fca25adc23b7255059d672609cd4bc4e6ad18a4bec1ef7500409218ea9af16bd

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

script.ps1
Size

195B
MD5

10c96c74a759c05ce13b93cb66682028
SHA1

9d55576077b4a6e78dd8c3454e4e0cf3c318adc2
SHA256

fca25adc23b7255059d672609cd4bc4e6ad18a4bec1ef7500409218ea9af16bd
SHA512

3308fa52372e48d6ffdc56abb6775ab6e426ddf540677085cf02f7344a28a1c2f7163050ec40f2757ada2768e031ab7f507fbe50dcffb02c8d1bb056422ae5c4

Score

3^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2856	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2436	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2436	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2856	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2436	2856	powershell.exe	31
PID 2856 wrote to memory of 2436	2856	powershell.exe	31
PID 2856 wrote to memory of 2436	2856	powershell.exe	31

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" 8.8.8.8
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2856-4-0x000007FEF5D8E000-0x000007FEF5D8F000-memory.dmp

Filesize
4KB

Download
memory/2856-5-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2856-6-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/2856-7-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2856-8-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/2856-9-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/2856-10-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/2856-11-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/2856-12-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download