Analysis
- max time kernel: 120s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 21-05-2024 20:41
Behavioral task: behavioral1
- Sample: 0a79157ced6caf940a852fa5163f2e09.ps1
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 0a79157ced6caf940a852fa5163f2e09.ps1
- Resource: win10v2004-20240426-en
General
- Target: 0a79157ced6caf940a852fa5163f2e09.ps1
- Size: 2KB
- MD5: 0a79157ced6caf940a852fa5163f2e09
- SHA1: e4e2145e4dabe073e3437425c5eafc098c9cf3fd
- SHA256: 9fcf01850aba30ee520be8691bd97d9ae58b36ba689fcaace2cc218bb15f54ed
- SHA512: 0494f068a268671b2c71ea7d3321e1c7715b2781fcea79d9dbbdac0b2c0817c049806c270642e99a7ba666392a22e391d48281957e5f1551fe68dc175392e65e
Malware Config
Extracted
- metasploit
- encoder/shikata_ga_nai
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid 1704  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    pid 1704  powershell.exe  Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
    PID 1704 wrote to memory of 2692  1704  powershell.exe  csc.exe
    PID 1704 wrote to memory of 2692  1704  powershell.exe  csc.exe
    PID 1704 wrote to memory of 2692  1704  powershell.exe  csc.exe
    PID 2692 wrote to memory of 2852  2692  csc.exe  cvtres.exe
    PID 2692 wrote to memory of 2852  2692  csc.exe  cvtres.exe
    PID 2692 wrote to memory of 2852  2692  csc.exe  cvtres.exe
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 1)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0a79157ced6caf940a852fa5163f2e09.ps1
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i0gkdfyb.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90DB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC90DA.tmp"
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads