5fbdfe7519229372ef9d459b5ffdfefdc9c03578a90a84e8f729680bfa3fa228

Analysis

max time kernel
173s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 08:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ScriptBuzzBuzz 2.ps1
Size

805KB
MD5

4bd4a6fc1aae3870c3bb5c106a989da9
SHA1

8d36810464f51f919feb82895c8b20fa8f4b5630
SHA256

5fbdfe7519229372ef9d459b5ffdfefdc9c03578a90a84e8f729680bfa3fa228
SHA512

b4a9b617195daaa9e38f9a41b1fe32641c62282c01bb4eedac79fa58b31656ab5d13b05f92026d65a3e498d3d9172dff7e4efa9d6813097d0ddab2d2fb9922b8
SSDEEP

12288:yZbaVShXGjMH6AQg3KmgOwhS6tfbc8UdMPKBmANURqhd7myrUwdKe2G9Xu0T:yljXDnfaSoSajaMPKBRNUYTmeUbk9Xu2

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2136	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2136	powershell.exe
2528	powershell.exe
2528	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\ScriptBuzzBuzz 2.ps1"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1e8aa27f43eb6ef6a13c22a39268009b

SHA1
0bfaa99e9dc86f2154f5a2e912bb58ca072602b2

SHA256
83319350c565402d98ebcfa8e5b2ee9559b0715a7a4bd5dbb71e45ea4aaa6582

SHA512
11b252f3d3beca91d5d24ddd25a5484a82548396f57648553494fb666a452b6ccbdb74091bcccb9f48372e0c7d951d13a420d6fe3c30f73daa78b9645967a84e

Download Submit
memory/2136-7-0x000007FEF6200000-0x000007FEF6B9D000-memory.dmp

Filesize
9.6MB

Download
memory/2136-6-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2136-4-0x000007FEF64BE000-0x000007FEF64BF000-memory.dmp

Filesize
4KB

Download
memory/2136-8-0x000007FEF6200000-0x000007FEF6B9D000-memory.dmp

Filesize
9.6MB

Download
memory/2136-10-0x000007FEF6200000-0x000007FEF6B9D000-memory.dmp

Filesize
9.6MB

Download
memory/2136-11-0x000007FEF6200000-0x000007FEF6B9D000-memory.dmp

Filesize
9.6MB

Download
memory/2136-9-0x000007FEF6200000-0x000007FEF6B9D000-memory.dmp

Filesize
9.6MB

Download
memory/2136-12-0x000007FEF6200000-0x000007FEF6B9D000-memory.dmp

Filesize
9.6MB

Download
memory/2136-5-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2528-18-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2528-19-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2528-20-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/2528-21-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download