Analysis
-
max time kernel
450s -
max time network
450s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
15/07/2024, 13:31
General
-
Target
code.ps1
-
Size
5.4MB
-
MD5
a47bf2391614bf4e994bcb9e0bceeb10
-
SHA1
5610b866d5edfda50f25de183c5a35d3c36d92b5
-
SHA256
7526dc4fa9ae0abff965b74756151f956cf0d43616bc4d2b9e4629b41be5fb0d
-
SHA512
244a952393749820ac5f65225d469c12e0c0dd1f734b7f9d6852318b55b1e74f6a0edb6abd1ef99364fac2a1cbbd2eb276212500545448216f796f21d764a908
-
SSDEEP
12288:JRaqCoQNkn0cIGblCCIKf7sNPChAocUSqcqz8zfO8/rBpAC+F6GKb/5Vo1IGJKF:JRd0q0cIGbl5IKOPChy/qz8FYdWOI4KF
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 5 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\code.ps12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\code.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\findstr.exefindstr /e "'v" "C:\Users\Admin\AppData\Local\Temp\code.bat"3⤵
-
-
C:\Windows\system32\cscript.execscript //nologo C:\Users\Admin\AppData\Local\Temp\x.vbs3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\x.exeC:\Users\Admin\AppData\Local\Temp\x.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"4⤵
-
-
-
-
C:\Windows\SysWOW64\findstr.exe"C:\Windows\SysWOW64\findstr.exe"2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4.5MB
MD57eb97db6a8eaadec9df12470b18ecbc1
SHA1cc8c8ebe12f4bb0f031d71812dd512f167aa7eca
SHA2563e643767546937b58a16ff6b2e47d4913239e54d32274d5d09e4096ed1c6d805
SHA512e3623685157e1afa5b83391d2e23abeb67fa0505482961726496356d5fe6db14874f868931f19153a0120150bd798bf14e7adadc264de8292d391edecd3c1536
-
Filesize
4KB
MD574a785f855123a6080c65527caa6fafa
SHA1abde85b4564fde134ff5cc567603fca671d7aed6
SHA256fe84a305325733970297aa7c74cca2c759fb381c634ea7abe8eece67ff2b5c7e
SHA512e151ab239c0eb04bf959081645175f049ce7d613c9bfef8e467abad4d65703db50e2b055cb2d0671cf988a1361c201ae58c0d6383ad0f16f76477aeb55716b61
-
Filesize
3.3MB
MD51ae5a3bd872cd298300f1cabaa63609e
SHA1fd9ea069427b9a7c2af3fe5e3ce56ca34aa99028
SHA2560ac5ce26cf6ece81e5508bcdd693e9aa512cf778ff241374f602f2f438bac3c2
SHA5123b14b09045a56b2f02f0c4b3e1cd261c916f8d764f74848871e99fd9de69929eca7a4d67ded16d5700d2bb398aed399e5ea67b420fa6f39709397bef6a7e3a19
-
Filesize
380B
MD5ec9a2fb69a379d913a4e0a953cd3b97c
SHA1a0303ed9f787c042071a1286bba43a5bbdd0679e
SHA256cf8268d158bb819ef158ff6ccbed64d5e379148a0adb1f73a082a01d56d0286b
SHA512fef8e24a680991046bd7dacd6079c7e48c3031fe46caae722ea93797ee16c052073ba97959e992ea71ac7ab72fbcedaa5cf4a410657aac4c10ad24de6935e9d6
-
Filesize
268KB
-
Filesize
268KB
-
Filesize
1.0MB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
616KB
-
Filesize
40KB
-
Filesize
744KB