9fb547fac2c1d73cce68ad7f184b084dda5e3352b3bcb556e7d0a1868c06125d

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07/08/2023, 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

short.ps1
Size

1KB
MD5

4d05108541bedc5f7a9f609f9061ce9d
SHA1

3cb702c417563ab13c6776f1633af1b96b299db4
SHA256

9fb547fac2c1d73cce68ad7f184b084dda5e3352b3bcb556e7d0a1868c06125d
SHA512

a6425ad446014a9af20ba953241e0381b7b539dfd18dd4a176a5d799296db3581c5b8387e29fdc76a54d5b7b5dabdde80967501765125d815e9ab4e6b74ad55e

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2080	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.bat	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2416	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2080	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeShutdownPrivilege	520	shutdown.exe
Token: SeRemoteShutdownPrivilege	520	shutdown.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2416	WINWORD.EXE
2416	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2416	2080	powershell.exe	31
PID 2080 wrote to memory of 2416	2080	powershell.exe	31
PID 2080 wrote to memory of 2416	2080	powershell.exe	31
PID 2080 wrote to memory of 2416	2080	powershell.exe	31
PID 2080 wrote to memory of 520	2080	powershell.exe	32
PID 2080 wrote to memory of 520	2080	powershell.exe	32
PID 2080 wrote to memory of 520	2080	powershell.exe	32
PID 2416 wrote to memory of 2944	2416	WINWORD.EXE	34
PID 2416 wrote to memory of 2944	2416	WINWORD.EXE	34
PID 2416 wrote to memory of 2944	2416	WINWORD.EXE	34
PID 2416 wrote to memory of 2944	2416	WINWORD.EXE	34

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\short.ps1
1⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\paypal.rtf"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2944
- C:\Windows\system32\shutdown.exe
  "C:\Windows\system32\shutdown.exe" /r /f /t 900
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
c8a7efb42db7364f3625a053e141b1fd

SHA1
7ea3a9898aca76f9439af28eb2143ca4c220fc0c

SHA256
2019fe019fbdf2a859d8a180f796346623e1ab9bc413257c63bdcefe49521406

SHA512
8497f02a11b4b2f66c7eaea7fa8e020e6756b8c64f86e705facffe4cc68eb5afe06b7e2408e258cbf1ede588f8abb18edaf95fb18b4ee2d3d182568f87bd245f

Download Submit
C:\Users\Admin\paypal.rtf

Filesize
10KB

MD5
36d201da06db690c243a38fc791fc90c

SHA1
2c0637516ee2ab45ed7404b5c91ec054c6efd281

SHA256
03f9d6e19ea827c4cc317e06ffe15c5bdb49d930cac1c175cbfa38d7d104565f

SHA512
78287219cf00762c104ff05560ea0081ae67626de47af2a433ec82bdbc9e758238074c9a08578cace9429a17ed15ec296051a656cb46dee111de12048b5e5a67

Download Submit
memory/2080-63-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-71-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-62-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2080-58-0x000000001B410000-0x000000001B6F2000-memory.dmp

Filesize
2.9MB

Download
memory/2080-64-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2080-65-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-66-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2080-67-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2080-68-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2080-61-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2080-59-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2080-60-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2416-74-0x0000000071A6D000-0x0000000071A78000-memory.dmp

Filesize
44KB

Download
memory/2416-73-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2416-93-0x0000000071A6D000-0x0000000071A78000-memory.dmp

Filesize
44KB

Download
memory/2416-72-0x000000002FD40000-0x000000002FE9D000-memory.dmp

Filesize
1.4MB

Download
memory/2416-113-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2416-114-0x0000000071A6D000-0x0000000071A78000-memory.dmp

Filesize
44KB

Download