5295a4068b1de47c3385bd1608f84ef51b4bb8b6e0f867af7797a199da9378dc

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-05-2023 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abf2dcd61f4a9717e372e32dcfcb02831e51130f4a91fa87bb7954785db435fd.ps1
Size

457KB
MD5

5ff1aded34d5d6f0635f6f9861436886
SHA1

d798ff38d279754353ee88ff35bf46a87dc75484
SHA256

abf2dcd61f4a9717e372e32dcfcb02831e51130f4a91fa87bb7954785db435fd
SHA512

b3d6b951c3130e8a834744cbebc78208b9e1393517ca40e4e3a5bdf391cb1c05c4a23ee88aaac61b1be5a163811069d97ecfdf372457607cc3716ea11a6d8402
SSDEEP

6144:6VDFV/A8nNKmbcRTUufYbE6N4tDeaBfLo1sHsl9yS/M0HixBNqrpB92bMDsA4nx2:snND98MDL

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2040	powershell.exe
2040	powershell.exe
1328	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1224	2040	powershell.exe	29
PID 2040 wrote to memory of 1224	2040	powershell.exe	29
PID 2040 wrote to memory of 1224	2040	powershell.exe	29
PID 1224 wrote to memory of 1012	1224	WScript.exe	30
PID 1224 wrote to memory of 1012	1224	WScript.exe	30
PID 1224 wrote to memory of 1012	1224	WScript.exe	30
PID 1012 wrote to memory of 1328	1012	cmd.exe	32
PID 1012 wrote to memory of 1328	1012	cmd.exe	32
PID 1012 wrote to memory of 1328	1012	cmd.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\abf2dcd61f4a9717e372e32dcfcb02831e51130f4a91fa87bb7954785db435fd.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Unlimited\ISO\Binnot.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\ProgramData\Unlimited\ISO\Binnot.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Binnot.ps1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Unlimited\ISO\Binnot.bat

Filesize
96B

MD5
f1d747a7825a5db756d428a5254d244e

SHA1
7db56fe57492bd856c787cd2a836eff4f2ce5e01

SHA256
5863b76caee43b2f1efdd2322f2e5731b1537d1deeb35e860cd75a8304fe4ddf

SHA512
4b1f63df96b8f9e2a381855974b2efab5bd48ae342b1e29a51661d0514ba6f8e62d23e3e58a9a9f978d39880ab03a9b9bf72ab52a546a965da20daa18c4d246d

Download Submit
C:\ProgramData\Unlimited\ISO\Binnot.ps1

Filesize
781B

MD5
58ef18971b1520648e0c6d67036251ff

SHA1
68bd1ee657ff233f6a1ee453914aaecdeb845284

SHA256
226b14799e579e28954937fa3ffdb7d0e5dcd10360b35c329a7246a23be4b4b3

SHA512
9b7f04aca4b3e2af5aafdc9ea30c1722722d668078bea8b0aaa2394d0cb50ac75716fb9173d4084bd5a9cfaa279bd94404b64c140532daa5b3bdd66842f332d2

Download Submit
C:\ProgramData\Unlimited\ISO\Binnot.vbs

Filesize
204B

MD5
8444901b66d6f83f3a684f1b44646868

SHA1
69c9c40aef3734959b4ce5f07005bf13c07646f9

SHA256
cfeaafc87ceec9986f37f6a42ecfa39260f98c951404df95da5e074141add5da

SHA512
7493b0d40c9c914c8968b42752b1d14d415e7bccff07f9bf2ab976d77517e12a456f142ee786527c4e536fab3e4156b21ce353f51f5925bbc405937ad7929bbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bc56171e5c5e1d408145ec3fc8b3cdc4

SHA1
f22979ca4218867b13c697eecd267991949a0d9d

SHA256
7e835320659002c243a14aa35f98b9b244d6191ec4d1fe05dd75834bf396656b

SHA512
280b322b3a09bc7ed01288c962b180d8436d21eb41d1d8f10f36a2442564b82225b568a9bbf4ba6d84ef8c2b5587230a90004f3ae085708abff195e96691f61b

Download Submit
memory/1328-79-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download
memory/1328-80-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/1328-82-0x0000000002754000-0x0000000002757000-memory.dmp

Filesize
12KB

Download
memory/1328-83-0x000000000275B000-0x0000000002792000-memory.dmp

Filesize
220KB

Download
memory/2040-69-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2040-62-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2040-61-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2040-60-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2040-58-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/2040-59-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download