a07444d7955d03e97f1643050cca78054035d2edd4a7d59e4ffb700b2be3f991

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

p.ps1
Size

3KB
MD5

de0a2d4a5b8f316d6587a30da16063e2
SHA1

2c908516a15a6ffbb6668d111465a564cf97a608
SHA256

a07444d7955d03e97f1643050cca78054035d2edd4a7d59e4ffb700b2be3f991
SHA512

065287eab4fff87a1c91152d261cd7865bae933cf1565514653c5b57b5bf5e8c8dfd78b189f0c339976ee3e90a2713f587b1d524e4d4f798057f746dc6413980

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

3 2500 powershell.exe
7 2500 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2312 powershell.exe
2500 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2312 powershell.exe
2500 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2312 powershell.exe
Token: SeDebugPrivilege 2500 powershell.exe

flow	pid	process
3	2500	powershell.exe
7	2500	powershell.exe

pid	process
2312	powershell.exe
2500	powershell.exe

pid	process
2312	powershell.exe
2500	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 2312 wrote to memory of 2500	2312	powershell.exe	powershell.exe
PID 2312 wrote to memory of 2500	2312	powershell.exe	powershell.exe
PID 2312 wrote to memory of 2500	2312	powershell.exe	powershell.exe
PID 2312 wrote to memory of 2500	2312	powershell.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\p.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CT0XRUPP30DE2DFCDUGW.temp
Filesize
7KB

MD5
926549a8beea9894b6da75f2f31573c5

SHA1
74fdcfd812eb55c1f4f048e42aa2a2865fc535ce

SHA256
ca5744a3337f884f25a8c7bf592977635e61cbab47548b18f58992765c769320

SHA512
dc9cdfbe78529465f44497bb37f5c4227cda0cf5070699bc5cf494172491718a17e549c8b0833ea3856637551319891e6ef93ef3319975108c81a6e9f1ef7c58

Download Submit
memory/2312-12-0x0000000002A20000-0x0000000002A52000-memory.dmp

Filesize
200KB

Download
memory/2312-10-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2312-7-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2312-8-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2312-13-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2312-11-0x0000000002A20000-0x0000000002A52000-memory.dmp

Filesize
200KB

Download
memory/2312-6-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/2312-4-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

Filesize
4KB

Download
memory/2312-9-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2312-5-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/2312-16-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2312-17-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

Filesize
4KB

Download
memory/2312-18-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2312-19-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2312-20-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2312-23-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download