Overview

overview

8

Static

static

1

script.ps1

windows7-x64

8

script.ps1

windows10-2004-x64

8

Sharing

Copy URL Twitter E-mail

General

  • Target

    script.ps1

  • Size

    393B

  • Sample

    240809-wtvwzstdrm

  • MD5

    0653bc76a82c896de0fa964bed515f8d

  • SHA1

    ecc41ef3092afe2940ae7e29a5923318b670c108

  • SHA256

    4634350daa643c8ed2f02784e0b2840767348ee9326ae0cadc41e4c4a0999f32

  • SHA512

    58c8b49c5a447c36ded4faed0bb4b93c320871aa5f735c5ad26e35a0486c8be6a9d4dcc7c0c63bf7a9df5f09ffa9ecfdfe5f6f384484273b89d8221eb32ea31c

Score
8/10
discoveryexecutionpersistence

Malware Config

Targets

    • Target

      script.ps1

    • Size

      393B

    • MD5

      0653bc76a82c896de0fa964bed515f8d

    • SHA1

      ecc41ef3092afe2940ae7e29a5923318b670c108

    • SHA256

      4634350daa643c8ed2f02784e0b2840767348ee9326ae0cadc41e4c4a0999f32

    • SHA512

      58c8b49c5a447c36ded4faed0bb4b93c320871aa5f735c5ad26e35a0486c8be6a9d4dcc7c0c63bf7a9df5f09ffa9ecfdfe5f6f384484273b89d8221eb32ea31c

    Score
    8/10
    discoveryexecutionpersistence

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks