Analysis
-
max time kernel
128s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
15/11/2023, 17:41
Static task
static1
Behavioral task
behavioral1
Sample
16112023_0141_15112023_Invoice#2356876431_8X.ps1
Resource
win7-20231023-en
General
-
Target
16112023_0141_15112023_Invoice#2356876431_8X.ps1
-
Size
424KB
-
MD5
a4f5f2b9250e61e89e53a30f976a4823
-
SHA1
8f5bcdfdc3b3b7081d03e60b8af2b377273fe2fb
-
SHA256
0979a391997dc0b6bdf23949b5f99ea2ef1cf51287c63b7332bbd498e5cf9514
-
SHA512
9955f9951e1eb74287a69bc9a2fac68ac2f3d4e96e3f12ec238090a7a7044771f20628d02d2562319e22f537e98ff7196d56d2f74c6a7af7b2276a0e23cf2e33
-
SSDEEP
3072:YLxEUM7rH9yLY9K9J7xV1G+uadUEAGnTBdjaATUfWwLC5ImBK5W9Fp81fABAUves:YLxEUM7rH9yLY9K9ZTUOwqYyfbZ
Malware Config
Signatures
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2368 powershell.exe 2556 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2368 powershell.exe Token: SeDebugPrivilege 2556 powershell.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2508 wrote to memory of 2216 2508 taskeng.exe 32 PID 2508 wrote to memory of 2216 2508 taskeng.exe 32 PID 2508 wrote to memory of 2216 2508 taskeng.exe 32 PID 2216 wrote to memory of 2496 2216 WScript.exe 33 PID 2216 wrote to memory of 2496 2216 WScript.exe 33 PID 2216 wrote to memory of 2496 2216 WScript.exe 33 PID 2496 wrote to memory of 2556 2496 cmd.exe 35 PID 2496 wrote to memory of 2556 2496 cmd.exe 35 PID 2496 wrote to memory of 2556 2496 cmd.exe 35 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\16112023_0141_15112023_Invoice#2356876431_8X.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368
-
C:\Windows\system32\taskeng.exetaskeng.exe {1C29B10E-5BA0-49AA-B990-2D5E8C044E9C} S-1-5-21-3618187007-3650799920-3290345941-1000:BPDFUYWR\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\Users\Public\Conted.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\System32\cmd.execmd /c ""C:\Users\Public\Conted.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\Conted.ps1'"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD52113bd123bfbbc45fde3ae97f7e9ff10
SHA1d9c8afa1cc5e816578d80de4a7055b3a5e3d80c3
SHA2562534810eca9d74ad279fc3735cfbefade94170f3760f8b6ede93494489082c4f
SHA51231ae9deb5b2f97169dbb95a46e550df59f2c92928f589257fed909a49b3c46ec963d5a70f5916c785e87a66c3746d1440c58c3011510dfc5c5cc02d3b4c3e8f7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6I0U377YYY9AQNUFJNY2.temp
Filesize7KB
MD50cdecc671fafd6a163b3133fc80d572a
SHA160866b8f0ac098dc47f35cc0b5a3412da2c76856
SHA256993ed93176ea7fcff8de7b6328b4b0ff6e43fd747c0fa4d9bb8423f17539137f
SHA512e15c041681ee6ad4aac4b1d79a92726b721d3122afb5ee06bce88fb8b7e91cecba1ec161b229ffa1d473fd4079d5f0fe481e6703fcbd3184ff7ad8721da5b735
-
Filesize
205B
MD5759278dd3dc3679bf7efd1ec681c0aa1
SHA172b37494696deea940ac75b4c4e06e2b6ce419ef
SHA256cba344447d8228d88c93d64ffdcda1de8562ef41adc4901191548e00bbfc5f19
SHA5128b4f63354c5aa1ec4102e7aadbb2da34b2a0ba2d3ae6b8d22a70fd75c3c3b9e70cd4ce8128bd50cb400970697c49810c4ef69f96352e36ba4f2b7a647ab8a27f
-
Filesize
422KB
MD5ba03b4e7a4ad2bd4a2f5bce388d8f489
SHA1f71681ee8115d4349084ad5c26e790a926bbea84
SHA256d6b98f02b41a30cd4578acfd549e2d6fe64036f00c1830193d342c0454068b5a
SHA5126dc307567baa0a1def8b9e480477985ccbdb7e5628c4d972a5804b282006d0717ddd728c449f8fbfcd2669a1a868c516d5924ab3a1f3d1b8e4bd1272fc04c665
-
Filesize
688B
MD5110da9d3474ba64fa1a18c173685c25d
SHA19f093829518a9268bf9807fda7bef47e7832c497
SHA256a31dbd6f7416f150403c19be69f02d5e8608f5e7fae88a29831d40db15849b60
SHA512ef5fb4415fbd12e633ad964ca132ac3be81bfacd489db788b86fc7ef245d6f51bc08faecaf24874649d0c754b1892075a28042bf8483ab85b1996a25cfa57443