d3184c9b86460714706d3d522c89e5b53d74a386953d3dd9a59c4b7c6a9e10fc

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-03-2023 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cb8519b3d33b567e68289dd057629c12388ca19ee2cd0bfd2dcbefe8728402d.ps1
Size

226KB
MD5

ca7205724f31290cdef29a7e0f0743d0
SHA1

e7dbb3b8bd7a31698f97a21b25cd03e67f8be91f
SHA256

3cb8519b3d33b567e68289dd057629c12388ca19ee2cd0bfd2dcbefe8728402d
SHA512

661e18b9d63c8ff1849f7b6ba81b5d44a68fc3e605c207d965a7e4841e244a114881a6f0ca77e1ad18fbef2d881327ea460333e27741521107bf2314e7b65c98
SSDEEP

1536:vNUP7fvRYjFYFWPApqqPDXdkSajySbVeJ+ARXqX3XXSX3XHCyyvL93yVxgQ51kIN:G+/mjLnfhUd3tNTrrD4Qzxu

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1388 powershell.exe
1388 powershell.exe
1388 powershell.exe
840 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1388 powershell.exe
Token: SeDebugPrivilege 840 powershell.exe

pid	process
1388	powershell.exe
1388	powershell.exe
1388	powershell.exe
840	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

powershell.exeWScript.exe

description	pid	process	target process
PID 1388 wrote to memory of 992	1388	powershell.exe	WScript.exe
PID 1388 wrote to memory of 992	1388	powershell.exe	WScript.exe
PID 1388 wrote to memory of 992	1388	powershell.exe	WScript.exe
PID 992 wrote to memory of 840	992	WScript.exe	powershell.exe
PID 992 wrote to memory of 840	992	WScript.exe	powershell.exe
PID 992 wrote to memory of 840	992	WScript.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3cb8519b3d33b567e68289dd057629c12388ca19ee2cd0bfd2dcbefe8728402d.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Document\BT.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" &{$a='ReadAllText';$T='C:\ProgramData\Document\BT.ps1';IEx([<#1#>IO.File<#1#>]::$a($T))}
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Document\BT.vbs

Filesize
433B

MD5
f7da689911a44bf28a2908f1522267f6

SHA1
8a07c961848dcbc095e22edeab099ef3f36ab2b6

SHA256
60e6a5212c5d64aa96bcb296aeb044067a6c8910b39e84b6b36eec74c3a1d834

SHA512
8dee32c503a4b516e8d8e4e8eefe3fb166c8abd4a49d294e583a5847030048fad0b2a90043252563d49a55978dad475ff6d5a4b215feed9b2b3d82a9b4674dbd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a4536c1bbdc25d1a01c842448091ef41

SHA1
9ead72cd183bf82737db8fca279003ac287d85a5

SHA256
93edadef0c6deb59e065d8a4a7aa01cf2baebe84c5b385180218574c6e55af2a

SHA512
db906977bb434883593fd405701794d322961b567a87520f14b603d19361cd8d85478ac4265922b88edcc51238cac74accc1c44fac9cdd45eeb0f7e28f69aeba

Download Submit
memory/840-77-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/840-75-0x000000001B0E0000-0x000000001B3C2000-memory.dmp

Filesize
2.9MB

Download
memory/840-76-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/840-78-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/840-79-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/840-80-0x000000000252B000-0x0000000002562000-memory.dmp

Filesize
220KB

Download
memory/1388-61-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/1388-62-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/1388-60-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/1388-59-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/1388-58-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download