Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-07-2024 05:23

General

  • Target
    xt.png.ps1
  • Size
    712KB
  • MD5
    8bc95d2d1480070e0cccb017799b7b46
  • SHA1
    868023685bbcd9308b2c0df2aa8bd9ff87054c89
  • SHA256
    1cf135e1f7c5574ed17b6dd7a55406d9f7645cedc44dc400cb90782b1381b321
  • SHA512
    95b105024fe1477dd6e063cbae74ddc312b3a11637d633dd3dd546ec1711b38b49610819388fad3cae4f9ece17a249040d2f955c1ab378e24dbad2bca576a412
  • SSDEEP
    12288:9+x48PQ0D1VF5sh0cxArBhOmg1xHxR3C3rfLG48K:9848PQ0D1b53cxAYK

Score
3/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\xt.png.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\OSRSEBJUUOBALHKLTGXZHU.ps1'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2424

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\OSRSEBJUUOBALHKLTGXZHU.ps1
    Filesize
    710KB
    MD5
    3739e5fbe64bf7f544d6bd9caecec20e
    SHA1
    2007e966e3b3b41de5693035a526e1610ab08e73
    SHA256
    8bd1d3957449dba51f31bc1847a58b9f91a72d8899de053b0cd9f796262fc161
    SHA512
    300df7b9ede0ea99a769795fd6243ec00843ab82231daf11ef3c39a666643de6387327e684b5a78891c0ebf5ee105f5724117734a475093ac85b41f1236cbf42
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize
    7KB
    MD5
    e64188316c57f24b17ddc357b3734927
    SHA1
    19c3e7fd48f3a7d9b1e8183ef641d9ecebd6a776
    SHA256
    01b18a93ce49d869e21f6a7ecde2400168f08b00ae1dd3ea8d42a7c6db3043ed
    SHA512
    e30667e7c7666f4564aafcba6656e0fcd2e96ff36b16cc751f7aa4ba055a9a2db77fe7fe59900f358acd59bcd64fdab4c12b2add12269af43dd6d0eed700cc37

  • memory/2108-4-0x000007FEF571E000-0x000007FEF571F000-memory.dmp
    Filesize
    4KB
  • memory/2108-5-0x000000001B580000-0x000000001B862000-memory.dmp
    Filesize
    2.9MB
  • memory/2108-6-0x00000000022C0000-0x00000000022C8000-memory.dmp
    Filesize
    32KB
  • memory/2108-8-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp
    Filesize
    9.6MB
  • memory/2108-7-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp
    Filesize
    9.6MB
  • memory/2108-9-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp
    Filesize
    9.6MB
  • memory/2108-20-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp
    Filesize
    9.6MB
  • memory/2424-17-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp
    Filesize
    9.6MB
  • memory/2424-19-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp
    Filesize
    9.6MB