdca224ded560678519198ebfd3e06e5515e4c4aecd3617dc4c199f626ad7
-
Filesize 3KB
MD5 339453f9cb54562220aba7f8fcae040c
SHA1 d868eefada015f4892a88e7205e09ddd9da647a4
SHA256 f5b34b456329ccdeeca89791a6807d270e2d805af5b11a24bb6c227635453a45
SHA512 75ae607f2bf4e677ef5a68882e6bae9aa3810044190191d008911dd1790f8a7f486f1ae686482d523b8e65bd2372451bebf63fe508c60a5afed74923e0e46b96
-
Filesize 1KB
MD5 4d123e5a4ac35d53aa15d7d577807309
SHA1 d689facafa48e00f7882cc10cb8266e4c8359fc5
SHA256 556c63a874e38c562ff8e252aa1b4718c62692058005e56b69e04670ecee3a11
SHA512 06de0adae18cd2fcb8cebc4ec23fda28aa1b28d1a8c74d72bf7bb56ead29dc3736d486fbd3dd864a2c8b895a207a4c4f3f5cf1c1e7d825048a0a7d26d6106988
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 23e4e9b5d8f209bd4e2697e1a7fbe834
SHA1 7e9a5348dea78f6b3745427a175874b1e053f385
SHA256 dd9dd0984d91e41c92cacb15303d13806f14a9a7db881381ce4f63f25ff95872
SHA512 8ce2e177d304b96bb5af9636d738af8aed47d679eb045344572790bf66f958c5ba37c0f6676388ebe2fac4697774dbdd8af87e176fc4ae37ca32d102505b9d28
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 db8cafcbe0413b350e7b0bb0e1bc4a05
SHA1 1bb5b9c14685fc51bfcc085ed079dbe58f791c41
SHA256 205e7686084c3209b6540dd942e52b1db3ea6490cb7a95e28bb877fd611bf001
SHA512 32053d6588c9c209194054a6cb752fb3b7962a14c988341cba62ad07dd7d82b82e40320d8224e7e1d235aabc6a19f002eac84b5ac5d3889dc4492f68248e3650
The two customDestinations-ms entries are the PowerShell console's jump-list file under the user's Recent folder, rewritten as PowerShell runs; they are a side effect of the execution, not a dropped payload, and are listed twice because their content changed between captures.