Analysis
- max time kernel: 119s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 20-05-2024 11:40
Behavioral task behavioral1
- Sample: p.ps1
- Resource: win7-20240221-en

Behavioral task behavioral2
- Sample: p.ps1
- Resource: win10v2004-20240426-en
General
- Target: p.ps1
- Size: 3KB
- MD5: de0a2d4a5b8f316d6587a30da16063e2
- SHA1: 2c908516a15a6ffbb6668d111465a564cf97a608
- SHA256: a07444d7955d03e97f1643050cca78054035d2edd4a7d59e4ffb700b2be3f991
- SHA512: 065287eab4fff87a1c91152d261cd7865bae933cf1565514653c5b57b5bf5e8c8dfd78b189f0c339976ee3e90a2713f587b1d524e4d4f798057f746dc6413980
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow  pid   process
    3     2500  powershell.exe
    7     2500  powershell.exe
- Command and Scripting Interpreter: PowerShell
  Processes:
    pid   process
    2312  powershell.exe
    2500  powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    2312  powershell.exe
    2500  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2312  powershell.exe
    Token: SeDebugPrivilege  2500  powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                       pid   process         target process
    PID 2312 wrote to memory of 2500  2312  powershell.exe  powershell.exe
    PID 2312 wrote to memory of 2500  2312  powershell.exe  powershell.exe
    PID 2312 wrote to memory of 2500  2312  powershell.exe  powershell.exe
    PID 2312 wrote to memory of 2500  2312  powershell.exe  powershell.exe
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\p.ps1
  Signatures:
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe (child of the process above)
    Command line: "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    Signatures:
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CT0XRUPP30DE2DFCDUGW.temp
  Filesize: 7KB
  MD5: 926549a8beea9894b6da75f2f31573c5
  SHA1: 74fdcfd812eb55c1f4f048e42aa2a2865fc535ce
  SHA256: ca5744a3337f884f25a8c7bf592977635e61cbab47548b18f58992765c769320
  SHA512: dc9cdfbe78529465f44497bb37f5c4227cda0cf5070699bc5cf494172491718a17e549c8b0833ea3856637551319891e6ef93ef3319975108c81a6e9f1ef7c58
- memory/2312-12-0x0000000002A20000-0x0000000002A52000-memory.dmp: 200KB
- memory/2312-10-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp: 9.6MB
- memory/2312-7-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp: 9.6MB
- memory/2312-8-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp: 9.6MB
- memory/2312-13-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp: 9.6MB
- memory/2312-11-0x0000000002A20000-0x0000000002A52000-memory.dmp: 200KB
- memory/2312-6-0x0000000002590000-0x0000000002598000-memory.dmp: 32KB
- memory/2312-4-0x000007FEF628E000-0x000007FEF628F000-memory.dmp: 4KB
- memory/2312-9-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp: 9.6MB
- memory/2312-5-0x000000001B300000-0x000000001B5E2000-memory.dmp: 2.9MB
- memory/2312-16-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp: 9.6MB
- memory/2312-17-0x000007FEF628E000-0x000007FEF628F000-memory.dmp: 4KB
- memory/2312-18-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp: 9.6MB
- memory/2312-19-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp: 9.6MB
- memory/2312-20-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp: 9.6MB
- memory/2312-23-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp: 9.6MB