Analysis
- max time kernel: 136s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 16/11/2023, 02:01
- Static task: static1
- Behavioral task: behavioral1
- Sample: 16112023_1001_T2.jpg.ps1
- Resource: win7-20231020-en
General
- Target: 16112023_1001_T2.jpg.ps1
- Size: 327KB
- MD5: 36d751d4b6588d6915fe1e79fd99eb51
- SHA1: e601561d27298ee6431b620d693dcc78c7034aa1
- SHA256: 47f11e01187fdda999732db919d3cb2b37a114411328f6544871234456f8966b
- SHA512: 5c0de7d5d168a0e7ce98f14c8bba9bb0e2549d8635d17d8221ac64e5bbcb7b27f001e1e4dc14d53ac199a00c181a3a655224f5fb0a793e5f1292528b8eb3eeff
- SSDEEP: 3072:Pi/NYZjEZCRta6vQN62i5d7jDUisDCyXMhnau+dKEQNhXigT5ncPkGByPpwRNXTQ:gyv
Malware Config
Signatures
- Drops file in System32 directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
  Process: powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2192, Process powershell.exe
  pid 2640, Process powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege, pid 2192, Process powershell.exe
  description: Token: SeDebugPrivilege, pid 2640, Process powershell.exe
- Suspicious use of WriteProcessMemory (9 IoCs; each of the three entries below is reported three times)
  description: PID 2624 wrote to memory of 2772, pid 2624, Process taskeng.exe, procid_target 32
  description: PID 2772 wrote to memory of 2672, pid 2772, Process WScript.exe, procid_target 33
  description: PID 2672 wrote to memory of 2640, pid 2672, Process cmd.exe, procid_target 35
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2192, depth 1)
  command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\16112023_1001_T2.jpg.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskeng.exe (PID 2624, depth 1)
  command line: taskeng.exe {A751D231-E90E-4A17-A5BE-76F0ACF34ABF} S-1-5-21-1154728922-3261336865-3456416385-1000:TLIDUQCQ\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID 2772, depth 2)
    command line: C:\Windows\System32\WScript.exe "C:\Users\Public\libraries.vbs"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (PID 2672, depth 3)
      command line: cmd /c ""C:\Users\Public\libraries.bat" "
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2640, depth 4)
        command line: powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\libraries.ps1'"
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\538XWOMD7KIJ1VI0HY80.temp
  Filesize: 7KB
  MD5: 0c7b7f86b4a2885f7019bcf1ee207c46
  SHA1: 9edf52d329c3a674ae4d7062ad4d7c428d3a94b5
  SHA256: bb27416b6175d11959e25675c7aebb0080c11b4b7f253bf926be3b93b7ce2cb5
  SHA512: 69e2c26708c63780e593e5158f49b03fccd9ba5950147677e3db9c2c755c14505e29b8507bec6f53b567046aad02f90ebe3f65570e30e25c5794bfe90f5b2cd4
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: aca36eac26e2ccc8cb48d3b3869beaba
  SHA1: 9b0df50cd9b6eaa4bd244a5735097c627a95fda2
  SHA256: 773aa3c44c6c70859f219338fc6047362551f312bf0e86b11af58229cab3f544
  SHA512: 2c32408a78478beb485378b4b2e276bd296ab4d017c4dbdd81891b71c81ac99b2caf89bb9d48973c8786d7c16e0c43ee95ab661a3240f31d83e43491d97727c4
- Filesize: 210B
  MD5: 440e905a6fcf6bcc0ffe763896e21044
  SHA1: 89bf89ca871095dd7431147a4e0c993bfdba897e
  SHA256: aae3e34c1f6bf5eaf7c91afec528d24ac1b10272705be506653b29df17d6e834
  SHA512: f324dbff528e9579f81af84c09ab45ef87cd8e516cb22a5f99e432d4d1ca528f3e5d8f7a1f479076a89c18cd44bbaa10df4f6a1fcdc3fe8937febadb892d89fd
- Filesize: 326KB
  MD5: d253b8760d01942b6f0cf89884d8ce6f
  SHA1: f5c10af0337c62aaf7403fb88cfe5671ef317d56
  SHA256: 1c2e5ff87905fd9a30d3498c37374bcb9944caaf229dd8d9d85ffa25d3ab3ae4
  SHA512: 77049aaa93bcba3a101b0f93571b3b633c2b98876655e63ba427219eb20fe7256f500edad9b840494ccddb5ca55f9baa8eec36020f099887fec86e4feadb8782
- Filesize: 691B
  MD5: 882c260115cfacc236251d065cc23c4c
  SHA1: cee58dd936e493370224db57ca49c4d6c0cbfeff
  SHA256: 1d1595fdd363891dd2d9d081059b2dcbca1edc72c80b6c637436a9090ba2564a
  SHA512: d1279bcc0150ba96164445a98fdb5ff5ef6cde81460af71612ee0f0a7ac8155f9d3a73aa26ccb53a9da6493e078aef42e20ca26011f0f5aa855f5ced61236641