Analysis
max time kernel: 145s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 15:47
Behavioral task: behavioral1
Sample: run.ps1
Resource: win7-20220812-en (windows7-x64)
4 signatures
150 seconds
General
Target: run.ps1
Size: 116B
MD5: a7ace018fd3f518bc419f7e211609e01
SHA1: deaed741f50f27d7a60a34b83cef84f905e0569f
SHA256: 01fda517b82e9a91c0269977ce1bf177850811b2861b399d2fb4a5e45095cfc6
SHA512: 7920e3c2fd54f821b44b778512bd031cfb2ffddd5ba36f89f0b04650ad610eb6ff0cf506111bc81328ca0746f3472506649fe9d48b1c26401cdd771f423c7b51
Malware Config
Signatures
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4904  powershell.exe
  4904  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4904  powershell.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description                        pid   Process         procid_target
  PID 4904 wrote to memory of 4864   4904  powershell.exe  83
  PID 4904 wrote to memory of 4864   4904  powershell.exe  83
  PID 4864 wrote to memory of 2244   4864  RUNDLL32.EXE    84
  PID 4864 wrote to memory of 2244   4864  RUNDLL32.EXE    84
  PID 4864 wrote to memory of 2244   4864  RUNDLL32.EXE    84
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4904
  - C:\Windows\System32\RUNDLL32.EXE
    Command line: "C:\Windows\System32\RUNDLL32.EXE" C:\Users\Admin\AppData\Local\Temp\x.dll,s
    - Suspicious use of WriteProcessMemory
    PID: 4864
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\RUNDLL32.EXE" C:\Users\Admin\AppData\Local\Temp\x.dll,s
      PID: 2244