6da2463344288a1cf81824cd298a9b0174d4047338e3aee709f571778a36975e

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-06-2023 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Device/HarddiskVolume1/Users/strial_tenant/Downloads/script1.ps1
Size

457KB
MD5

6cf32568a97a0cb8fe75acbe6cac8db2
SHA1

80e1d3113e12220910c5419abfa35aeaa7f3a0b1
SHA256

e34d98ea875e0ba6842ad296ebf6ea8fc908c6988fe50d7bf5cbb86787d73171
SHA512

5571adfcb274c58acae6b2dd629efe470fed23c3732507f15a46d5b00a99f186f922a0797ef1ccd0de8d5b7681f305521d1edebf990726bbf5fa5a8b464b0ddb
SSDEEP

6144:UVDFV/A8nNKmbcRTUufYbE6N4tDeaBfLo1sHsl9yS/M0HixBNqrpB92bMDsA4nxX:mnND98MDe

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1408	powershell.exe
1408	powershell.exe
1408	powershell.exe
780	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 1652	1408	powershell.exe	29
PID 1408 wrote to memory of 1652	1408	powershell.exe	29
PID 1408 wrote to memory of 1652	1408	powershell.exe	29
PID 1652 wrote to memory of 760	1652	WScript.exe	30
PID 1652 wrote to memory of 760	1652	WScript.exe	30
PID 1652 wrote to memory of 760	1652	WScript.exe	30
PID 760 wrote to memory of 780	760	cmd.exe	32
PID 760 wrote to memory of 780	760	cmd.exe	32
PID 760 wrote to memory of 780	760	cmd.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume1\Users\strial_tenant\Downloads\script1.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Unlimited\ISO\Binnot.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\ProgramData\Unlimited\ISO\Binnot.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Binnot.ps1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Unlimited\ISO\Binnot.bat

Filesize
96B

MD5
f1d747a7825a5db756d428a5254d244e

SHA1
7db56fe57492bd856c787cd2a836eff4f2ce5e01

SHA256
5863b76caee43b2f1efdd2322f2e5731b1537d1deeb35e860cd75a8304fe4ddf

SHA512
4b1f63df96b8f9e2a381855974b2efab5bd48ae342b1e29a51661d0514ba6f8e62d23e3e58a9a9f978d39880ab03a9b9bf72ab52a546a965da20daa18c4d246d

Download Submit
C:\ProgramData\Unlimited\ISO\Binnot.ps1

Filesize
781B

MD5
58ef18971b1520648e0c6d67036251ff

SHA1
68bd1ee657ff233f6a1ee453914aaecdeb845284

SHA256
226b14799e579e28954937fa3ffdb7d0e5dcd10360b35c329a7246a23be4b4b3

SHA512
9b7f04aca4b3e2af5aafdc9ea30c1722722d668078bea8b0aaa2394d0cb50ac75716fb9173d4084bd5a9cfaa279bd94404b64c140532daa5b3bdd66842f332d2

Download Submit
C:\ProgramData\Unlimited\ISO\Binnot.vbs

Filesize
204B

MD5
8444901b66d6f83f3a684f1b44646868

SHA1
69c9c40aef3734959b4ce5f07005bf13c07646f9

SHA256
cfeaafc87ceec9986f37f6a42ecfa39260f98c951404df95da5e074141add5da

SHA512
7493b0d40c9c914c8968b42752b1d14d415e7bccff07f9bf2ab976d77517e12a456f142ee786527c4e536fab3e4156b21ce353f51f5925bbc405937ad7929bbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
82e15fd9b103646064e7f9312cf37164

SHA1
e09eac4c428b4885e005406770aa522f6cc00093

SHA256
d9b6a4c6bb1fe8b021fe606d974e9a1b3e428fb53c8588e527ec6fc94c1868bb

SHA512
66fefebd09139600fb781147d1e266091f158d37ca83900a0d88bb1c68bc09ee79e60f7f0b5a50580c59b18b4a172ed490b251eeb5210122e5e887166bb18b52

Download Submit
memory/780-79-0x000000001B1B0000-0x000000001B492000-memory.dmp

Filesize
2.9MB

Download
memory/780-80-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/780-83-0x000000000259B000-0x00000000025D2000-memory.dmp

Filesize
220KB

Download
memory/780-82-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/1408-69-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/1408-68-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/1408-67-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/1408-66-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/1408-58-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/1408-59-0x0000000001CF0000-0x0000000001CF8000-memory.dmp

Filesize
32KB

Download