Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-12-2024 11:35

General

  • Target
    1.ps1
  • Size
    257KB
  • MD5
    fa9de551f6fd38a4b04e3207e08e846c
  • SHA1
    2ef8eb4e82ce9f52e5fa61e04fec1f9b92230903
  • SHA256
    f8dae9c1f9c629a6811c6b2fc648b8f952a0331a1d5c04005808b4daeeae93fb
  • SHA512
    ed8024a8279f3ac1a4d4b3be7214b9ec0d429a7228ea126e298034c4952e0ce048f7c83d4e0aab0760701653a0a77aea82cd94ae5b59161cae811a93c212c3ce
  • SSDEEP
    6144:JRQRmeIR/ENCsOFAjL3vTV8MG0NsPSSzQw6ACnfRFG5jS:zXiL7XvLw6Ak6W

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Drops file in System32 directory 2 IoCs
  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\1.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\ZVRWWLCFPWDOBNVCDRSFZL.ps1'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\ZVRWWLCFPWDOBNVCDRSFZL.vbs"
        3⤵
          PID:2936
    • C:\Windows\System32\WindowsPowerShell\v1.0\pOwErshEll.exe
      pOwErshEll -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\ZVRWWLCFPWDOBNVCDRSFZL.bat
      1⤵
      • Process spawned unexpected child process
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\ZVRWWLCFPWDOBNVCDRSFZL.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
          3⤵
          • Modifies registry class
          • Modifies registry key
          PID:560
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
          3⤵
          • Modifies registry class
          • Modifies registry key
          PID:1316
        • C:\Windows\system32\cmd.exe
          cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\BOHRRCBYGXGIFDRSIXWFDC.ps1'"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1104
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\BOHRRCBYGXGIFDRSIXWFDC.ps1'"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1632

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\BOHRRCBYGXGIFDRSIXWFDC.ps1
      Filesize: 249KB
      MD5: 2a885e95eed0618751d77924d91343e8
      SHA1: 569268f7fcb9e4106811fa961abc343c06ae31f2
      SHA256: 7df6b8f4fd39e4503a96e5971a1d4a568f7e4d4ad789c8d822191a79f9453a6a
      SHA512: 5c439ae8deedf7a3339920c540c0a1b4d04c603978844553184c3db9fda4550888f94bfe7df0a89a00261795900a78f902a8a06ce7db0305551d268d2cbe64dc

    • C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\ZVRWWLCFPWDOBNVCDRSFZL.bat
      Filesize: 693B
      MD5: fe1271b4137a989c4d9021e549a70d3d
      SHA1: b70151e479298f4d70392d6b51e21c36fddc4374
      SHA256: e1690ba66bce1265e73be22baf3b29ec96054f3a766698baac27202aede8abb6
      SHA512: e933cfd3a510035664b849080aa2c2e1c12918b024a0ffef772563b518bc911f8c9bdca224ded560678519198ebfd3e06e5515e4c4aecd3617dc4c199f626ad7

    • C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\ZVRWWLCFPWDOBNVCDRSFZL.ps1
      Filesize: 3KB
      MD5: 339453f9cb54562220aba7f8fcae040c
      SHA1: d868eefada015f4892a88e7205e09ddd9da647a4
      SHA256: f5b34b456329ccdeeca89791a6807d270e2d805af5b11a24bb6c227635453a45
      SHA512: 75ae607f2bf4e677ef5a68882e6bae9aa3810044190191d008911dd1790f8a7f486f1ae686482d523b8e65bd2372451bebf63fe508c60a5afed74923e0e46b96

    • C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\ZVRWWLCFPWDOBNVCDRSFZL.vbs
      Filesize: 1KB
      MD5: 4d123e5a4ac35d53aa15d7d577807309
      SHA1: d689facafa48e00f7882cc10cb8266e4c8359fc5
      SHA256: 556c63a874e38c562ff8e252aa1b4718c62692058005e56b69e04670ecee3a11
      SHA512: 06de0adae18cd2fcb8cebc4ec23fda28aa1b28d1a8c74d72bf7bb56ead29dc3736d486fbd3dd864a2c8b895a207a4c4f3f5cf1c1e7d825048a0a7d26d6106988

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize: 7KB
      MD5: 23e4e9b5d8f209bd4e2697e1a7fbe834
      SHA1: 7e9a5348dea78f6b3745427a175874b1e053f385
      SHA256: dd9dd0984d91e41c92cacb15303d13806f14a9a7db881381ce4f63f25ff95872
      SHA512: 8ce2e177d304b96bb5af9636d738af8aed47d679eb045344572790bf66f958c5ba37c0f6676388ebe2fac4697774dbdd8af87e176fc4ae37ca32d102505b9d28

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize: 7KB
      MD5: db8cafcbe0413b350e7b0bb0e1bc4a05
      SHA1: 1bb5b9c14685fc51bfcc085ed079dbe58f791c41
      SHA256: 205e7686084c3209b6540dd942e52b1db3ea6490cb7a95e28bb877fd611bf001
      SHA512: 32053d6588c9c209194054a6cb752fb3b7962a14c988341cba62ad07dd7d82b82e40320d8224e7e1d235aabc6a19f002eac84b5ac5d3889dc4492f68248e3650

    • memory/2376-9-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp
      Filesize: 9.6MB
    • memory/2376-4-0x000007FEF5C7E000-0x000007FEF5C7F000-memory.dmp
      Filesize: 4KB
    • memory/2376-14-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp
      Filesize: 9.6MB
    • memory/2376-15-0x000007FEF5C7E000-0x000007FEF5C7F000-memory.dmp
      Filesize: 4KB
    • memory/2376-16-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp
      Filesize: 9.6MB
    • memory/2376-10-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp
      Filesize: 9.6MB
    • memory/2376-5-0x000000001B730000-0x000000001BA12000-memory.dmp
      Filesize: 2.9MB
    • memory/2376-11-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp
      Filesize: 9.6MB
    • memory/2376-8-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp
      Filesize: 9.6MB
    • memory/2376-7-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp
      Filesize: 9.6MB
    • memory/2376-36-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp
      Filesize: 9.6MB
    • memory/2376-6-0x00000000027E0000-0x00000000027E8000-memory.dmp
      Filesize: 32KB
    • memory/2732-33-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp
      Filesize: 9.6MB
    • memory/2732-24-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp
      Filesize: 9.6MB