36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068

Analysis

max time kernel
26s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
30-08-2024 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trigger.ps1
Size

1B
MD5

7215ee9c7d9dc229d2921a40e899ec5f
SHA1

b858cb282617fb0956d960215c8e84d1ccf909c6
SHA256

36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
SHA512

f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2220 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2220 powershell.exe
1396 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2220 powershell.exe
Token: SeDebugPrivilege 1396 powershell.exe

pid	process
2220	powershell.exe

pid	process
2220	powershell.exe
1396	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 1396 wrote to memory of 1604	1396	powershell.exe	wininit.exe
PID 1396 wrote to memory of 1604	1396	powershell.exe	wininit.exe
PID 1396 wrote to memory of 1604	1396	powershell.exe	wininit.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\trigger.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\system32\wininit.exe
"C:\Windows\system32\wininit.exe"
1⤵
PID:2848

C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\system32\wininit.exe
"C:\Windows\system32\wininit.exe"
2⤵
PID:1604

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
a7b4b3425fc33616ef457d6ecc1ecc04

SHA1
64a782bc0945e262a7bc59054abb0f5b7b7892d7

SHA256
cff94d4109846937a81fde0cf5e6a66fe0ef7a6dcaa2d89023e38ecd0490ab9e

SHA512
271d2a5a4c296e06a1ffd1644acca947424468d3e873ecbc5763488b3d4a6d7f09723065c64130c5d4ddaf6f6e1c4272890726f91baa18b0d01f1e41bb699bb9

Download Submit
memory/1396-17-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/1396-18-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2220-4-0x000007FEF5EBE000-0x000007FEF5EBF000-memory.dmp

Filesize
4KB

Download
memory/2220-5-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2220-6-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2220-7-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-10-0x0000000002CBB000-0x0000000002D22000-memory.dmp

Filesize
412KB

Download
memory/2220-9-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-11-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-8-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

Filesize
9.6MB

Download