760b99362ec0a00b18dcd298c8a684b156f5af180b606a8d5c660a05d2d0b645

General

Target

test.ps1
Size

1KB
MD5

09e2c59da57ed984a09ff11dc442b029
SHA1

49b85d8cfe08b4d7cc7e077125339fc599191ae7
SHA256

760b99362ec0a00b18dcd298c8a684b156f5af180b606a8d5c660a05d2d0b645
SHA512

578d59b5f3d09de043200eed4186f360aa0cca4cca902ff5efb32f7e7ef250ea091c395d995d910ad1245158eaf52d163e0ea713d4830f4142ccca4670d4d0fb

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
372	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4928	WINWORD.EXE
4928	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
372	powershell.exe
372	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	372	powershell.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4928	WINWORD.EXE
4928	WINWORD.EXE
4928	WINWORD.EXE
4928	WINWORD.EXE
4928	WINWORD.EXE
4928	WINWORD.EXE
4928	WINWORD.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\test.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1512

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oyjztzg1.pek.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
202B

MD5
add56ec49f8f478e84a934606effef1c

SHA1
1262ae87ef755e40752740df90d21352d5fc81ec

SHA256
22e509cf2b7202fc6b04c3d9a1b137477f11471d58a48c1f9514f89450217327

SHA512
c095f193d221696f3b087c3f224a559ad0efe4852a5392c8a3ab03f80183beec2a8327892aa481c85f1bf8165b76a029555f250e0dd5f396c823feacff4c06f1

Download Submit
memory/372-0-0x00007FFFD8E43000-0x00007FFFD8E45000-memory.dmp

Filesize
8KB

Download
memory/372-10-0x00000201A5F40000-0x00000201A5F62000-memory.dmp

Filesize
136KB

Download
memory/372-11-0x00007FFFD8E40000-0x00007FFFD9901000-memory.dmp

Filesize
10.8MB

Download
memory/372-12-0x00007FFFD8E40000-0x00007FFFD9901000-memory.dmp

Filesize
10.8MB

Download
memory/372-15-0x00007FFFD8E40000-0x00007FFFD9901000-memory.dmp

Filesize
10.8MB

Download
memory/4928-24-0x00007FFFF6D30000-0x00007FFFF6F25000-memory.dmp

Filesize
2.0MB

Download
memory/4928-25-0x00007FFFF6D30000-0x00007FFFF6F25000-memory.dmp

Filesize
2.0MB

Download
memory/4928-20-0x00007FFFB6DB0000-0x00007FFFB6DC0000-memory.dmp

Filesize
64KB

Download
memory/4928-19-0x00007FFFB6DB0000-0x00007FFFB6DC0000-memory.dmp

Filesize
64KB

Download
memory/4928-22-0x00007FFFF6D30000-0x00007FFFF6F25000-memory.dmp

Filesize
2.0MB

Download
memory/4928-21-0x00007FFFF6DCD000-0x00007FFFF6DCE000-memory.dmp

Filesize
4KB

Download
memory/4928-23-0x00007FFFF6D30000-0x00007FFFF6F25000-memory.dmp

Filesize
2.0MB

Download
memory/4928-18-0x00007FFFB6DB0000-0x00007FFFB6DC0000-memory.dmp

Filesize
64KB

Download
memory/4928-28-0x00007FFFF6D30000-0x00007FFFF6F25000-memory.dmp

Filesize
2.0MB

Download
memory/4928-27-0x00007FFFF6D30000-0x00007FFFF6F25000-memory.dmp

Filesize
2.0MB

Download
memory/4928-26-0x00007FFFF6D30000-0x00007FFFF6F25000-memory.dmp

Filesize
2.0MB

Download
memory/4928-17-0x00007FFFB6DB0000-0x00007FFFB6DC0000-memory.dmp

Filesize
64KB

Download
memory/4928-29-0x00007FFFB4CC0000-0x00007FFFB4CD0000-memory.dmp

Filesize
64KB

Download
memory/4928-30-0x00007FFFF6D30000-0x00007FFFF6F25000-memory.dmp

Filesize
2.0MB

Download
memory/4928-31-0x00007FFFF6D30000-0x00007FFFF6F25000-memory.dmp

Filesize
2.0MB

Download
memory/4928-32-0x00007FFFB4CC0000-0x00007FFFB4CD0000-memory.dmp

Filesize
64KB

Download
memory/4928-33-0x00007FFFF6D30000-0x00007FFFF6F25000-memory.dmp

Filesize
2.0MB

Download
memory/4928-16-0x00007FFFB6DB0000-0x00007FFFB6DC0000-memory.dmp

Filesize
64KB

Download
memory/4928-75-0x00007FFFB6DB0000-0x00007FFFB6DC0000-memory.dmp

Filesize
64KB

Download
memory/4928-74-0x00007FFFB6DB0000-0x00007FFFB6DC0000-memory.dmp

Filesize
64KB

Download
memory/4928-76-0x00007FFFB6DB0000-0x00007FFFB6DC0000-memory.dmp

Filesize
64KB

Download
memory/4928-77-0x00007FFFB6DB0000-0x00007FFFB6DC0000-memory.dmp

Filesize
64KB

Download
memory/4928-78-0x00007FFFF6D30000-0x00007FFFF6F25000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads