Overview

overview

10

Static

static

3

Commande N...on.exe

windows7-x64

10

Commande N...on.exe

windows10-2004-x64

3

unvolubly/...ng.ps1

windows7-x64

8

unvolubly/...ng.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    133s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-04-2024 05:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    unvolubly/Langtrkkendes/Pelletising.ps1

  • Size

    56KB

  • MD5

    19779840eecfc141420a08cb9a741962

  • SHA1

    0f0a168bc292914da146f667557ff5f07b0f5ae5

  • SHA256

    de1fc8dc64b49c5ae8c2c9c45e7dd4d2aa154f845e99a8e8fa08b5abf23d38a7

  • SHA512

    d3be08e433f93bafc5d53ea6e91c53e01d755bf1c61e4006aa184da35644b343bd72d0ddbee9820db107c2df212dc4a51a4e06ebf3cf6c1e45ed250f2b383723

  • SSDEEP

    1536:M2JnexhWTLwrzAPNCVjXRFnhoMMesE5FxGFlAqfq+7:MGghWPwrMeh9b2ELxGFl77

Score
8/10
persistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\unvolubly\Langtrkkendes\Pelletising.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
      2⤵
        PID:2488
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "1968" "1092"
        2⤵
          PID:2500
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2408

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259399955.txt
        Filesize

        1KB

        MD5

        4e264847a038187c204b957769e8f556

        SHA1

        89b5eacceb276a3b4df2eb3d34858abdc4a0425e

        SHA256

        ba1c57342270fde8e8fc418de88921a5943b505461aa88f13bda7e169bae6175

        SHA512

        5ffb1d912def17c31f7a6108a55a94a6e11685711905a3807c208a23975c114d63b1bc6edf5850e337a469de65a4cd94e6b2a7ecd38b88aaaf4158679e322af8

        Download Submit

      • memory/1968-5-0x0000000001E80000-0x0000000001E88000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1968-14-0x000000001BC10000-0x000000001BC14000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1968-4-0x000000001B510000-0x000000001B7F2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1968-8-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1968-9-0x00000000029C0000-0x0000000002A40000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1968-10-0x00000000029C0000-0x0000000002A40000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1968-12-0x00000000029C0000-0x0000000002A40000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1968-6-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1968-7-0x00000000029C0000-0x0000000002A40000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1968-16-0x00000000029C0000-0x0000000002A40000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1968-17-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2408-18-0x00000000042F0000-0x00000000042F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2408-19-0x00000000042F0000-0x00000000042F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2408-23-0x00000000029C0000-0x00000000029D0000-memory.dmp

        Filesize

        64KB

        Download