fa8f6002a8d571256dc88960a69ab44c7cbf65227c45e5b4750007d5749bbd44

Analysis

max time kernel
394s
max time network
400s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aggah.ps1
Size

1.1MB
MD5

8763a2445fde1b8c315ac06e4123207a
SHA1

84e8a98f70acce9988adf826ca0c52aaf66b21c2
SHA256

fa8f6002a8d571256dc88960a69ab44c7cbf65227c45e5b4750007d5749bbd44
SHA512

57b8fa11f322fd4f39608fa511b21c4560c9812743dfe57f49297995aad57b2945c0d370e12aa343cb84374126eb3bb51a20555db564255963512a19793cde4f
SSDEEP

12288:Cjx24c7RmYLQoSlhO5vLIyEDlzvOLHCKzR6VpPXncijT9L:CeRm6QoSlhOXqrOLHCn4ijTN

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exe

pid	process
1788	powershell.exe
1788	powershell.exe
1788	powershell.exe
1788	powershell.exe
1788	powershell.exe
1788	powershell.exe
284	powershell.exe
284	powershell.exe
284	powershell.exe
284	powershell.exe
284	powershell.exe
284	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1788 powershell.exe
Token: SeDebugPrivilege 284 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	284	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 308 wrote to memory of 284	308	cmd.exe	powershell.exe
PID 308 wrote to memory of 284	308	cmd.exe	powershell.exe
PID 308 wrote to memory of 284	308	cmd.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\aggah.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -ep unrestricted
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:284

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ea4e44d863df0a239d86cf79f1fc07fc

SHA1
29fba16a5fea07971fc0b5b13ef11a3719e4fcaf

SHA256
2d5fd8d42f036c4fa1f47e0458a7f7cb59f29cd59f63a8123fe37f1b2c18af49

SHA512
8a6988f3acc5bd30b91a4a886c7d62ab738ec6d77afe63f968bad31694352b8b8adbb05237536adfd31ac640d398b088a293a212b3ce83cd8235cc9768048485

Download Submit
memory/284-70-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/284-69-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/284-74-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/284-64-0x0000000000000000-mapping.dmp

Download
memory/284-72-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/284-71-0x000000000249B000-0x00000000024BA000-memory.dmp

Filesize
124KB

Download
memory/284-68-0x000007FEEE4C0000-0x000007FEEF01D000-memory.dmp

Filesize
11.4MB

Download
memory/284-67-0x000007FEF2880000-0x000007FEF32A3000-memory.dmp

Filesize
10.1MB

Download
memory/284-75-0x000000000249B000-0x00000000024BA000-memory.dmp

Filesize
124KB

Download
memory/284-73-0x000000000249B000-0x00000000024BA000-memory.dmp

Filesize
124KB

Download
memory/1788-63-0x00000000024A4000-0x00000000024A7000-memory.dmp

Filesize
12KB

Download
memory/1788-55-0x000007FEF3DB0000-0x000007FEF47D3000-memory.dmp

Filesize
10.1MB

Download
memory/1788-61-0x00000000024AB000-0x00000000024CA000-memory.dmp

Filesize
124KB

Download
memory/1788-56-0x000007FEF2750000-0x000007FEF32AD000-memory.dmp

Filesize
11.4MB

Download
memory/1788-54-0x000007FEFC2D1000-0x000007FEFC2D3000-memory.dmp

Filesize
8KB

Download
memory/1788-60-0x00000000024A4000-0x00000000024A7000-memory.dmp

Filesize
12KB

Download
memory/1788-59-0x00000000024AB000-0x00000000024CA000-memory.dmp

Filesize
124KB

Download
memory/1788-58-0x00000000024A4000-0x00000000024A7000-memory.dmp

Filesize
12KB

Download
memory/1788-57-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/1788-62-0x00000000024AB000-0x00000000024CA000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads