Overview

overview

10

Static

static

10

c714df0154...a6.ps1

windows10-1703-x64

5

c714df0154...a6.ps1

windows7-x64

5

c714df0154...a6.ps1

windows10-2004-x64

5

c714df0154...a6.ps1

windows11-21h2-x64

5

Resubmissions

08-06-2024 10:45

240608-mtjpaabg98 10

01-06-2024 18:22

240601-w1dlaabf49 10

Analysis

  • max time kernel
    193s
  • max time network
    285s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    08-06-2024 10:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c714df0154f2b6fc8a82aa35281836c664bd3fbf4be3efc7e8b5b94ac87fc0a6.ps1

  • Size

    1KB

  • MD5

    b5b20e03ae941e9f21c444bd50225c41

  • SHA1

    b27d291596cc890d283e0d3a3e08907c47e3d1cc

  • SHA256

    c714df0154f2b6fc8a82aa35281836c664bd3fbf4be3efc7e8b5b94ac87fc0a6

  • SHA512

    d3c1c01667de2f56f3017ce4d57c3cadd3a32c4df2c38da4565668840d59f7f42a3a0446893493bf4ba2013ef16f3c7901811677de2688951977e5518d02fa93

Score
5/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\c714df0154f2b6fc8a82aa35281836c664bd3fbf4be3efc7e8b5b94ac87fc0a6.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:204
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand cABvAHcAZQByAHMAaABlAGwAbAAgAC0AdgAgADIAIAAtAG4AbwBwACAALQBOAG8ATABvAEcAbwAgAC0AbgBvAG4AaQBuAHQAZQByAGEAYwB0AGkAdgBlACAALQBDAG8AbQBtAGEAbgBkACAAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFwAVQBzAGUAcgBzAFwAXABhAGQAbQBpAG4AXwBpAG4AdABlAGwAaQB0AGUAYwBcAFwARABvAHcAbgBsAG8AYQBkAHMAXABcAGwAZAAuAGUAeABlACcAIAAtAE4AbwBOAGUAdwBXAGkAbgBkAG8AdwAgAC0AVwBhAGkAdAA=
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -v 2 -nop -NoLoGo -noninteractive -Command Start-Process -FilePath C:\\Users\\admin_intelitec\\Downloads\\ld.exe -NoNewWindow -Wait
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4280

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    c6b0a774fa56e0169ed7bb7b25c114dd

    SHA1

    bcdba7d4ecfff2180510850e585b44691ea81ba5

    SHA256

    b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

    SHA512

    42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    8b8898e3ae10b1b430a3e427076a471b

    SHA1

    d19d104c049c3241b1a264560836eb51ed6b90b0

    SHA256

    d39dfe4dc878805b5a6826f19fa7fca0067f271ed7b2c2c7dcda245902172077

    SHA512

    ae71bcd2a572e11e160823470869d5b0d686996753942eb4bc4963b38b62c2f741caa78bde6cd6ee36ef9d423890c82ace871bf297631a284343678b5f829cb7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o5e0ufwn.dpq.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • memory/204-5-0x0000016AC30E0000-0x0000016AC3102000-memory.dmp

    Filesize

    136KB

    Download

  • memory/204-8-0x00007FFBBEEE0000-0x00007FFBBF8CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/204-9-0x0000016AC32E0000-0x0000016AC3356000-memory.dmp

    Filesize

    472KB

    Download

  • memory/204-10-0x00007FFBBEEE0000-0x00007FFBBF8CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/204-31-0x00007FFBBEEE0000-0x00007FFBBF8CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/204-125-0x00007FFBBEEE0000-0x00007FFBBF8CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/204-4-0x00007FFBBEEE3000-0x00007FFBBEEE4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3020-39-0x00007FFBBEEE0000-0x00007FFBBF8CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3020-120-0x00007FFBBEEE0000-0x00007FFBBF8CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3020-48-0x00007FFBBEEE0000-0x00007FFBBF8CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3020-36-0x00007FFBBEEE0000-0x00007FFBBF8CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4280-57-0x000002081F060000-0x000002081F068000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4280-55-0x0000020837B20000-0x0000020837E02000-memory.dmp

    Filesize

    2.9MB

    Download