e05a116bf80f3d77481a9962caa9d0d8544f287dfd6b6c865054e8ea9c9f6826

Analysis

max time kernel
43s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-09-2022 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Good.ps1
Size

1KB
MD5

f352e9ea5b48e556410878e8204434f5
SHA1

3e6be512bdf272021faf840ce76d149631c322f5
SHA256

e05a116bf80f3d77481a9962caa9d0d8544f287dfd6b6c865054e8ea9c9f6826
SHA512

8d08c60a887dec659abfae2f10fadb426640d3e3a56394b18b382dd0c43759c6dd7504f6fe17a720cd7c412bf6f97ae8f9fb0940ee11b3a64891446218444b21

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1956 powershell.exe
1956 powershell.exe
1956 powershell.exe
2024 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1956 powershell.exe
Token: SeDebugPrivilege 2024 powershell.exe

pid	process
1956	powershell.exe
1956	powershell.exe
1956	powershell.exe
2024	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

powershell.execmd.exe

description	pid	process	target process
PID 1956 wrote to memory of 1364	1956	powershell.exe	cmd.exe
PID 1956 wrote to memory of 1364	1956	powershell.exe	cmd.exe
PID 1956 wrote to memory of 1364	1956	powershell.exe	cmd.exe
PID 1364 wrote to memory of 2024	1364	cmd.exe	powershell.exe
PID 1364 wrote to memory of 2024	1364	cmd.exe	powershell.exe
PID 1364 wrote to memory of 2024	1364	cmd.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Good.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell < C:\Users\Admin\AppData\Roaming/educational.png
2⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
5724d55d086a3ab9f6a9b9528af9ec69

SHA1
27ef22d19054b9576aad1b4ca505603268d6765f

SHA256
198d5ecacc1735580cc34e63272ec51fee6a2c3aa29a3673c8695ab7c2ed09f9

SHA512
eab7c79f214c7455e2678ae8c9974a4d3c2e65198c5e6545244dd9d197f9e77f92bdd8793a1a5e0e5d03bd2d099a856e18cbd9ef339102cda23d04208d9f3b02

Download Submit
C:\Users\Admin\AppData\Roaming\educational.png
Filesize
251B

MD5
292374cd21675135acb516497a730fd9

SHA1
f6e019093fc9a0952b7ae2c536b0b9f37071d0bf

SHA256
86cf5e4e86c0aae75158c04e13051275c341af7bf54b7a7cd49eced95d21b1b0

SHA512
491623e21d1740e234925bf0d1df1ac6402404bbcbad1d3e926ebdca0eeb55e1ab2322d38c7501f28b0a8deda853e087bfc22f34ca9b63995428ba8a3c03da32

Download Submit
memory/1364-58-0x0000000000000000-mapping.dmp

Download
memory/1956-55-0x000007FEF3410000-0x000007FEF3E33000-memory.dmp

Filesize
10.1MB

Download
memory/1956-56-0x000007FEF28B0000-0x000007FEF340D000-memory.dmp

Filesize
11.4MB

Download
memory/1956-57-0x0000000002694000-0x0000000002697000-memory.dmp

Filesize
12KB

Download
memory/1956-59-0x0000000002694000-0x0000000002697000-memory.dmp

Filesize
12KB

Download
memory/1956-60-0x000000000269B000-0x00000000026BA000-memory.dmp

Filesize
124KB

Download
memory/1956-54-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/2024-62-0x0000000000000000-mapping.dmp

Download
memory/2024-65-0x000007FEF3DB0000-0x000007FEF47D3000-memory.dmp

Filesize
10.1MB

Download
memory/2024-66-0x00000000029C4000-0x00000000029C7000-memory.dmp

Filesize
12KB

Download
memory/2024-67-0x000007FEF3250000-0x000007FEF3DAD000-memory.dmp

Filesize
11.4MB

Download
memory/2024-68-0x000000001B860000-0x000000001BB5F000-memory.dmp

Filesize
3.0MB

Download
memory/2024-69-0x00000000029CB000-0x00000000029EA000-memory.dmp

Filesize
124KB

Download
memory/2024-70-0x00000000029C4000-0x00000000029C7000-memory.dmp

Filesize
12KB

Download
memory/2024-71-0x00000000029CB000-0x00000000029EA000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads