9fca82ac9d1a70b7e09177b8dbc98e6f26c5cf0eb65ae78717d7fd4f7bc554b6

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07/08/2024, 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bCelery.github.io-1.0.5-c/a.ps1
Size

492B
MD5

667d2373562f3e6411197a6280dbf8c1
SHA1

1f101bca3721e26f59ba45182d304bd55b6c53c4
SHA256

dc42a6abf71ff256b28fe1d294cbbeba45848a9ac5f201a97c9e77691143745f
SHA512

8f157e28c5f5d2ac9a09672b338aa336ed5142ccfb6adbb5b48f232ec40694d95df252687da20da7f4b24ad629fd85606547beefd5e09bac12b49183eade8bda

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2760	powershell.exe
2680	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2760	powershell.exe
2760	powershell.exe
2760	powershell.exe
2680	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2704	2760	powershell.exe	31
PID 2760 wrote to memory of 2704	2760	powershell.exe	31
PID 2760 wrote to memory of 2704	2760	powershell.exe	31
PID 2704 wrote to memory of 2788	2704	cmd.exe	33
PID 2704 wrote to memory of 2788	2704	cmd.exe	33
PID 2704 wrote to memory of 2788	2704	cmd.exe	33
PID 2788 wrote to memory of 2728	2788	net.exe	34
PID 2788 wrote to memory of 2728	2788	net.exe	34
PID 2788 wrote to memory of 2728	2788	net.exe	34
PID 2704 wrote to memory of 2680	2704	cmd.exe	35
PID 2704 wrote to memory of 2680	2704	cmd.exe	35
PID 2704 wrote to memory of 2680	2704	cmd.exe	35

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\bCelery.github.io-1.0.5-c\a.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\Documents\betterCeleryRun.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:2728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "irm bcelery.github.io/src/gui.ps1 | iex"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b18564c74fbe69ab8667556d3dfedf4e

SHA1
4c4df2320c270ea1d3e316de0893262da69c9c01

SHA256
63c133cd333fc22306cde5f6bb745ba1603cf23ffc2f0f24fb1b609a876b993d

SHA512
dc00a434991312cd391dfdb3239316607812e4c83d5fcacc616364e19029fcd13ef0eb9cc9eaf71cbfa5f0e14af89f6b4e2c895917a32b3a5011dc07c94f3f20

Download Submit
C:\Users\Admin\Documents\betterCeleryRun.cmd

Filesize
272B

MD5
f0dc748048d93bfcffeade9e70839e47

SHA1
f499891181bb8f8ce9f11f4ea531e4406b791d53

SHA256
30f45fd0cf8ad465a14fef1f26049a77dd7dafc6073478c921318a0b345ae84c

SHA512
c3bc0c87227b7429e76ed6c308918c2de339064bd87d790a717971b25e1165c01767e57c7f24edb17f76196b13315a98056a59c631b93000c30ad4d73901fb1c

Download Submit
memory/2680-29-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2680-28-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2760-11-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-4-0x000007FEF5E4E000-0x000007FEF5E4F000-memory.dmp

Filesize
4KB

Download
memory/2760-10-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-7-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2760-21-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-8-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-9-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-6-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-5-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download