Analysis
-
max time kernel
136s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
03-08-2024 18:08
General
-
Target
2.ps1
-
Size
1002KB
-
MD5
53c4c7466cebb3357a4bf5fdde6e03bd
-
SHA1
3ae57e66c6651b2c35b873db5de86b87ccc969ad
-
SHA256
ec7d6975587d8dd4effb5727882b1fbb867766d4df73ec304c88d27362ce6ace
-
SHA512
aa7a49bde2e30748853b66c772d5bc72372699d52a0d4806d373e870eaa0488ba6ff7b92669e15c9b0180f4cfebd45e698a75b514512b6eddb338dfaf2d2a75e
-
SSDEEP
24576:TawjBUo3v/AOhx415r2X0Kin4clpSeuoZ+tF0USjpMmaXBxwP0oOGAlLRqkbx2yY:e
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Drops file in System32 directory 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {F3CFED76-012B-4C3D-991F-B7B29F30542B} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\Users\Public\wingro8.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.execmd /c ""C:\Users\Public\wingro8.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\wingro8.ps1'"4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD550d4a99b69cfffe7d2d266a1409a74f3
SHA1502c672e96d215fc401dc756df1b8f277ba84eee
SHA256ab4b5d0ae90c3dfcf0817ced53e1401a14c89f36f3d8134e67924abdfa99f028
SHA51295a9d5cf086c24d3802b845139eee0965f74ef0ca77421e15b0bb4e8e84ca622ba28d18e056a86624891819984bd02936b34dd73b8107ed336f7729648b5feb1
-
Filesize
7KB
MD545da11067f7107dde921b21a1748fe51
SHA1f31041c1cd08b3b70007d93623620c67074dd0f8
SHA256f3df444e078eb6180c2f698fa69fc6551adfd590f3a979be9d7b250fc5853147
SHA51254892535ee95e40c93de87db8f23a5a4b1b76240e7bc1b97e3a5b2b241f2af708119eef62a727b9a8cae55b82f16e9fc00713127e72578db8e0da9bb75612caf
-
Filesize
204B
MD59ae3fd9aa024c8c635043f25e14e4582
SHA1346bdf6d3fb90733b29e4b0679eed419d2337d8a
SHA25608eb7706a9e1efa8a68e0174bc5d62fd48282ffafc561819c3bc87784a80e73f
SHA512b4a87e683517cdfc1df43a08b238844bac0319be234ccfddb1ba0c55bc321d5f3b592a7ecd795370d735c629ff2122d9a6405c181a16128606ba4b26c1f67af2
-
Filesize
1000KB
MD5a7c519fa08aa6c0e88292f403244958d
SHA166aa43c3d645041957e7da8ad263c6c8ac21875f
SHA2566b69b5238db51c77517e5ad018160b9d1be9b9d6af217033b4cf0648e4dfe1fd
SHA512f621dc60aed94d8571a75b9f3ef83831de09fa1baebd21e12d476c67315745b6974bd76c163c623ee765f7e181da4291aa298574397782020e0b4585911fb1bd
-
Filesize
689B
MD5aeee1749af12130d3f8c69f286d82904
SHA11199175f300c2249c1e6fedb28efa44acffa88b1
SHA25640dd27ce5d1b906557495317c0c0164cce12baab5dae79028b1539a65a9caf2b
SHA512f8e944b7de50ef6200606f334b82216ea177bea391b3464bacda0db44395a346994cdb26f1bba4c83e6044f88b76cad87d89179ced0ea09114d15aeab49fffec
-
Filesize
208KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
9.6MB