8008c585f318087f216d9d635b4073e162c2176c1ca174cac7a5e6d59bdbdafa

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file01.ps1
Size

400B
MD5

13a74bcb50f0f5bbc6b4e744530d99d0
SHA1

2132e6c9e95ac82e4d5f2c4fb837e2768da41385
SHA256

8008c585f318087f216d9d635b4073e162c2176c1ca174cac7a5e6d59bdbdafa
SHA512

c6e0182536fef3b84ff3f94aede77dfddd66a0f4da71b0e47a05abcc7663898282619ff9fd997b6cb44385a4f56fff3f3b5d467dce89eaf7360638d31c805c51

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1916	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1916	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1916	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2696	1916	powershell.exe	29
PID 1916 wrote to memory of 2696	1916	powershell.exe	29
PID 1916 wrote to memory of 2696	1916	powershell.exe	29

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file01.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\miwq1ayr.cmdline"
  2⤵
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\Users\Admin\AppData\Local\Temp\miwq1ayr.0.cs

Filesize
186B

MD5
f46be35fe83f82c629d5e6753eb00266

SHA1
e91ce0521b0b107aceec1baaf062cd8ef023de81

SHA256
9680e34de338762327b966cf8b12cc97336324c3a30101e9c87822abb5eac691

SHA512
8424c967957f8b747dd408997038bd3f7ef2160308d229efe16113c2492cd0c15fb328ac9c7a8e0cf6d72672c0458a4cac7e6aef2c64298f4acf4ff93b8ecf9f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\miwq1ayr.cmdline

Filesize
309B

MD5
b82bfce616aceab10b5c71caa57ae4c0

SHA1
8737632510c818d75c141dbc4ad7b497ff390167

SHA256
2ef18acf87b38e3ba2b54a2b09ff57febf48a8ea626bcea97a785a78ad5c05f6

SHA512
496a73bc738bc2eb87522da016f0dce24d276f194f7eb27ed6c1f9f06bed7fc7ac1ca77f601fa616ebf509c685c215885973bdf6e819e72015ed03d89e9a125f

Download Submit
memory/1916-4-0x000007FEF5F9E000-0x000007FEF5F9F000-memory.dmp

Filesize
4KB

Download
memory/1916-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/1916-6-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1916-7-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/1916-8-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/1916-9-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/1916-14-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download
memory/1916-18-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp

Filesize
9.6MB

Download