111a76dec326a5d2d9a530f7de452f7aafcbdf08c9feb1f8d894f528ed60d8a1

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 16:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

testie.ps1
Size

263B
MD5

4b406fd3f8cf6c84070745ba7c810f5e
SHA1

46498bc753ad7398e449f36dfa57dc1aaa44d1e1
SHA256

111a76dec326a5d2d9a530f7de452f7aafcbdf08c9feb1f8d894f528ed60d8a1
SHA512

b77ab8bceb7d9ced7574552555a4ef2066d46fb408c81d0abbf91339ca5be61d11abe6d36d72ab1305ae76a6967321695f1fe98122b0053cdb84654d5e16cc48

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2708	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2708	powershell.exe
2708	powershell.exe
2708	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2648	2708	powershell.exe	31
PID 2708 wrote to memory of 2648	2708	powershell.exe	31
PID 2708 wrote to memory of 2648	2708	powershell.exe	31

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\testie.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe" Admin
  2⤵
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2708-4-0x000007FEF618E000-0x000007FEF618F000-memory.dmp

Filesize
4KB

Download
memory/2708-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2708-6-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2708-8-0x000007FEF5ED0000-0x000007FEF686D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-7-0x000007FEF5ED0000-0x000007FEF686D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-9-0x000007FEF5ED0000-0x000007FEF686D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-10-0x000007FEF5ED0000-0x000007FEF686D000-memory.dmp

Filesize
9.6MB

Download
memory/2708-11-0x000007FEF5ED0000-0x000007FEF686D000-memory.dmp

Filesize
9.6MB

Download