1ad71e3cee2df332e018c946e6c3963193c46592564210339bae445911081905

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

code.ps1
Size

3KB
MD5

6b2fbc88a1887a155e43416ac9d9412d
SHA1

0c003d757befa7df1c0a4521226aa024bd9f02fe
SHA256

1ad71e3cee2df332e018c946e6c3963193c46592564210339bae445911081905
SHA512

0a51e1e5e4003c2596f694b08ed74eb0aa915b75d709f03b7f91b5d9824a029d619e6d15c744d255524a0071f82a5766f121e9d6e47abc4e2f8fa65969871d4f

Score

8^/10

execution

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2292	powershell.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2404	notepad.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2404	notepad.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2404	2292	powershell.exe	29
PID 2292 wrote to memory of 2404	2292	powershell.exe	29
PID 2292 wrote to memory of 2404	2292	powershell.exe	29

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\code.ps1
1⤵
- Drops file in Drivers directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe" C:\note.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
  PID:2404

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\note.txt

Filesize
10B

MD5
53ba7faa722ca097a996ff26b810eed8

SHA1
9364cf73dc5a8e823d70271b89c94cba8fc58a1e

SHA256
bb3101298d24dadbe4e929170a714df0c58cc89c9bc40170de6932dcbd263c8b

SHA512
addb39423ed3b4d4daf2a9ff5f4f8d98e8475c0d91ba557c1e0799d012b8ac4772a92d86d980e35c466278bf9e8ffd9dc82be358217795ea489c650d9ea74448

Download Submit
memory/2292-4-0x000007FEF58FE000-0x000007FEF58FF000-memory.dmp

Filesize
4KB

Download
memory/2292-7-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2292-9-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2292-8-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2292-11-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2292-10-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2292-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2292-5-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2292-15-0x000007FEF58FE000-0x000007FEF58FF000-memory.dmp

Filesize
4KB

Download
memory/2292-16-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2292-18-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download