Analysis

  • max time kernel
    28s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-05-2023 12:36

General

  • Target

    doc.ps1

  • Size

    110KB

  • MD5

    b82b2c3c446169694311b4597299d9a7

  • SHA1

    3fc783e954d21bc9046f23c52e303864680f3a66

  • SHA256

    b9673d9fb629c0e639e0bfb0af0a85f47a21676d83af4d3d5db6c422bd696cb5

  • SHA512

    352ae9d240919b2392df734449728cd544a698ab779b5523af9d0c9bd6aaf2a47d2367e255d7eb0e8509c209f935da5ab32b7d881dbc6d4f99175edec34d6fe2

  • SSDEEP

    3072:NY119DxPJgetKD9RGfzyqTlcUyfZwwC9V:q19DxPJgetKD9RGfzyqTlcdfZwwC9V

Score
10/10

Malware Config

Signatures

  • sLoad

    sLoad is a PowerShell downloader that can exfiltrate system information and deliver additional payloads.

  • Drops desktop.ini file(s) (1 IoC)
  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (15 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\doc.ps1
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" "/c copy /Z c:\Windows\SysWOW64\bitsadmin.exe SmYdFe.exe"
      2⤵
        PID:1696
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /query /FO CSV /v
        2⤵
          PID:320
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" "/c copy /Z c:\Windows\SysWOW64\wscript.exe oiIBNEQt.exe"
          2⤵
            PID:1260
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" "/C schtasks /F /%windir:~0,1%reate /sc minute /mo 3 /TN "S0gPRFSHGJr" /ST 07:00 /TR "c:\users\Admin\AppData\Roaming\\gPRFSHGJr\oiIBNEQt.exe /E:vbscript c:\users\Admin\AppData\Roaming\\gPRFSHGJr\gvTIYcJn.tmp""
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1536
            • C:\Windows\system32\schtasks.exe
              schtasks /F /Create /sc minute /mo 3 /TN "S0gPRFSHGJr" /ST 07:00 /TR "c:\users\Admin\AppData\Roaming\\gPRFSHGJr\oiIBNEQt.exe /E:vbscript c:\users\Admin\AppData\Roaming\\gPRFSHGJr\gvTIYcJn.tmp""
              3⤵
              • Creates scheduled task(s)
              PID:1848
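
The tree above shows the whole sLoad staging chain in three command lines: cmd.exe copies bitsadmin.exe and wscript.exe out of SysWOW64 under random names, the scheduled task is created with the string "Create" spelled as /%windir:~0,1%reate (cmd's substring expansion takes the first character of %windir%, "C" on a default install, so the literal "Create" never appears in the parent's command line), and the task runs the renamed wscript.exe copy every 3 minutes with /E:vbscript against a .tmp file in AppData\Roaming. Note that the child schtasks.exe process (3⤵) already carries the resolved /Create, so a detection that keys on the child's command line is not affected by the obfuscation. The following detector is an added example written for this page; it is not part of the sandbox report and not code from the sLoad sample. The ENV block, the LOLBINS set and the finding strings are the example's own assumptions; SAMPLES is constructed from the process tree above.

```python
"""Replay the process tree's command lines and flag sLoad's staging tradecraft.

Added example, not from the report or the sample. Flags: a system LOLBin copied
under a new name, cmd.exe %VAR:~start[,len]% substring expansion, and a schtasks
job that runs a script host out of AppData\\Roaming with /E:vbscript on a .tmp.
"""
import ntpath
import re

# Assumed victim environment: only what the substring expansion below needs.
ENV = {"windir": r"C:\Windows"}

# Script/download LOLBins worth flagging when copied out of System32/SysWOW64 (assumed list).
LOLBINS = {"bitsadmin.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command lines taken from the report's process tree (constructed sample set).
SAMPLES = [
    r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\doc.ps1",
    r'"C:\Windows\system32\cmd.exe" "/c copy /Z c:\Windows\SysWOW64\bitsadmin.exe SmYdFe.exe"',
    r'"C:\Windows\system32\schtasks.exe" /query /FO CSV /v',
    r'"C:\Windows\system32\cmd.exe" "/C schtasks /F /%windir:~0,1%reate /sc minute /mo 3 /TN "S0gPRFSHGJr" /ST 07:00 /TR "c:\users\Admin\AppData\Roaming\\gPRFSHGJr\oiIBNEQt.exe /E:vbscript c:\users\Admin\AppData\Roaming\\gPRFSHGJr\gvTIYcJn.tmp""',
    r'schtasks /F /Create /sc minute /mo 3 /TN "S0gPRFSHGJr" /ST 07:00 /TR "c:\users\Admin\AppData\Roaming\\gPRFSHGJr\oiIBNEQt.exe /E:vbscript c:\users\Admin\AppData\Roaming\\gPRFSHGJr\gvTIYcJn.tmp""',
]

_SUBSTR = re.compile(r"%(\w+):~(-?\d+)(?:,(-?\d+))?%")


def expand_cmd_substrings(cmdline, env=ENV):
    """Resolve cmd.exe %VAR:~start[,len]% (variable names are case-insensitive).

    A negative start counts back from the end of the value, a negative len means
    "stop that many characters before the end", and an undefined variable is
    left as written, which is how cmd.exe behaves at an interactive prompt.
    """
    def repl(match):
        name, start, length = match.group(1), int(match.group(2)), match.group(3)
        value = next((v for k, v in env.items() if k.lower() == name.lower()), None)
        if value is None:
            return match.group(0)
        if start < 0:
            start = max(len(value) + start, 0)
        if length is None:
            return value[start:]
        length = int(length)
        end = len(value) + length if length < 0 else start + length
        return value[start:end]
    return _SUBSTR.sub(repl, cmdline)


def _tokens(cmdline):
    # Drop quotes and split on whitespace; sufficient for copy/schtasks syntax.
    return cmdline.replace('"', "").split()


def detect(cmdline, env=ENV):
    """Return the list of findings for one process command line (empty if clean)."""
    findings = []
    resolved = expand_cmd_substrings(cmdline, env)
    if resolved != cmdline:
        findings.append("cmd substring expansion hides part of the command line")

    toks = _tokens(resolved)
    lower = [t.lower() for t in toks]

    # 1. 'copy [/switches] <src> <dst>' where src is a LOLBin and dst is a new name.
    if "copy" in lower:
        i = lower.index("copy") + 1
        while i < len(toks) and toks[i].startswith("/"):
            i += 1
        if i + 1 < len(toks):
            src_name = ntpath.basename(lower[i])
            dst_name = ntpath.basename(lower[i + 1])
            if src_name in LOLBINS and dst_name != src_name:
                findings.append(f"LOLBin copied under a new name: {src_name} -> {dst_name}")

    # 2. schtasks /Create whose /TR action runs a script host from AppData\Roaming
    #    with /E:vbscript against a .tmp payload. Query-only invocations are ignored.
    if any("schtasks" in t for t in lower) and "/create" in lower:
        action = re.search(r'/tr\s+"([^"]*)"', resolved, re.I)
        if action:
            act = action.group(1).lower()
            if "\\appdata\\roaming\\" in act and "/e:vbscript" in act and act.endswith(".tmp"):
                findings.append("schtasks persistence: script host run from AppData with /E:vbscript on a .tmp")
    return findings


def scan(samples=SAMPLES):
    """Run detect() over a list of command lines; returns [(cmdline, findings), ...]."""
    return [(s, detect(s)) for s in samples]


if __name__ == "__main__":
    for cmdline, found in scan():
        print(f"{'HIT ' if found else 'ok  '} {cmdline[:70]}")
        for f in found:
            print(f"       - {f}")
```

Running the block flags the bitsadmin.exe copy, the obfuscated parent cmd.exe line (two findings: the expansion and the persistence action) and the resolved child schtasks.exe line (one finding), while the PowerShell launcher and the schtasks /query enumeration produce nothing. In a real pipeline the same two checks would run over process-creation telemetry (Sysmon event ID 1 or EDR equivalents), which is why the resolved child command line is the more reliable hook than the parent's obfuscated one.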

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1168-58-0x000000001B180000-0x000000001B462000-memory.dmp
    Filesize: 2.9MB
  • memory/1168-59-0x0000000002390000-0x0000000002398000-memory.dmp
    Filesize: 32KB
  • memory/1168-62-0x00000000024F0000-0x0000000002570000-memory.dmp
    Filesize: 512KB
  • memory/1168-66-0x00000000024F0000-0x0000000002570000-memory.dmp
    Filesize: 512KB
  • memory/1168-63-0x00000000024F0000-0x0000000002570000-memory.dmp
    Filesize: 512KB
  • memory/1168-67-0x00000000024F0000-0x0000000002570000-memory.dmp
    Filesize: 512KB