Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21-05-2024 06:36
Behavioral task: behavioral1
Sample: 0a79157ced6caf940a852fa5163f2e09.ps1
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 0a79157ced6caf940a852fa5163f2e09.ps1
Resource: win10v2004-20240426-en
General
Target: 0a79157ced6caf940a852fa5163f2e09.ps1
Size: 2KB
MD5: 0a79157ced6caf940a852fa5163f2e09
SHA1: e4e2145e4dabe073e3437425c5eafc098c9cf3fd
SHA256: 9fcf01850aba30ee520be8691bd97d9ae58b36ba689fcaace2cc218bb15f54ed
SHA512: 0494f068a268671b2c71ea7d3321e1c7715b2781fcea79d9dbbdac0b2c0817c049806c270642e99a7ba666392a22e391d48281957e5f1551fe68dc175392e65e
Malware Config
Extracted: metasploit (encoder/shikata_ga_nai)
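Added example, not part of the sandbox report and not Metasploit's code: a Python model of the XOR additive-feedback transform that encoder/shikata_ga_nai applies to a payload. It encodes one little-endian dword at a time with a rolling 32-bit key and feeds each decoded dword back into the key, mirroring the xor-then-add loop a shikata decoder stub runs, and it omits the polymorphic stub itself (FPU GetPC sequence, register selection, loop encoding). The stand-in payload and the two keys are constructed; the sample's real payload is not on this page.

```python
"""Model of the XOR additive-feedback transform behind encoder/shikata_ga_nai.

Constructed illustration, not Metasploit code: it reproduces only the dword
transform (xor with a rolling 32-bit key, then key += decoded dword) and omits
the polymorphic decoder stub, the FPU GetPC sequence and register selection.
"""
import struct

MASK = 0xFFFFFFFF


def _dwords(data: bytes):
    """Yield little-endian 32-bit words; data length must be a multiple of 4."""
    for (dw,) in struct.iter_unpack("<I", data):
        yield dw


def encode(plain: bytes, key: int) -> bytes:
    """Encode plain under key. Input is zero-padded to a dword boundary because
    the transform only operates on whole dwords."""
    key &= MASK
    padded = plain + b"\x00" * (-len(plain) % 4)
    out = bytearray()
    for dw in _dwords(padded):
        out += struct.pack("<I", dw ^ key)
        key = (key + dw) & MASK  # feedback: the plaintext dword rolls the key
    return bytes(out)


def decode(enc: bytes, key: int) -> bytes:
    """Mirror of the decoder loop: xor the dword in place, then add the now
    decoded dword to the key (xor [ptr+off], key ; add key, [ptr+off])."""
    key &= MASK
    out = bytearray()
    for dw in _dwords(enc):
        plain = dw ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & MASK
    return bytes(out)


def shared_dwords(a: bytes, b: bytes) -> int:
    """Count dword positions at which two encoded buffers are identical."""
    return sum(1 for x, y in zip(_dwords(a), _dwords(b)) if x == y)


# Constructed stand-in payload (NOP sled plus int3); not the sample's payload.
PAYLOAD = b"\x90" * 16 + b"\xcc"

if __name__ == "__main__":
    e1 = encode(PAYLOAD, 0x11223344)
    e2 = encode(PAYLOAD, 0x55667788)
    assert decode(e1, 0x11223344)[: len(PAYLOAD)] == PAYLOAD
    print("dwords identical across the two keys:", shared_dwords(e1, e2))
```

Because the key advances by the plaintext value, two encodings of the same payload under different initial keys share no dword at all, and a one-byte change in the payload alters every dword after it. That is why byte signatures on the encoded body are futile and why static rules for this encoder are written against the decoder stub instead.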
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid 2192  powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeDebugPrivilege  pid 2192  powershell.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 2192 powershell.exe wrote to memory of PID 2568 csc.exe (3 events)
  PID 2568 csc.exe wrote to memory of PID 2608 cvtres.exe (3 events)
Processes
Tree depth 1: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0a79157ced6caf940a852fa5163f2e09.ps1
  PID: 2192
  Command and Scripting Interpreter: PowerShell
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Tree depth 2: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\trxma8u1.cmdline"
    PID: 2568
    Suspicious use of WriteProcessMemory
    Tree depth 3: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D58.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2D57.tmp"
      PID: 2608
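The tree above (powershell.exe run with -ExecutionPolicy bypass -File on a script under %TEMP%, spawning csc.exe with a .cmdline response file under %TEMP%, which in turn spawns cvtres.exe) is the footprint a PowerShell script leaves when it compiles inline C# through Add-Type; the report does not say what the compiled code does, and that part is an inference from the process chain, not something the page states. Added detection example, not code from the report or the sandbox: Python that walks constructed process-creation events modeled on the tree above, plus one constructed benign csc.exe build for contrast, and returns each powershell -> csc.exe -> cvtres.exe chain together with the reasons that fired. The event schema, pid 1000 as the parent of powershell.exe, and the benign dotnet.exe events are assumptions for the example.

```python
"""Flag the powershell.exe -> csc.exe -> cvtres.exe chain from the report.

Constructed example: the process-creation events below are modeled on the
report's process tree (pids 2192, 2568, 2608) with a constructed benign
csc.exe invocation added for contrast. Not code from the sandbox or report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events; the first three mirror the report's tree
# (the parent pid 1000 of powershell.exe is assumed, the report omits it).
EVENTS = [
    ProcEvent(2192, 1000,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy bypass -File "
              r"C:\Users\Admin\AppData\Local\Temp\0a79157ced6caf940a852fa5163f2e09.ps1"),
    ProcEvent(2568, 2192,
              r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths '
              r'@"C:\Users\Admin\AppData\Local\Temp\trxma8u1.cmdline"'),
    ProcEvent(2608, 2568,
              r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe",
              r'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY '
              r'/MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D58.tmp" '
              r'"c:\Users\Admin\AppData\Local\Temp\CSC2D57.tmp"'),
    # Constructed benign contrast: a build invoking csc.exe with a response
    # file under the project tree, not under %TEMP%, and no PowerShell parent.
    ProcEvent(4000, 1000, r"C:\Program Files\dotnet\dotnet.exe", "dotnet.exe build"),
    ProcEvent(4001, 4000,
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'csc.exe /noconfig @"C:\src\app\obj\Debug\app.csproj.cmdline"'),
]

# PowerShell launched with its script execution policy disabled on the command line.
EP_BYPASS = re.compile(r"-(?:ExecutionPolicy|ep)\s+(?:bypass|unrestricted)", re.I)
# -File pointing at a script under the user's %TEMP%.
TEMP_SCRIPT = re.compile(r'-File\s+"?[^"\s]*\\AppData\\Local\\Temp\\[^"\s]+\.ps1', re.I)
# csc.exe reading a response file under %TEMP%, which is what Add-Type produces.
TEMP_CMDLINE = re.compile(r'@"?[^"\s]*\\AppData\\Local\\Temp\\[^"\s]+\.cmdline', re.I)


def image_name(path: str) -> str:
    """Lower-cased file name of an image path (handles either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def children(events, ppid):
    return [e for e in events if e.ppid == ppid]


def find_inline_compile_chains(events):
    """Return one record per powershell -> csc.exe chain whose csc.exe response
    file lives under %TEMP%, with the reasons that fired and any cvtres.exe
    grandchildren. A csc.exe with no PowerShell parent, or with its response
    file elsewhere, yields nothing."""
    hits = []
    for ps in events:
        if image_name(ps.image) != "powershell.exe":
            continue
        base_reasons = []
        if EP_BYPASS.search(ps.cmdline):
            base_reasons.append("execution policy bypassed on the command line")
        if TEMP_SCRIPT.search(ps.cmdline):
            base_reasons.append("script executed from %TEMP%")
        for csc in children(events, ps.pid):
            if image_name(csc.image) != "csc.exe" or not TEMP_CMDLINE.search(csc.cmdline):
                continue
            cvtres = [c.pid for c in children(events, csc.pid)
                      if image_name(c.image) == "cvtres.exe"]
            hits.append({
                "powershell_pid": ps.pid,
                "csc_pid": csc.pid,
                "cvtres_pids": cvtres,
                "reasons": base_reasons
                + ["csc.exe compiling a %TEMP% response file (Add-Type footprint)"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_inline_compile_chains(EVENTS):
        print(hit)
```

The csc.exe child is the strongest single indicator here: legitimate builds do run csc.exe, but not as a child of powershell.exe with a response file in the user's temp directory, so the rule keys on that pair and treats the execution-policy bypass and the %TEMP% script path as supporting reasons rather than requirements.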
Network
MITRE ATT&CK Enterprise v15
Downloads
Download 1
Filesize: 1KB
MD5: c6a4d56655e6ee2a8bb84d517c9d08c4
SHA1: 52356ffc9b06adad92f9c4d64ae3c81acfb5dfb3
SHA256: 376fa54886c8c85a39c7f41260333ae5887eeaa9852703d1664291b79bee8b0a
SHA512: 936be776caf8c256160a70fb463196001287c38cea1d138c424ac89d82e59e39862a17fbb4694bd14b8f5bc4c17206a8148b27dc428309d73ea4cae2b9e98275
Download 2
Filesize: 3KB
MD5: 059c7f71710970fe973286761e0f5177
SHA1: f5733e74f4a7245f1bf7de66e5f1f5fc4d7ba028
SHA256: da52c8f79f3314d5c067393c1acbcf6103882ec8e52630751d8abfeb87b3c5e8
SHA512: 521218f77f63ee4f4ef1c5e60c528be71b1ef3703df5658ce6b6cc38334e9683fcd50b701555582e79b4aa29a2555fa99a3cc6ee391f4033cb05e2cbe9535cc0
Download 3
Filesize: 7KB
MD5: e8060745cfe4255919e1ec78a9d64310
SHA1: c05749a44a70b27cfab485b7e16dcb00172e644e
SHA256: 03496ca7dbabe350fd76b93ca1dc2f63879bee92e70e8d02f62c9b9da0a13ebf
SHA512: fa66d60cc57d65fd55d840709b581e35af2e8ded8c55f484c08c7e6e3e17bc5ddeec3288722c82f1e6b18e8bdf10fd1fd73aa7efc05235c0203d52aaf708d2eb
Download 4
Filesize: 652B
MD5: 81e49f8086bbf7c29eb0939dc7826ed5
SHA1: b6b443d5f24a9c81d74365482fade42cd0ea2295
SHA256: d5f388b74135e0304f87280fde7f934be4ac2040377ad875a77c2e602a8f7ace
SHA512: 178a0e54085a9dc03a5efe5edcb753fc43b832d59658283e2c0dbe5c709fe7631f4523b0d27cb601cef5cf63433722f38d33af641c1366f3cf9f3d407ca273ea
Download 5
Filesize: 557B
MD5: 7319070c34daa5f6f2ece2dfc07119ee
SHA1: f26a4a48518a5608e93c8b77368f588b0433973c
SHA256: b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc
SHA512: 34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd
Download 6
Filesize: 309B
MD5: 8d29e9f2e8442dcecb7a65da3bf5c405
SHA1: 5c979038a76dbdb0db968ea8c5591a8f04daa93b
SHA256: 9bc6239349374e6c346b752cffbffdb3c8815cceed4bf692051aeba4e6f6ded9
SHA512: e0ee8545c33058ab2ec9fed7a4b351bb36bb3a750b499ec65dff658250c414f76dddbdfe6470c2717e2e756ae7e206329d75f14dd5bfdb1e215453b548267b79