8a66f7bf189f984691367d3cab7c59c69ccdc4d1dcdf72bce2d751f5c62cb89e

General

Target

trigger.ps1
Size

32B
MD5

729c74cc2a550d64e3e91d1211f55e67
SHA1

e3a34176b9df0cf5282c8fe37efa47f1a8827e60
SHA256

8a66f7bf189f984691367d3cab7c59c69ccdc4d1dcdf72bce2d751f5c62cb89e
SHA512

cc6ff58605a04636689dfdcaa7d06d0cf2b77e74fc721196d37420181dd4d6f692ce8c8be1e68c15e37eab5dcae1fc81c4600aeb40c98924939ba3a7ddb0ba21

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	4140	powershell.exe
21	4140	powershell.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
47	228	Process not Found
21	4140	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1000	updater.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4140	powershell.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2448	1000	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
112	MicrosoftEdgeUpdate.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4140	powershell.exe
4140	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4140	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 1000	4140	powershell.exe	95
PID 4140 wrote to memory of 1000	4140	powershell.exe	95
PID 4140 wrote to memory of 1000	4140	powershell.exe	95

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\trigger.ps1
1⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Users\Admin\AppData\Local\3792df6c-137e-4fd3-b397-6ac6e27786ec\updater.exe
  "C:\Users\Admin\AppData\Local\3792df6c-137e-4fd3-b397-6ac6e27786ec\updater.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 304
    3⤵
    - Program crash
    PID:2448

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NTFEODZBNDYtNTFFQi00NjlFLUIzRTEtRjE3QTZFMERFMjYwfSIgdXNlcmlkPSJ7NTY0ODEzRjctMDFFRS00MkJBLUE0QjktRjM0NkQ3MThBOUYwfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7N0NFQTNEQUItMjJBMS00QkJELThCRjktODZBNjMxNzI5Q0E0fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjEwMjAyOTEzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1000 -ip 1000
1⤵
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3792df6c-137e-4fd3-b397-6ac6e27786ec\updater.exe

Filesize
3.2MB

MD5
c1ab7781370290e0f7d8ea98705e8c84

SHA1
bf2cc6fe244d17f05d0185d17758fd726562afee

SHA256
17bc5b41b35d894b37224e5daa66e2c7326e10a8309e299af122c6602afc953e

SHA512
f28465ca2cad0c3476a867acad8f2d530fcddf8aaa83f5003566781e727846192a5519fce89d597d20b9291e8b462f4c34124ce6cfca95387b7547368892f37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bepychqj.2s4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1000-83-0x00000000009D0000-0x0000000000E63000-memory.dmp

Filesize
4.6MB

Download
memory/1000-80-0x0000000000E21000-0x0000000000E22000-memory.dmp

Filesize
4KB

Download
memory/1000-79-0x00000000009D0000-0x0000000000E63000-memory.dmp

Filesize
4.6MB

Download
memory/1000-78-0x0000000000E21000-0x0000000000E22000-memory.dmp

Filesize
4KB

Download
memory/1000-77-0x00000000009D0000-0x0000000000E63000-memory.dmp

Filesize
4.6MB

Download
memory/4140-11-0x00007FFD23370000-0x00007FFD23E31000-memory.dmp

Filesize
10.8MB

Download
memory/4140-16-0x00007FFD23370000-0x00007FFD23E31000-memory.dmp

Filesize
10.8MB

Download
memory/4140-15-0x00007FFD23373000-0x00007FFD23375000-memory.dmp

Filesize
8KB

Download
memory/4140-13-0x000001DFEE740000-0x000001DFEEEE6000-memory.dmp

Filesize
7.6MB

Download
memory/4140-12-0x00007FFD23370000-0x00007FFD23E31000-memory.dmp

Filesize
10.8MB

Download
memory/4140-0-0x00007FFD23373000-0x00007FFD23375000-memory.dmp

Filesize
8KB

Download
memory/4140-10-0x000001DFEDB60000-0x000001DFEDB82000-memory.dmp

Filesize
136KB

Download
memory/4140-86-0x00007FFD23370000-0x00007FFD23E31000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing