Analysis
-
max time kernel
42s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
24-11-2022 15:47
Behavioral task
behavioral1
Sample
run.ps1
Resource
win7-20220812-en
windows7-x64
4 signatures
150 seconds
General
-
Target
run.ps1
-
Size
116B
-
MD5
a7ace018fd3f518bc419f7e211609e01
-
SHA1
deaed741f50f27d7a60a34b83cef84f905e0569f
-
SHA256
01fda517b82e9a91c0269977ce1bf177850811b2861b399d2fb4a5e45095cfc6
-
SHA512
7920e3c2fd54f821b44b778512bd031cfb2ffddd5ba36f89f0b04650ad610eb6ff0cf506111bc81328ca0746f3472506649fe9d48b1c26401cdd771f423c7b51
Malware Config
Signatures
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid   process
1492  powershell.exe
1492  powershell.exe
1492  powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1492  powershell.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description                       pid   process         target process
PID 1492 wrote to memory of 1712  1492  powershell.exe  RUNDLL32.EXE
PID 1492 wrote to memory of 1712  1492  powershell.exe  RUNDLL32.EXE
PID 1492 wrote to memory of 1712  1492  powershell.exe  RUNDLL32.EXE
PID 1712 wrote to memory of 1984  1712  RUNDLL32.EXE    rundll32.exe
PID 1712 wrote to memory of 1984  1712  RUNDLL32.EXE    rundll32.exe
PID 1712 wrote to memory of 1984  1712  RUNDLL32.EXE    rundll32.exe
PID 1712 wrote to memory of 1984  1712  RUNDLL32.EXE    rundll32.exe
PID 1712 wrote to memory of 1984  1712  RUNDLL32.EXE    rundll32.exe
PID 1712 wrote to memory of 1984  1712  RUNDLL32.EXE    rundll32.exe
PID 1712 wrote to memory of 1984  1712  RUNDLL32.EXE    rundll32.exe
Processes
-
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1492
  - C:\Windows\System32\RUNDLL32.EXE
    Command line: "C:\Windows\System32\RUNDLL32.EXE" C:\Users\Admin\AppData\Local\Temp\x.dll,s
    - Suspicious use of WriteProcessMemory
    PID: 1712
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\RUNDLL32.EXE" C:\Users\Admin\AppData\Local\Temp\x.dll,s
      PID: 1984