Analysis

  • max time kernel
    145s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 15:47

General

  • Target

    run.ps1

  • Size

    116B

  • MD5

    a7ace018fd3f518bc419f7e211609e01

  • SHA1

    deaed741f50f27d7a60a34b83cef84f905e0569f

  • SHA256

    01fda517b82e9a91c0269977ce1bf177850811b2861b399d2fb4a5e45095cfc6

  • SHA512

    7920e3c2fd54f821b44b778512bd031cfb2ffddd5ba36f89f0b04650ad610eb6ff0cf506111bc81328ca0746f3472506649fe9d48b1c26401cdd771f423c7b51

Score
7/10

Malware Config

Signatures

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4904
    • C:\Windows\System32\RUNDLL32.EXE
      "C:\Windows\System32\RUNDLL32.EXE" C:\Users\Admin\AppData\Local\Temp\x.dll,s
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4864
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\RUNDLL32.EXE" C:\Users\Admin\AppData\Local\Temp\x.dll,s
        3⤵
          PID:2244

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4904-132-0x000001CA1BB70000-0x000001CA1BB92000-memory.dmp

      Filesize

      136KB

    • memory/4904-135-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp

      Filesize

      10.8MB