Overview

overview

10

Static

static

10

ChrisTitus...rch.sh

ubuntu-18.04-amd64

8

ChrisTitus...rch.sh

debian-9-armhf

8

ChrisTitus...rch.sh

debian-9-mips

8

ChrisTitus...rch.sh

debian-9-mipsel

8

ChrisTitus...deb.sh

ubuntu-18.04-amd64

7

ChrisTitus...deb.sh

debian-9-armhf

5

ChrisTitus...deb.sh

debian-9-mips

5

ChrisTitus...deb.sh

debian-9-mipsel

5

ChrisTitus...it.ps1

windows7-x64

1

ChrisTitus...it.ps1

windows10-2004-x64

1

ChrisTitus...on.ps1

windows7-x64

1

ChrisTitus...on.ps1

windows10-2004-x64

1

ChrisTitus...ds.ps1

windows7-x64

8

ChrisTitus...ds.ps1

windows10-2004-x64

8

ChrisTitus...os.ps1

windows7-x64

8

ChrisTitus...os.ps1

windows10-2004-x64

8

ChrisTitus...py.ps1

windows7-x64

1

ChrisTitus...py.ps1

windows10-2004-x64

1

ChrisTitus...or.cmd

windows7-x64

1

ChrisTitus...or.cmd

windows10-2004-x64

1

ChrisTitus...at.ps1

windows7-x64

10

ChrisTitus...at.ps1

windows10-2004-x64

1

Analysis

  • max time kernel
    91s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-12-2022 14:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ChrisTitusTech_debloatWin10_elQueAnda/cttscript/Individual Scripts/block-eos.ps1

  • Size

    287B

  • MD5

    3541079f602c74abea286f90fa8d755d

  • SHA1

    df2521cd6a44e656365a2a7564d5277539fb86e9

  • SHA256

    d7c476bcda256448d7f7fbbce49f5faa93318886388fcc41f28ff19cb6fa9eb9

  • SHA512

    eab99d0bd89b9a9216b030aed4a62a04d0c82946e7fb50aa9557af1019bb7c16f8ffbaf90d5b594ff9e3cfd43374190996ae0500d728dc1c038f8c50d40cd7ea

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\ChrisTitusTech_debloatWin10_elQueAnda\cttscript\Individual Scripts\block-eos.ps1"
    1⤵
    • Blocklisted process makes network request
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4260-132-0x0000016DF8530000-0x0000016DF8552000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4260-133-0x00007FFBC8BD0000-0x00007FFBC9691000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4260-134-0x0000016DFC1C0000-0x0000016DFC966000-memory.dmp

    Filesize

    7.6MB

    Download

  • memory/4260-135-0x00007FFBC8BD0000-0x00007FFBC9691000-memory.dmp

    Filesize

    10.8MB

    Download