Analysis
- max time kernel: 141s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 01/05/2023, 08:22

Static task: static1
Behavioral task: behavioral1
- Sample: t.png.ps1
- Resource: win7-20230220-en
General
- Target: t.png.ps1
- Size: 256KB
- MD5: ec3fb005182c03e31ad5f652fcaf433a
- SHA1: 1d1533e4c07dc0f21235e2011f1e99e263aa1114
- SHA256: 6e39cc4bf7d911b9b6b47d0ca860df4b405386a8232943cd9e4a7f03d2027c0c
- SHA512: 8ce1740ff066dae5edeffd56fe79e597a66ecce8e4fc83563c2e772461a4e5978aa44db531f74fad38db0a1e0aae0d4d9bf53cba3b43daa77f45b43be2e8fb78
- SSDEEP: 6144:dhMHd8wF9VtLr3EXGpI5cGIE+QI33INenAZYn+FphxVC4werLfEM2QI6ii4jqJrB:0Ht9VtLr3EXGpI5cGIp3INenAZQ+Fphx
Malware Config
Signatures
- Drops file in System32 directory (1 IoCs)
  description: File opened for modification
  ioc: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
  process: powershell.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 1880 | process schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1432 | process powershell.exe
  pid 904 | process powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description Token: SeDebugPrivilege | pid 1432 | process powershell.exe
  description Token: SeDebugPrivilege | pid 904 | process powershell.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | process | procid_target
  PID 1432 wrote to memory of 1880 | 1432 | powershell.exe | 29
  PID 1432 wrote to memory of 1880 | 1432 | powershell.exe | 29
  PID 1432 wrote to memory of 1880 | 1432 | powershell.exe | 29
  PID 1932 wrote to memory of 300 | 1932 | taskeng.exe | 31
  PID 1932 wrote to memory of 300 | 1932 | taskeng.exe | 31
  PID 1932 wrote to memory of 300 | 1932 | taskeng.exe | 31
  PID 300 wrote to memory of 1684 | 300 | WScript.exe | 32
  PID 300 wrote to memory of 1684 | 300 | WScript.exe | 32
  PID 300 wrote to memory of 1684 | 300 | WScript.exe | 32
  PID 1684 wrote to memory of 1584 | 1684 | cmd.exe | 34
  PID 1684 wrote to memory of 1584 | 1684 | cmd.exe | 34
  PID 1684 wrote to memory of 1584 | 1684 | cmd.exe | 34
  PID 1584 wrote to memory of 904 | 1584 | cmd.exe | 35
  PID 1584 wrote to memory of 904 | 1584 | cmd.exe | 35
  PID 1584 wrote to memory of 904 | 1584 | cmd.exe | 35
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\t.png.ps1
  PID: 1432
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\schtasks.exe
    command line: "C:\Windows\system32\schtasks.exe" /create /sc minute /mo 2 /tn PDF /tr C:\ProgramData\PDF\PDF.vbs
    PID: 1880
    - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {5D951316-2387-4D9B-90B7-32DB88488FC1} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]
  PID: 1932
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe
    command line: C:\Windows\System32\WScript.exe "C:\ProgramData\PDF\PDF.vbs"
    PID: 300
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe
      command line: cmd /c ""C:\ProgramData\PDF\1.bat" "
      PID: 1684
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        command line: CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF.ps1"
        PID: 1584
        - Suspicious use of WriteProcessMemory
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\PDF\PDF.ps1"
          PID: 904
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 89B
  MD5: a7f20549327da521bf176b6faa76e623
  SHA1: b9b22202b9d3d43ffa6cbf2f3f81dc7f5b06c605
  SHA256: a2099940d9f7f9a0a603a5a36ef2b24eef49f2cb428539949a6d75261faaba46
  SHA512: 5cac6f996aa1bb4dd11a39d3001da243c6f020bc1a3d86a36ec773d45e479514b006e3b3d8782b1eaab628d0fefdb987495308b9c88f38667f875179771f4823
- Filesize: 255KB
  MD5: ee39cd0d14321044da4e3e548392983c
  SHA1: 4f04ebde6c0d04a5837bc81d062d7b14f7738168
  SHA256: 86f1d81d4d4f866442b384394e35d1a8058bbe843cc0d8896b1655d3ab3cf886
  SHA512: bd2817d4ef8367a0c2f7dfc838aef559c16a703d95f887b053da3bde95f4ab709cbbfde2b22c829d9dccb52abb8a708868a0f327031eeae9584764d3fc3a7ad4
- Filesize: 120B
  MD5: 30e4773314799aa0e1fd7761cae6e609
  SHA1: d1b5a371a7555e99a7602ae6ee8028ac0f0462c4
  SHA256: dc592583d072f325b7a0a54d53499f32ef95c731344cc10400f0bb03e7db4720
  SHA512: fcbeca634cb6fe2d0ea4f726f09b4a35917615467a562e9d73cd235cd337bb797fb6a996f0569e83f4f858c0226b84fbd2d0721bea47d1039e5ffe6ebca0bb8d
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 8cff7d5d16065ca3ac15b9c4dc380c81
  SHA1: c229c43ad8dbf6c3052d882709b7c9c94c23b43b
  SHA256: f46a56882546fb89e822aa24665a6534adde40790ff594cefb2cd30e027d2319
  SHA512: b887d1440c34255bd71f583fc74a7db9d8159d2b211a67b9228e125826f830b7e024c87ec9e2b9a223955bd8499fedcac4556d515df7121b2588c91d4b1c170e