abf2dcd61f4a9717e372e32dcfcb02831e51130f4a91fa87bb7954785db435fd

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17-05-2023 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

222.ps1
Size

457KB
MD5

5ff1aded34d5d6f0635f6f9861436886
SHA1

d798ff38d279754353ee88ff35bf46a87dc75484
SHA256

abf2dcd61f4a9717e372e32dcfcb02831e51130f4a91fa87bb7954785db435fd
SHA512

b3d6b951c3130e8a834744cbebc78208b9e1393517ca40e4e3a5bdf391cb1c05c4a23ee88aaac61b1be5a163811069d97ecfdf372457607cc3716ea11a6d8402
SSDEEP

6144:6VDFV/A8nNKmbcRTUufYbE6N4tDeaBfLo1sHsl9yS/M0HixBNqrpB92bMDsA4nx2:snND98MDL

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2008	powershell.exe
2008	powershell.exe
672	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1096	2008	powershell.exe	28
PID 2008 wrote to memory of 1096	2008	powershell.exe	28
PID 2008 wrote to memory of 1096	2008	powershell.exe	28
PID 1096 wrote to memory of 1900	1096	WScript.exe	29
PID 1096 wrote to memory of 1900	1096	WScript.exe	29
PID 1096 wrote to memory of 1900	1096	WScript.exe	29
PID 1900 wrote to memory of 672	1900	cmd.exe	31
PID 1900 wrote to memory of 672	1900	cmd.exe	31
PID 1900 wrote to memory of 672	1900	cmd.exe	31

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\222.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Unlimited\ISO\Binnot.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\ProgramData\Unlimited\ISO\Binnot.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Binnot.ps1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Unlimited\ISO\Binnot.bat

Filesize
96B

MD5
f1d747a7825a5db756d428a5254d244e

SHA1
7db56fe57492bd856c787cd2a836eff4f2ce5e01

SHA256
5863b76caee43b2f1efdd2322f2e5731b1537d1deeb35e860cd75a8304fe4ddf

SHA512
4b1f63df96b8f9e2a381855974b2efab5bd48ae342b1e29a51661d0514ba6f8e62d23e3e58a9a9f978d39880ab03a9b9bf72ab52a546a965da20daa18c4d246d

Download Submit
C:\ProgramData\Unlimited\ISO\Binnot.ps1

Filesize
781B

MD5
58ef18971b1520648e0c6d67036251ff

SHA1
68bd1ee657ff233f6a1ee453914aaecdeb845284

SHA256
226b14799e579e28954937fa3ffdb7d0e5dcd10360b35c329a7246a23be4b4b3

SHA512
9b7f04aca4b3e2af5aafdc9ea30c1722722d668078bea8b0aaa2394d0cb50ac75716fb9173d4084bd5a9cfaa279bd94404b64c140532daa5b3bdd66842f332d2

Download Submit
C:\ProgramData\Unlimited\ISO\Binnot.vbs

Filesize
204B

MD5
8444901b66d6f83f3a684f1b44646868

SHA1
69c9c40aef3734959b4ce5f07005bf13c07646f9

SHA256
cfeaafc87ceec9986f37f6a42ecfa39260f98c951404df95da5e074141add5da

SHA512
7493b0d40c9c914c8968b42752b1d14d415e7bccff07f9bf2ab976d77517e12a456f142ee786527c4e536fab3e4156b21ce353f51f5925bbc405937ad7929bbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
340e1993eb40b8bed81349fab46f89c5

SHA1
13acc43c5621e815bf6c8371f360b9fa29625fdc

SHA256
7caa47d4b27f7a6b91453329a3471a0b06ff6f7c67fc060aa15ff98385e6e46c

SHA512
abc68892589462b10615969593c6f92be3f6d6afda4683314ced7c1b083f039e8b6986692e1eb320b4f982041334a6c34f6b84502cb171c917478fb37b9093d9

Download Submit
memory/672-79-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/672-80-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/672-82-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download
memory/672-83-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download
memory/672-84-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download
memory/2008-63-0x0000000002350000-0x00000000023D0000-memory.dmp

Filesize
512KB

Download
memory/2008-62-0x0000000002350000-0x00000000023D0000-memory.dmp

Filesize
512KB

Download
memory/2008-61-0x0000000002350000-0x00000000023D0000-memory.dmp

Filesize
512KB

Download
memory/2008-60-0x0000000002350000-0x00000000023D0000-memory.dmp

Filesize
512KB

Download
memory/2008-58-0x000000001B280000-0x000000001B562000-memory.dmp

Filesize
2.9MB

Download
memory/2008-59-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download