Analysis
-
max time kernel
64s -
max time network
66s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
22/07/2024, 04:06
General
-
Target
2ndKeyboard.ps1
-
Size
11KB
-
MD5
0105fac8d132386d14ff52f70729a6ae
-
SHA1
adcd60803589d2f535a15d076eca15247796526e
-
SHA256
7385890aabf8664af9980df334248017bd6c5efd917234b4b0036af28c8f355b
-
SHA512
bb10b611abc5fb2c882fd7f82c1e88f57fb37ca72108d05f245dd516605e11af325a6ba920f9af5a3fa8d62e1a3186df343b0ee0168c769e9086d38c9c758560
-
SSDEEP
192:S4EgVxFLfSlKRPTxlGveogSkwf2Dp4wiJShC:/1LQKRPTxlG2ogSk/14wiUhC
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 2 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2ndKeyboard.ps11⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\intercept\Interception\command line installer\install-interception.exe"C:\Users\Admin\AppData\Local\Temp\intercept\Interception\command line installer\install-interception.exe" /install2⤵
- Drops file in Drivers directory
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\ahk.exe"C:\Users\Admin\AppData\Local\Temp\ahk.exe" /S2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
31KB
MD5515eaeb296569c7f34d57a289a22b352
SHA15cbde2d66ef1e82a4d9241b1f72a87e19d8563c4
SHA25619f2c1719dd944495e7a07ea32590657aa8a77d0429445df4b9a1e63c90237b6
SHA512e26bfa5f287fc9d6538aea0235b5367a361b95c460bce0abf43a373c2059199f2f10b218c04b1924fb8076bf5328403477b2c466fcbcd19882e3b0c8392b479c
-
Filesize
5KB
MD5db9f1ad28ddb95210f34e9465cb0c5d4
SHA1a5454555447c3ab87d4ab86827923b2be808d442
SHA256c684eddb313be0587aff0cec634a4bd777baac44a8bea639936cfca80c480cc6
SHA512db0862aeca914ac9f12c6997b47e0ae6a3e69bffea0f1065d544fe9b1505efacf873c6040df2a1e9e78c17706d8615aeebb3105c654582e761fa0e36ae06a91d
-
Filesize
47B
MD5a2a2551f270d0ec885f1f2d19f7ad592
SHA16b30dc114db6e3c54ad4409514a19a23ef75e957
SHA2569838a7bc6160f3b36a3a8316b977c460ea24ab6fc6b6e9423c12dd557e3aa91d
SHA512e150ab4e5a96dfdd93903a9a2c0975f0347f1a3816badcf3a5797acd6167e96a971cf1abcdb41a02c54a0f2c823c9b5abc4cc740ea2278dd1192a0a90fdd29e6
-
Filesize
180B
MD5ce75b848c0a4eb74c9b6ac65ff71409c
SHA1b613b4194c93e43376c22d2e84257e50d8eedc94
SHA2566717e54a3e5f70e07ba8492c39ff95bec53331e7615af53fa0fe77f4306f3f1d
SHA512f1c118258b42a8698caf6608e1d1c34293f7d86ee6a7b1f7de2abb434a71a249cadea69445606de221ce46ce4d551014f06becc80372369da1dff946414da3ae
-
Filesize
180B
MD594c04d9f52252fe4a495af94580e26ff
SHA1a46ae7c243dd4f3f0f925aa1e72d7cfa2c722e8f
SHA256cc6f751bb007255843a8d367221c36454adc761e5bb2951c1e52b59513ab8ff8
SHA512578a830bbaf6cb0b1a4eaefff0e49a78c94e57c099dc20d1ff865f0f17bdeeffbd4ff56c31209e61aa9b54d38095499219db0c6a21da2aaf632996d43d99f1bc
-
Filesize
6KB
MD528534cef712b3531eb6a34993b52e58e
SHA1abb28693bf5e869b4eaf90a4883e501efef1f896
SHA256eef20d7ee13248d5a686ebb6c42be4cf89c7922b8eccbbe22f60da4baba617c6
SHA51274c71ea4b575186e6433e735a84b19457802418adb6920d5ec9414d539ca6ed78da9cb28d7e113ac706a663e0ace3dca15a5c65001988185771c50d244199d8d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.9MB
MD571e486a03ab282b75886e3712ebb1efa
SHA133501837a85ea22f98723746aecf5199865353f9
SHA256a30af310f45d4076cf1580bb08015db9a1337ddc1a99cf61829e645b196e8b2e
SHA512855e76b756a5b3d2a465a900fe146eaa7113fe45a7b8c88e057b8d4f975b2b08b8b6b11ea1a697fc7df2fea3f6f0772e6c356e109240bb4e655efae7dc407f55
-
Filesize
459KB
MD50f0b50d92e030b8965ce669c8058fa6e
SHA1257b3f0402285a29f4618b32958c208b3e9d4c4d
SHA256e137863a79da797f08e7a137280ff2a123809044a888fd75ce9c973198915abe
SHA512fc7c384fd6f682ad01b598abf87c522b38068f4488cea6dc7bd6dedd66e995e4d8fb583c54c6afed0c4c7a9a2318bb6ed257bb3cbd0e48fae83a7819d1167d79
-
Filesize
6KB
MD5b595881777dd83622c987d5e63af2214
SHA1e98cb6ba389bd33bbffc2c8941ce06553997c1c3
SHA256ba67d667821177ed9a07eb8e4a67e043c94f41131129aad11b724ff0623f2bc9
SHA512f7f31a06204787be2cd7f12cd5221d7adaa9e54d8f6f834c2af524dbe873fcfcde778d945d3e863d16aac8c94f170dcc3e2665e0cec541b9b93284c124482311
-
Filesize
72KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
5.3MB
-
Filesize
5.3MB