Overview

overview

7

Static

static

1

mal.ps1

windows10-1703-x64

7

Resubmissions

12/07/2023, 12:19

230712-phd1rsdb37 7

Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    12/07/2023, 12:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    mal.ps1

  • Size

    4KB

  • MD5

    983aeecbcdfd6cfc996979f4dc3c4c7b

  • SHA1

    b53fc7f273556a287ff54bc734e6978cd768a551

  • SHA256

    7a18ebff58717a59be8d1ee2b7c93836a7de1b0b384869595cf18a4a1aad4d65

  • SHA512

    ec61890b50771af192ab8557f0976d3c2579fc2e4903846dc11e8d65eb7be85dc1a40980aade1ee7359adc010f45e3f0cb64c07617cc88f6a048d0682337467a

  • SSDEEP

    96:Ao+xTiK7FdNU+/HdiPL5in5QfwaFjKuXTlzNihz+qXfSimPAPAIM:AnxTzVUSHdiPL5aa9RzNNc2

Score
7/10

Malware Config

Signatures

  • Checks QEMU agent file 2 TTPs 1 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\mal.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\mal.ps1"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3700
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\mal.ps1
        3⤵
        • Checks QEMU agent file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3436

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_galrg23l.d1k.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • memory/3436-279-0x0000000006AE0000-0x0000000006AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3436-270-0x0000000009520000-0x0000000009532000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3436-345-0x0000000009510000-0x0000000009511000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3436-343-0x0000000006AE0000-0x0000000006AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3436-283-0x000000000A470000-0x000000000CA88000-memory.dmp

    Filesize

    38.1MB

    Download

  • memory/3436-281-0x0000000006AE0000-0x0000000006AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3436-280-0x0000000006AE0000-0x0000000006AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3436-190-0x00000000098F0000-0x0000000009F68000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3436-477-0x0000000006AE0000-0x0000000006AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3436-241-0x0000000009320000-0x0000000009340000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3436-275-0x0000000006AE0000-0x0000000006AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3436-198-0x0000000009F70000-0x000000000A46E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3436-197-0x0000000009130000-0x0000000009152000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3436-196-0x0000000009270000-0x0000000009304000-memory.dmp

    Filesize

    592KB

    Download

  • memory/3436-191-0x0000000008E70000-0x0000000008E8A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3436-174-0x0000000006AE0000-0x0000000006AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3436-175-0x0000000006AE0000-0x0000000006AF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3700-155-0x0000000007200000-0x0000000007222000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3700-152-0x0000000006AF0000-0x0000000006B26000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3700-160-0x00000000084E0000-0x000000000852B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3700-159-0x0000000007EC0000-0x0000000007EDC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3700-158-0x0000000007B70000-0x0000000007EC0000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3700-157-0x0000000007920000-0x0000000007986000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3700-156-0x0000000007B00000-0x0000000007B66000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3700-161-0x0000000008130000-0x00000000081A6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3700-153-0x0000000006CB0000-0x0000000006CC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3700-154-0x00000000072F0000-0x0000000007918000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4364-278-0x000001BA7E6F0000-0x000001BA7E700000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4364-277-0x000001BA7E6F0000-0x000001BA7E700000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4364-276-0x000001BA7E6F0000-0x000001BA7E700000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4364-125-0x000001BA7E700000-0x000001BA7E722000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4364-143-0x000001BA7E6F0000-0x000001BA7E700000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4364-145-0x000001BA7E6F0000-0x000001BA7E700000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4364-144-0x000001BA7E6F0000-0x000001BA7E700000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4364-128-0x000001BA7E8B0000-0x000001BA7E926000-memory.dmp

    Filesize

    472KB

    Download