Overview

overview

8

Static

static

1

code.ps1

windows7-x64

8

code.ps1

windows10-2004-x64

7

Analysis

  • max time kernel
    430s
  • max time network
    381s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    15/07/2024, 13:31

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    code.ps1

  • Size

    5.4MB

  • MD5

    a47bf2391614bf4e994bcb9e0bceeb10

  • SHA1

    5610b866d5edfda50f25de183c5a35d3c36d92b5

  • SHA256

    7526dc4fa9ae0abff965b74756151f956cf0d43616bc4d2b9e4629b41be5fb0d

  • SHA512

    244a952393749820ac5f65225d469c12e0c0dd1f734b7f9d6852318b55b1e74f6a0edb6abd1ef99364fac2a1cbbd2eb276212500545448216f796f21d764a908

  • SSDEEP

    12288:JRaqCoQNkn0cIGblCCIKf7sNPChAocUSqcqz8zfO8/rBpAC+F6GKb/5Vo1IGJKF:JRd0q0cIGbl5IKOPChy/qz8FYdWOI4KF

Score
8/10
executionpersistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 63 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\code.ps1
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2480
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
        PID:2468
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\code.bat" "
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\Windows\system32\findstr.exe
          findstr /e "'v" "C:\Users\Admin\AppData\Local\Temp\code.bat"
          3⤵
            PID:2480
          • C:\Windows\system32\cscript.exe
            cscript //nologo C:\Users\Admin\AppData\Local\Temp\x.vbs
            3⤵
              PID:2344
            • C:\Users\Admin\AppData\Local\Temp\x.exe
              C:\Users\Admin\AppData\Local\Temp\x.exe
              3⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:2896
              • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
                4⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                PID:2600
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 2896 -s 648
                4⤵
                • Loads dropped DLL
                PID:1992
          • C:\Windows\SysWOW64\findstr.exe
            "C:\Windows\SysWOW64\findstr.exe"
            2⤵
            • Adds policy Run key to start application
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:2684

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\x
                Filesize

                4.5MB

                MD5

                7eb97db6a8eaadec9df12470b18ecbc1

                SHA1

                cc8c8ebe12f4bb0f031d71812dd512f167aa7eca

                SHA256

                3e643767546937b58a16ff6b2e47d4913239e54d32274d5d09e4096ed1c6d805

                SHA512

                e3623685157e1afa5b83391d2e23abeb67fa0505482961726496356d5fe6db14874f868931f19153a0120150bd798bf14e7adadc264de8292d391edecd3c1536

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\x
                Filesize

                4KB

                MD5

                74a785f855123a6080c65527caa6fafa

                SHA1

                abde85b4564fde134ff5cc567603fca671d7aed6

                SHA256

                fe84a305325733970297aa7c74cca2c759fb381c634ea7abe8eece67ff2b5c7e

                SHA512

                e151ab239c0eb04bf959081645175f049ce7d613c9bfef8e467abad4d65703db50e2b055cb2d0671cf988a1361c201ae58c0d6383ad0f16f76477aeb55716b61

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\x.vbs
                Filesize

                380B

                MD5

                ec9a2fb69a379d913a4e0a953cd3b97c

                SHA1

                a0303ed9f787c042071a1286bba43a5bbdd0679e

                SHA256

                cf8268d158bb819ef158ff6ccbed64d5e379148a0adb1f73a082a01d56d0286b

                SHA512

                fef8e24a680991046bd7dacd6079c7e48c3031fe46caae722ea93797ee16c052073ba97959e992ea71ac7ab72fbcedaa5cf4a410657aac4c10ad24de6935e9d6

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\znvtc.zip
                Filesize

                177B

                MD5

                9d6ba31b7ba91e3755141f69be8d8cd5

                SHA1

                fa92b067f751087d986b5578c67aa60d1694c294

                SHA256

                6c42ca7add3b791acdbf5163bebc372f162ca075dddb4a9c7de3991dad3d8bab

                SHA512

                cbf4e6be73e75e81c2edb84bef471955813863c0da10ae012724f3ab74879f23d3f7072b6394f978fd5525efb80fe9211641cf0d4f2132b273000662a1c89337

                Download Submit

              • \Users\Admin\AppData\Local\Temp\x.exe
                Filesize

                3.3MB

                MD5

                1ae5a3bd872cd298300f1cabaa63609e

                SHA1

                fd9ea069427b9a7c2af3fe5e3ce56ca34aa99028

                SHA256

                0ac5ce26cf6ece81e5508bcdd693e9aa512cf778ff241374f602f2f438bac3c2

                SHA512

                3b14b09045a56b2f02f0c4b3e1cd261c916f8d764f74848871e99fd9de69929eca7a4d67ded16d5700d2bb398aed399e5ea67b420fa6f39709397bef6a7e3a19

                Download Submit

              • memory/1204-65775-0x0000000002B10000-0x0000000002C04000-memory.dmp

                Filesize

                976KB

                Download

              • memory/2480-10-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

                Filesize

                9.6MB

                Download

              • memory/2480-11-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

                Filesize

                9.6MB

                Download

              • memory/2480-12-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

                Filesize

                9.6MB

                Download

              • memory/2480-4-0x000007FEF5F3E000-0x000007FEF5F3F000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2480-9-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

                Filesize

                9.6MB

                Download

              • memory/2480-8-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

                Filesize

                9.6MB

                Download

              • memory/2480-5-0x000000001B680000-0x000000001B962000-memory.dmp

                Filesize

                2.9MB

                Download

              • memory/2480-6-0x00000000028E0000-0x00000000028E8000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2480-7-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp

                Filesize

                9.6MB

                Download

              • memory/2600-65763-0x0000000000400000-0x0000000000443000-memory.dmp

                Filesize

                268KB

                Download

              • memory/2600-65761-0x0000000000400000-0x0000000000443000-memory.dmp

                Filesize

                268KB

                Download

              • memory/2600-65766-0x0000000000400000-0x0000000000443000-memory.dmp

                Filesize

                268KB

                Download

              • memory/2600-65765-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2600-65772-0x0000000000400000-0x0000000000443000-memory.dmp

                Filesize

                268KB

                Download

              • memory/2684-65773-0x0000000000080000-0x00000000000BF000-memory.dmp

                Filesize

                252KB

                Download

              • memory/2684-65774-0x0000000000080000-0x00000000000BF000-memory.dmp

                Filesize

                252KB

                Download

              • memory/2684-65780-0x0000000000080000-0x00000000000BF000-memory.dmp

                Filesize

                252KB

                Download

              • memory/2896-65760-0x0000000002000000-0x000000000209A000-memory.dmp

                Filesize

                616KB

                Download

              • memory/2896-65759-0x000000001B360000-0x000000001B36A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/2896-65758-0x0000000000950000-0x000000000095A000-memory.dmp

                Filesize

                40KB

                Download