69a6d16e563e335bad162c6750c0ce1807bb96ce12e54bc43af19f6458a0a791

General

Target

dollar1.ps1
Size

510KB
MD5

c42d82bfd897477aad6221016be9d6fa
SHA1

af3505c7bda32a32cff69f3afc4c676856d377cc
SHA256

1308763f21e50778f78dd3fd05b61367341cb52c7ca1b411a0d18610b20c9ede
SHA512

f1262f4c95aa5a853ce1f4d1d069c76d6f438c9ba2839cf093472531002c7886a619252be1769d5ebd725e35224e3c2f50bc8ade603ba98216b7ca508894083e
SSDEEP

6144:BHJz/Da4narEcyu0c2slSDp6SGxQ9KH+d2QSQ9OSk/RZSht5C5q+Zbe6gy/3be+c:BHhan0cx2ho4

Score

10^/10

execution

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	1196	Powershell.exe	34

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	Powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
824	powershell.exe
2808	powershell.exe
2360	Powershell.exe
1728	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
824	powershell.exe
2808	powershell.exe
2360	Powershell.exe
1728	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2360	Powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 2808	824	powershell.exe	32
PID 824 wrote to memory of 2808	824	powershell.exe	32
PID 824 wrote to memory of 2808	824	powershell.exe	32
PID 2808 wrote to memory of 2628	2808	powershell.exe	33
PID 2808 wrote to memory of 2628	2808	powershell.exe	33
PID 2808 wrote to memory of 2628	2808	powershell.exe	33
PID 2360 wrote to memory of 1348	2360	Powershell.exe	37
PID 2360 wrote to memory of 1348	2360	Powershell.exe	37
PID 2360 wrote to memory of 1348	2360	Powershell.exe	37
PID 1348 wrote to memory of 1728	1348	cmd.exe	38
PID 1348 wrote to memory of 1728	1348	cmd.exe	38
PID 1348 wrote to memory of 1728	1348	cmd.exe	38

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\dollar1.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\BHRJXGUUAIGNDKYKAISOEU.ps1'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\BHRJXGUUAIGNDKYKAISOEU.vbs"
    3⤵
    PID:2628

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\BHRJXGUUAIGNDKYKAISOEU.bat
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\BHRJXGUUAIGNDKYKAISOEU.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\IHPWKPEVZAFOKFTDEAQASA.ps1'"
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\BHRJXGUUAIGNDKYKAISOEU.bat

Filesize
127B

MD5
267f90e0cee8f697121c7d2fb4adac39

SHA1
1a981c00e56ac26056f82265b121b8b79b518e94

SHA256
bfb6e3e481da85711794dffffeb8e8d73b34654c79d5eb979d0efa5759f72b7a

SHA512
106b386734ed981bf97fcd2fa1d69b455a3aca8e8916624db38b46ebc000b87d4c45db53d35d7c6797232e92cf9c115a441286bc8f408aafe293beba18800661

Download Submit
C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\BHRJXGUUAIGNDKYKAISOEU.ps1

Filesize
457B

MD5
519c80883e516f37113d65dd84a57b10

SHA1
50ba890d7389a025cbfce10f4a48f9f43fbf0f91

SHA256
afc98de9a030e5b9514854f86192cefef755f763f67018e98763e06c920dac20

SHA512
8caebf146421fbe1180384df8a5ff9162aee9c53672b219d5a87804aab8c9713eea7fca2b9b6b139346d0e21b459b89b274aab256d69550d9b858270616f49fc

Download Submit
C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\BHRJXGUUAIGNDKYKAISOEU.vbs

Filesize
3KB

MD5
3cfc71a284fb40178c610cbd49c5129d

SHA1
009788dfe6bc036b6b5bae079bdcbbdd1f12392f

SHA256
5138b8936ea8ce93eb71ad432c42d8699e50b45e3c8003229dff3e35e1dd350e

SHA512
f3cf1cf63ba7d885f936bd357be98a076dbd3f5b13f830e3b227c37619847333c541287ca9194ff64bdbe5f64106d4fb55fc68a7e1ce4bf48bc33ff0c22cea4e

Download Submit
C:\ProgramData\BHRJXGUUAIGNDKYKAISOEU\IHPWKPEVZAFOKFTDEAQASA.ps1

Filesize
501KB

MD5
62e4f84a9a51323b88c640342769d9af

SHA1
45c0d492749726d2795d61f4ba695acf9e2d5a52

SHA256
4a95dfbc8f5c0d0bfd89196601aac0022cf40660133482644b3a3cecb58c8c8c

SHA512
0d8009daa875de4be4fddbf2cd79813572db6b72d5333bdc0173e1597871fce1f5a695ec3d094d7db4c682072f526677131fdf8205e6a969bb2662fafd03de9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1K2P21QSZBQG4I151OUJ.temp

Filesize
7KB

MD5
17244126ac8dde57d3026e05d70c6c30

SHA1
2dbc8193f5da192836b4ec7c56f4daeb2a8d3507

SHA256
21dca91ca1a57422c32ed383173fc846973c2cf857c0198d3c00c0ccea53023a

SHA512
7bfd4b5c56a4c3b34e4a77217120810114e040bf7c08d28e36ac30e78d34795623bf73c60a5ce513fac7c3e621093ea78042d9f7c1c7905b3ce4a26ad884e6f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
16314dee5b16608056c49326e5d68fc9

SHA1
3418c9b33b2c54d7b69a843ce4f39a86ab04c497

SHA256
8636819c3fcbc24db55c49d7f30ed48ec79ea3f3069a93818f009c45cf4a0273

SHA512
b77100d9aecc74d7e21d6e0e090f13934118242e312da823d4b23204af497b56d59e0541f336f2516ad7d7f1673ef80fc879f28bde99d1461441e6f130f2c094

Download Submit
memory/824-8-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download
memory/824-13-0x000007FEF68EE000-0x000007FEF68EF000-memory.dmp

Filesize
4KB

Download
memory/824-14-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download
memory/824-16-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download
memory/824-12-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download
memory/824-9-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download
memory/824-4-0x000007FEF68EE000-0x000007FEF68EF000-memory.dmp

Filesize
4KB

Download
memory/824-7-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download
memory/824-33-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download
memory/824-6-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/824-5-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2808-23-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2808-32-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing