Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    13/06/2024, 04:33

General

  • Target

    trigger.ps1

  • Size

    5KB

  • MD5

    1283a8dda20a7ee0d95bfb4137aca449

  • SHA1

    522172f47a541b5951085e276a0a0afba1a541c0

  • SHA256

    8fa77a5d324e475122b5d41cbec41632fcc5176765cee9e44beb94b65d95a3cb

  • SHA512

    c9f47c8e1290cea48725e4bf87622dbc507f65a3953ef32bdc72416f1a7065bb6537734cf96f9817a83ce1932496257f98bd98a45ff19d6d829e047a6616f26f

  • SSDEEP

    96:iy9RoMdK9QDoiIcnG+BUy0Y5nO+GKTZ3enFOoS+4grynmXVRhXaBk:nkWi9Ef5nOpKtkO5sQmABk

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\trigger.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2288
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
      PID:2560
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3168
    • C:\Windows\System32\oobe\UserOOBEBroker.exe
      C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
      1⤵
      • Drops file in Windows directory
      PID:4540
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
      C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
      1⤵
        PID:2980
      • C:\Windows\System32\ATBroker.exe
        C:\Windows\System32\ATBroker.exe /start osk
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1428
        • C:\Windows\System32\osk.exe
          "C:\Windows\System32\osk.exe"
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:2664

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

        Filesize

        10KB

        MD5

        9a7af7f1f08f7de9da3ba647286ee5a6

        SHA1

        d7a23961ba5f8c4242a03f20686ff516c2ae432c

        SHA256

        dddc3d322b46ec53927c26326a4f4d573dec131fbe668450f984c91c3104a08b

        SHA512

        64b0d94e68aa2d0ee9d02f170de6989f5255c5c57d05dffbf4dbbe012dae43a6f4dbd59c6a85fd2621fb84ae7f4cdf486a089b90e3e6c4fce1b152ba5aa6ba58

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pqy3cebd.eru.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • memory/2288-0-0x00007FFB5D213000-0x00007FFB5D215000-memory.dmp

        Filesize

        8KB

      • memory/2288-1-0x0000019251510000-0x0000019251532000-memory.dmp

        Filesize

        136KB

      • memory/2288-10-0x00007FFB5D210000-0x00007FFB5DCD2000-memory.dmp

        Filesize

        10.8MB

      • memory/2288-11-0x00007FFB5D210000-0x00007FFB5DCD2000-memory.dmp

        Filesize

        10.8MB

      • memory/2288-12-0x00007FFB5D210000-0x00007FFB5DCD2000-memory.dmp

        Filesize

        10.8MB

      • memory/2288-16-0x00007FFB5D210000-0x00007FFB5DCD2000-memory.dmp

        Filesize

        10.8MB

      • memory/2288-15-0x00007FFB5D210000-0x00007FFB5DCD2000-memory.dmp

        Filesize

        10.8MB