Overview

overview

10

Static

static

3

windows_up...le.ps1

windows7-x64

1

windows_up...le.ps1

windows10-2004-x64

10

windows_up...le.vbs

windows7-x64

8

windows_up...le.vbs

windows10-2004-x64

8

fresh.exe

windows7-x64

10

fresh.exe

windows10-2004-x64

10

windows_up...er.cmd

windows7-x64

1

windows_up...er.cmd

windows10-2004-x64

10

windows_up...er.ps1

windows7-x64

1

windows_up...er.ps1

windows10-2004-x64

10

windows_up...rs.ps1

windows7-x64

1

windows_up...rs.ps1

windows10-2004-x64

1

windows_up...ad.ps1

windows7-x64

1

windows_up...ad.ps1

windows10-2004-x64

10

windows_up...te.cmd

windows7-x64

1

windows_up...te.cmd

windows10-2004-x64

windows_up...te.vbs

windows7-x64

8

windows_up...te.vbs

windows10-2004-x64

8

windows_up...ad.cmd

windows7-x64

1

windows_up...ad.cmd

windows10-2004-x64

10

windows_up...ad.vbs

windows7-x64

8

windows_up...ad.vbs

windows10-2004-x64

8

windows_up...ws.cmd

windows7-x64

1

windows_up...ws.cmd

windows10-2004-x64

10

windows_up...ws.vbs

windows7-x64

8

windows_up...ws.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    19-04-2024 07:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    windows_update/file.ps1

  • Size

    13.0MB

  • MD5

    20788a06a96ae4d92417ace4661d559a

  • SHA1

    239d40f67c27ae2e70c698237a3b27401ef5d37a

  • SHA256

    8cc2612a8d44d4aebad26bd6ea254ad25f959497391ccfff127a56fad42eb4d5

  • SHA512

    c3bcb3bbf117a933738a85590cf98f0fbd7f995c2b5a559850f089111aac87a774c42110da4237f31bd49a9d7ae2751d77eb3f72aac130c81163c13d58383511

  • SSDEEP

    49152:QZuX/CRIRerx1exkxTf0i0vcfo/wFlAPp5Bl0jNlD33oi:

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows_update\file.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2468-4-0x000000001B670000-0x000000001B952000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2468-5-0x00000000029E0000-0x00000000029E8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2468-6-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2468-7-0x0000000002C80000-0x0000000002D00000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2468-8-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2468-9-0x0000000002C80000-0x0000000002D00000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2468-11-0x0000000002C80000-0x0000000002D00000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2468-10-0x0000000002C80000-0x0000000002D00000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2468-12-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2468-13-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2468-14-0x0000000002C80000-0x0000000002D00000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2468-15-0x0000000002C80000-0x0000000002D00000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2468-16-0x0000000002C80000-0x0000000002D00000-memory.dmp
    Filesize

    512KB

    Download