969d916fceda1849b5f31b4acae5b36fa2607607b711442e26b0b8460fa014c9

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

target.ps1
Size

147B
MD5

41af4ecabc203fecdf91680ad38c9d40
SHA1

cdc119a300de90c2284080cdae78ebd3ec915793
SHA256

969d916fceda1849b5f31b4acae5b36fa2607607b711442e26b0b8460fa014c9
SHA512

9f4fa2898c4e27b0b56b750fb12a413e7d3cfadb0e77c6d1038017f2561410d52fef943440b8a22e92eedc4264c14b10264eaf8a429d0b8cf507193a3f7ade13

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2300	powershell.exe
1648	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 1648	2300	powershell.exe	29
PID 2300 wrote to memory of 1648	2300	powershell.exe	29
PID 2300 wrote to memory of 1648	2300	powershell.exe	29

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\target.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command = New-Object System.Net.WebClient
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B2W23WPAG6FBRR9S8YQW.temp

Filesize
7KB

MD5
a5db8f174d0286d3fd6bea30ae2f64e4

SHA1
f11e6e689c12b974562a9f0ba7f1dfea1850e599

SHA256
df66541acce4aed99e68acd76bfba6ea55a200a87c922b65929cee95209e3ada

SHA512
c20293bfb09c144f940e8ccccfc9ec713dfbded2354db3e84d49a806020c3e10795f4e97e0037035043ac9939e74c405f179804ab03b526764205190dfe65a48

Download Submit
memory/1648-18-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/1648-22-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/1648-19-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/1648-17-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/1648-21-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/1648-20-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/2300-7-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2300-4-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download
memory/2300-6-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-23-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-11-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2300-10-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2300-9-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2300-8-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

Filesize
9.6MB

Download
memory/2300-5-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download