Analysis
- max time kernel: 30s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 30-11-2022 17:36
Static task
- static1
Behavioral tasks
- behavioral1: sample BF.vbs, resource win7-20220812-en
- behavioral2: sample BF.vbs, resource win10v2004-20220812-en
- behavioral3: sample teased/mammary.ps1, resource win7-20221111-en
- behavioral4: sample teased/mammary.ps1, resource win10v2004-20221111-en
- behavioral5: sample teased/stiffeners.vbs, resource win7-20221111-en
- behavioral6: sample teased/stiffeners.vbs, resource win10v2004-20221111-en
General
- Target: teased/mammary.ps1
- Size: 363B
- MD5: 1afca7e01104c41276d5407b5a26a4db
- SHA1: a65e352c96a6d7c61741503874e3b395a17d3c1b
- SHA256: ade01ba047aea55733967891270a531473996e31d8b38f02d56f6d2102d1a393
- SHA512: 7d7648ae9532196508d08cf7954144c3c25617ebfde58b64e4ef7fba8349457e3dca5cdb75184ae6cbf828a5dd8b4cb016f1854df3405ea2ca6ed952bbf9d0e9
Malware Config
(none extracted)
Signatures
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid, process):
  - 1640 powershell.exe
  - 1640 powershell.exe
  - 1640 powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1640, powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
  - PID 1640 wrote to memory of 828, 1640, powershell.exe, rundll32.exe
  - PID 1640 wrote to memory of 828, 1640, powershell.exe, rundll32.exe
  - PID 1640 wrote to memory of 828, 1640, powershell.exe, rundll32.exe
Processes
- 1: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\teased\mammary.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - 2 (child of 1): C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\users\public\marqueesInvariance.txt DrawThemeIcon
Network
MITRE ATT&CK Matrix
Downloads
- memory/828-59-0x0000000000000000-mapping.dmp
- memory/1640-54-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp (filesize 8KB)
- memory/1640-55-0x000007FEF35B0000-0x000007FEF3FD3000-memory.dmp (filesize 10.1MB)
- memory/1640-56-0x000007FEF2A50000-0x000007FEF35AD000-memory.dmp (filesize 11.4MB)
- memory/1640-57-0x00000000025D4000-0x00000000025D7000-memory.dmp (filesize 12KB)
- memory/1640-58-0x000000001B6E0000-0x000000001B9DF000-memory.dmp (filesize 3.0MB)
- memory/1640-60-0x00000000025D4000-0x00000000025D7000-memory.dmp (filesize 12KB)
- memory/1640-61-0x00000000025DB000-0x00000000025FA000-memory.dmp (filesize 124KB)