Analysis
max time kernel: 40s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 13:43
Static task: static1
Behavioral task: behavioral1 (Sample: AS.js; Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: AS.js; Resource: win10v2004-20220812-en)
Behavioral task: behavioral3 (Sample: peseta/flours.js; Resource: win7-20220812-en)
Behavioral task: behavioral4 (Sample: peseta/flours.js; Resource: win10v2004-20220812-en)
Behavioral task: behavioral5 (Sample: peseta/gratiae.ps1; Resource: win7-20220812-en)
Behavioral task: behavioral6 (Sample: peseta/gratiae.ps1; Resource: win10v2004-20220812-en)
General
Target: peseta/gratiae.ps1
Size: 367B
MD5: 5479e1a9617b0222d0a8f001c63fb23b
SHA1: 0c5428239a418c8586d1699adafeb2bddb0f8c95
SHA256: e6f4fe47c6e08c3b995b5e69efee09a853426607d64715bb1cf215640f785d58
SHA512: 7bc5e090fbabd4746c1a075ed4d7bbfbdb4e0a235ff8c1be5e8257d5daf4f3e22a3f04d25d21108446a684cc7371eea6882d3c1d855a3c12e868a2e8d01d4ffa
Malware Config
Signatures
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid   process
  1044  powershell.exe
  1044  powershell.exe
  1044  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1044  powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid   process         target process
  PID 1044 wrote to memory of 1552  1044  powershell.exe  rundll32.exe
  PID 1044 wrote to memory of 1552  1044  powershell.exe  rundll32.exe
  PID 1044 wrote to memory of 1552  1044  powershell.exe  rundll32.exe
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 1044)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\peseta\gratiae.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe (PID: 1552, child of 1044)
    Command line: "C:\Windows\system32\rundll32.exe" C:\users\public\test1.txt DrawThemeIcon
Network
MITRE ATT&CK Matrix
Downloads
memory/1044-54-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp (Filesize: 8KB)
memory/1044-55-0x000007FEF3930000-0x000007FEF4353000-memory.dmp (Filesize: 10.1MB)
memory/1044-57-0x00000000024C4000-0x00000000024C7000-memory.dmp (Filesize: 12KB)
memory/1044-56-0x000007FEF2DD0000-0x000007FEF392D000-memory.dmp (Filesize: 11.4MB)
memory/1044-58-0x00000000024CB000-0x00000000024EA000-memory.dmp (Filesize: 124KB)
memory/1044-60-0x00000000024C4000-0x00000000024C7000-memory.dmp (Filesize: 12KB)
memory/1044-61-0x00000000024CB000-0x00000000024EA000-memory.dmp (Filesize: 124KB)
memory/1552-59-0x0000000000000000-mapping.dmp