Analysis
  max time kernel: 146s
  max time network: 34s
  platform: windows7_x64
  resource: win7-20230220-en
  resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  submitted: 01/05/2023, 05:13
Static task: static1
Behavioral task: behavioral1
  Sample: t.ps1
  Resource: win7-20230220-en
General
  Target: t.ps1
  Size: 256KB
  MD5: ec3fb005182c03e31ad5f652fcaf433a
  SHA1: 1d1533e4c07dc0f21235e2011f1e99e263aa1114
  SHA256: 6e39cc4bf7d911b9b6b47d0ca860df4b405386a8232943cd9e4a7f03d2027c0c
  SHA512: 8ce1740ff066dae5edeffd56fe79e597a66ecce8e4fc83563c2e772461a4e5978aa44db531f74fad38db0a1e0aae0d4d9bf53cba3b43daa77f45b43be2e8fb78
  SSDEEP: 6144:dhMHd8wF9VtLr3EXGpI5cGIE+QI33INenAZYn+FphxVC4werLfEM2QI6ii4jqJrB:0Ht9VtLr3EXGpI5cGIp3INenAZQ+Fphx
Malware Config
Signatures
  Drops file in System32 directory (1 IoCs)
    description: File opened for modification
    ioc: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
    Process: powershell.exe
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  Creates scheduled task(s) (1 TTPs, 1 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid | Process
    572 | schtasks.exe
  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid | Process
    1708 | powershell.exe
    776 | powershell.exe
  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description | pid | Process
    Token: SeDebugPrivilege | 1708 | powershell.exe
    Token: SeDebugPrivilege | 776 | powershell.exe
  Suspicious use of WriteProcessMemory (15 IoCs)
    description | pid | Process | procid_target
    PID 1708 wrote to memory of 572 | 1708 | powershell.exe | 29
    PID 1708 wrote to memory of 572 | 1708 | powershell.exe | 29
    PID 1708 wrote to memory of 572 | 1708 | powershell.exe | 29
    PID 828 wrote to memory of 904 | 828 | taskeng.exe | 31
    PID 828 wrote to memory of 904 | 828 | taskeng.exe | 31
    PID 828 wrote to memory of 904 | 828 | taskeng.exe | 31
    PID 904 wrote to memory of 1196 | 904 | WScript.exe | 32
    PID 904 wrote to memory of 1196 | 904 | WScript.exe | 32
    PID 904 wrote to memory of 1196 | 904 | WScript.exe | 32
    PID 1196 wrote to memory of 1552 | 1196 | cmd.exe | 34
    PID 1196 wrote to memory of 1552 | 1196 | cmd.exe | 34
    PID 1196 wrote to memory of 1552 | 1196 | cmd.exe | 34
    PID 1552 wrote to memory of 776 | 1552 | cmd.exe | 35
    PID 1552 wrote to memory of 776 | 1552 | cmd.exe | 35
    PID 1552 wrote to memory of 776 | 1552 | cmd.exe | 35
  Uses Task Scheduler COM API (1 TTPs)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\t.ps1
    PID: 1708
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe
      Command line: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 2 /tn PDF /tr C:\ProgramData\PDF\PDF.vbs
      PID: 572
      - Creates scheduled task(s)
  C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {CA6A2BE8-471D-47F3-ACE8-49792FA15D64} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]
    PID: 828
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WScript.exe
      Command line: C:\Windows\System32\WScript.exe "C:\ProgramData\PDF\PDF.vbs"
      PID: 904
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\cmd.exe
        Command line: cmd /c ""C:\ProgramData\PDF\1.bat" "
        PID: 1196
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\cmd.exe
          Command line: CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF.ps1"
          PID: 1552
          - Suspicious use of WriteProcessMemory
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF.ps1"
            PID: 776
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
  -
    Filesize: 89B
    MD5: a7f20549327da521bf176b6faa76e623
    SHA1: b9b22202b9d3d43ffa6cbf2f3f81dc7f5b06c605
    SHA256: a2099940d9f7f9a0a603a5a36ef2b24eef49f2cb428539949a6d75261faaba46
    SHA512: 5cac6f996aa1bb4dd11a39d3001da243c6f020bc1a3d86a36ec773d45e479514b006e3b3d8782b1eaab628d0fefdb987495308b9c88f38667f875179771f4823
  -
    Filesize: 255KB
    MD5: ee39cd0d14321044da4e3e548392983c
    SHA1: 4f04ebde6c0d04a5837bc81d062d7b14f7738168
    SHA256: 86f1d81d4d4f866442b384394e35d1a8058bbe843cc0d8896b1655d3ab3cf886
    SHA512: bd2817d4ef8367a0c2f7dfc838aef559c16a703d95f887b053da3bde95f4ab709cbbfde2b22c829d9dccb52abb8a708868a0f327031eeae9584764d3fc3a7ad4
  -
    Filesize: 120B
    MD5: 30e4773314799aa0e1fd7761cae6e609
    SHA1: d1b5a371a7555e99a7602ae6ee8028ac0f0462c4
    SHA256: dc592583d072f325b7a0a54d53499f32ef95c731344cc10400f0bb03e7db4720
    SHA512: fcbeca634cb6fe2d0ea4f726f09b4a35917615467a562e9d73cd235cd337bb797fb6a996f0569e83f4f858c0226b84fbd2d0721bea47d1039e5ffe6ebca0bb8d
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: 24d23a69357cf6c2573bb1fe89afe3d6
    SHA1: 87309ae898729f63412a314c821957cd18448e19
    SHA256: 6e3563cdecd14b5155fbde95b78d1843111b7d7707f6dbf14183ce07f81c7b21
    SHA512: e8681b9ad7ac865a5dbcaa354ba4d803b73a712910c67b8ee46a8bc5d1eab651cfcb68dd5cdb3fc5cf7e5bd88ad448589d1e94b32eab350baadd6d79e4c7c7d7