bf1de2f61fb37c4e35c6f270ec1b1e3e637a9ae1a637f05f8889337659dc26b8

Resubmissions

20/05/2023, 03:00

230520-dhgk4sab52 7

20/05/2023, 02:56

230520-dfad1scg9v 7

Analysis

max time kernel
28s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20/05/2023, 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

memez-master/install.ps1
Size

738B
MD5

63218cee4634763d4eab7c4828631545
SHA1

34bb64b46a3c767ca74dea18459768023fcf036b
SHA256

8031cd26ed09c732ca5603725d1a337ed5e2f24f25f26a2fa4f696f336e7e781
SHA512

e1f15e5b109fcc90e3e3631d233f23d65db54db5b669541e9c29415dd96bf2643d99bee71f0e022ef208011c24d9b538cc39fc2d9cd55bae4c29fef2d6152ae5

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
772	icacls.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
860	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	860	powershell.exe
Token: SeRestorePrivilege	772	icacls.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 772	860	powershell.exe	29
PID 860 wrote to memory of 772	860	powershell.exe	29
PID 860 wrote to memory of 772	860	powershell.exe	29

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\memez-master\install.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\system32\icacls.exe
  "C:\Windows\system32\icacls.exe" C:\memez.exe /setowner admin
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/860-58-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/860-61-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/860-60-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/860-62-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/860-59-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/860-63-0x000000000298B000-0x00000000029C2000-memory.dmp

Filesize
220KB

Download