8a36127d9fdced5a151bb5def00f508f8b132c88af5020a9bf654f468cf12cd8

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

indexpowershell.ps1
Size

914B
MD5

fec80df570e3c472d9d3445376b29bbe
SHA1

74209f0508d62c7fbeec2313269d1eadc3fa0601
SHA256

8a36127d9fdced5a151bb5def00f508f8b132c88af5020a9bf654f468cf12cd8
SHA512

453d07746ee63c33dc10efbc45beeebd046f41df965988da2f88636623c3476792a7a1f65443e82690d6be984fdfc8af3d8c854191a32d8894f158a76cbb1806

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3004	powershell.exe
1284	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3004	powershell.exe
3004	powershell.exe
3004	powershell.exe
3004	powershell.exe
3004	powershell.exe
1284	powershell.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeShutdownPrivilege	2676	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2676	msiexec.exe
Token: SeRestorePrivilege	2744	msiexec.exe
Token: SeTakeOwnershipPrivilege	2744	msiexec.exe
Token: SeSecurityPrivilege	2744	msiexec.exe
Token: SeCreateTokenPrivilege	2676	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2676	msiexec.exe
Token: SeLockMemoryPrivilege	2676	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2676	msiexec.exe
Token: SeMachineAccountPrivilege	2676	msiexec.exe
Token: SeTcbPrivilege	2676	msiexec.exe
Token: SeSecurityPrivilege	2676	msiexec.exe
Token: SeTakeOwnershipPrivilege	2676	msiexec.exe
Token: SeLoadDriverPrivilege	2676	msiexec.exe
Token: SeSystemProfilePrivilege	2676	msiexec.exe
Token: SeSystemtimePrivilege	2676	msiexec.exe
Token: SeProfSingleProcessPrivilege	2676	msiexec.exe
Token: SeIncBasePriorityPrivilege	2676	msiexec.exe
Token: SeCreatePagefilePrivilege	2676	msiexec.exe
Token: SeCreatePermanentPrivilege	2676	msiexec.exe
Token: SeBackupPrivilege	2676	msiexec.exe
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeShutdownPrivilege	2676	msiexec.exe
Token: SeDebugPrivilege	2676	msiexec.exe
Token: SeAuditPrivilege	2676	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2676	msiexec.exe
Token: SeChangeNotifyPrivilege	2676	msiexec.exe
Token: SeRemoteShutdownPrivilege	2676	msiexec.exe
Token: SeUndockPrivilege	2676	msiexec.exe
Token: SeSyncAgentPrivilege	2676	msiexec.exe
Token: SeEnableDelegationPrivilege	2676	msiexec.exe
Token: SeManageVolumePrivilege	2676	msiexec.exe
Token: SeImpersonatePrivilege	2676	msiexec.exe
Token: SeCreateGlobalPrivilege	2676	msiexec.exe
Token: SeDebugPrivilege	1284	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2676	3004	powershell.exe	31
PID 3004 wrote to memory of 2676	3004	powershell.exe	31
PID 3004 wrote to memory of 2676	3004	powershell.exe	31
PID 3004 wrote to memory of 2676	3004	powershell.exe	31
PID 3004 wrote to memory of 2676	3004	powershell.exe	31
PID 3004 wrote to memory of 1284	3004	powershell.exe	33
PID 3004 wrote to memory of 1284	3004	powershell.exe	33
PID 3004 wrote to memory of 1284	3004	powershell.exe	33

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\indexpowershell.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\system32\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\chromeremotedesktophost.msi" /quiet /norestart
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "C:\Program Files (x86)\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe --code=4/0AQlEd8zWLesSUP6f4H85oQO8fA5FVqxLtXt6w7i5YC8q1hKRKimqLnsN8AnYiSNN_DXy8A --redirect-url=https://remotedesktop.google.com/_/oauthredirect --name=EXCFTDUU"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1284

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4AL7PPOC9QHU2JQ97GFZ.temp

Filesize
7KB

MD5
8c7a07e99befdbfd49869b032fe1fe5e

SHA1
f6cd1f887932932437de17b731ae90ebd54515e1

SHA256
fa0d453c4c6f828f2d39635197831c65f1e4ff8abc5427080b0f42f056795a7b

SHA512
bbd8af139e1d32f8740ec2b1d07e4f169f449ff19c7b9a1323429fd4732d23dc0b3a2e860cf9c2e93d426cb368aec3c03cc32771cd44e7c0c1066694dc7af225

Download Submit
memory/3004-4-0x000007FEF64AE000-0x000007FEF64AF000-memory.dmp

Filesize
4KB

Download
memory/3004-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/3004-6-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/3004-7-0x000007FEF61F0000-0x000007FEF6B8D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-8-0x000007FEF61F0000-0x000007FEF6B8D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-9-0x000007FEF61F0000-0x000007FEF6B8D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-10-0x000007FEF61F0000-0x000007FEF6B8D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-11-0x000007FEF64AE000-0x000007FEF64AF000-memory.dmp

Filesize
4KB

Download
memory/3004-12-0x000007FEF61F0000-0x000007FEF6B8D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-16-0x000007FEF61F0000-0x000007FEF6B8D000-memory.dmp

Filesize
9.6MB

Download