Analysis
- Max time kernel: 122s
- Max time network: 130s
- Platform: windows7_x64
- Resource: win7-20230831-en
- Resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- Submitted: 15/10/2023, 23:27
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: script.ps1; resource: win7-20230831-en)
- Behavioral task: behavioral2 (sample: script.ps1; resource: android-x86-arm-20230831-en)
- Behavioral task: behavioral3 (sample: script.ps1; resource: android-x64-20230831-en)
- Behavioral task: behavioral4 (sample: script.ps1; resource: android-x64-arm64-20230831-en)
- Behavioral task: behavioral5 (sample: script.ps1; resource: macos-20220504-en)
General
- Target: script.ps1
- Size: 12B
- MD5: a9cc59a923a7097133d81844b71e601d
- SHA1: c37893da65e654326e29d44c51ef18949de519f6
- SHA256: 358cc93f7731e36c49f6cc396b1f12856310009ca839e79aaad4befaf162abd8
- SHA512: f4f01aea122b357c77d51db4a22d62ccf9095769ad0ea2ae5c51f39ca60562af182082d3ec0a58eb003960e00154d8492a44f890867db2578aecd7b9097885c0
Malware Config
Signatures
- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\services.msc | mmc.exe
- Modifies Internet Explorer settings (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main | mmc.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  1256 | powershell.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  2796 | mmc.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1256 | powershell.exe
  Token: 33 | 2796 | mmc.exe
  Token: SeIncBasePriorityPrivilege | 2796 | mmc.exe
  Token: 33 | 2796 | mmc.exe
  Token: SeIncBasePriorityPrivilege | 2796 | mmc.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  2796 | mmc.exe
  2796 | mmc.exe
  2796 | mmc.exe
  2796 | mmc.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1256 wrote to memory of 2796 | 1256 | powershell.exe | 29
  PID 1256 wrote to memory of 2796 | 1256 | powershell.exe | 29
  PID 1256 wrote to memory of 2796 | 1256 | powershell.exe | 29
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1256)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\mmc.exe (PID 2796, child of PID 1256)
    Command line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"
    - Drops file in System32 directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx