Analysis Overview
SHA256
54599fe26158d6212c14b761be090ec3b92def9bf3a582d4499b3ad58e69e169
Threat Level: Likely benign
The file infected.7z was found to be: Likely benign.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-08 07:13
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 07:13
Reported
2024-06-08 07:15
Platform
win10v2004-20240508-en
Max time kernel
32s
Max time network
33s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\meeting invitation.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
Files
memory/4588-0-0x00007FFD3E633000-0x00007FFD3E635000-memory.dmp
memory/4588-1-0x0000026C0E270000-0x0000026C0E292000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dj0sf5w4.jfa.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4588-11-0x00007FFD3E630000-0x00007FFD3F0F1000-memory.dmp
memory/4588-12-0x00007FFD3E630000-0x00007FFD3F0F1000-memory.dmp
memory/4588-13-0x00007FFD3E630000-0x00007FFD3F0F1000-memory.dmp
memory/4588-16-0x00007FFD3E630000-0x00007FFD3F0F1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 07:13
Reported
2024-06-08 07:14
Platform
win11-20240508-en
Max time kernel
44s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\meeting invitation.ps1"
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
Network
Files
memory/4852-0-0x00007FFF96EB3000-0x00007FFF96EB5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z43fsxvc.elo.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4852-9-0x00000188B6EE0000-0x00000188B6F02000-memory.dmp
memory/4852-10-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp
memory/4852-11-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp
memory/4852-12-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp
memory/4852-15-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | cd56e155edf53e5728c46b6c9eb9c413 |
| SHA1 | 14b1b0f090803c9ee39797aed4af13dc7849566d |
| SHA256 | 70a6cf268c013fb4d907bedc12af3e5f802f179f0cc8353c7b8227dde840d31a |
| SHA512 | a4ada455d44a89fd2baa505aa9266b70913967b839522ef5da8d7afd31af6662c3ad96ac3e3531d82a72be7d019c9d88f1ce391c5b5fa0e4422a634c51491165 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 3569ff1aa5310102ef02c312ca4dbe9a |
| SHA1 | 4124b1e805d5c487bf86182d19ed22bed6cf44ac |
| SHA256 | 3ce1168408eb889f65cd4d45c12c58842a4291356c835cfb1877d017b6768a9b |
| SHA512 | c966ebf69abce51aa4fbec1e53f43485786cbeb5fb6cea18eb3407b7d4c7a212a6843b69965de9f577c483c6139840d0f7fe56d69fc8c97e6b0884b75b7aed8d |