Overview

overview

3

Static

static

1

file.ps1

windows7-x64

3

file.ps1

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-09-2024 19:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.ps1

  • Size

    913B

  • MD5

    93ba68e441acfd1891c26c36f876318c

  • SHA1

    a448bddfe614476519bdb1d3529a1739670221d5

  • SHA256

    e40b1c97536de542e4e23d0ae4508be0a8738542985d41b1aaaa34d38a870ce2

  • SHA512

    c958f7b9917f15df3ff2dda87a53a5007dfe71565843a79c913151daad1b26064602c8d19d8e509b2a08eb1c50e740d79002fe0dc1e5f12c2bdd3682aabbe252

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:400
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4b0squh1\4b0squh1.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D6D.tmp" "c:\Users\Admin\AppData\Local\Temp\4b0squh1\CSCE6AFE98446314709B7C79ACA19FE1264.TMP"
        3⤵
          PID:1500

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\4b0squh1\4b0squh1.dll
      Filesize

      3KB

      MD5

      57a874cec6a5099f21ec01ddc3b9db42

      SHA1

      b0fc81f399adbc84b39e275504be183f40910df3

      SHA256

      a47b01cf757cb7b211c23e0a3851a52c1e53dd7e8f1bb2f6bcb36c4860152249

      SHA512

      4728b5f14e33e8ac1655c9d2b0470c758e65ac91aaa269f0f8964fcda7b92494d9fde736589552259cd80c51bed327719779fb2460cea5cb348c04d3d6b4988c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES7D6D.tmp
      Filesize

      1KB

      MD5

      5f3e2541dbc350c0031b91a2d661b2b7

      SHA1

      bcbaa58177a07cf2118755b5e15f1b6eedbe36dd

      SHA256

      6e8442fce15626ef491979468288f0aa54c755d76380a70fcd661d8c1b17ff84

      SHA512

      c7dd5932d10bb4ba2727f1c1dfccec06e14392fad9a415a2d5a834b735ac8cc3693e4d5184b3ebb7efd07dfa05db7e5e9b2115cb9cd71c88fb4609dfb2d79da6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_14xh0mcq.5yp.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\4b0squh1\4b0squh1.0.cs
      Filesize

      169B

      MD5

      2f010725190c2a4aed6464a6b07caa28

      SHA1

      8cdb73dbbfbf61bd612ec83d190a47340591ffe0

      SHA256

      b366f7a0857ef5ea51c30d49e93c0a75fc0138d57adc1663ac9ef06f0220af26

      SHA512

      4015fa2e09b48c107de80a91ff1812761994b5505d9c5f17efb4c12f5799f15b350a513d5427ba1dbe9de6105721a301b8c87d52f3d9eafad90dd0d1768fdedd

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\4b0squh1\4b0squh1.cmdline
      Filesize

      369B

      MD5

      6f98381f5090a7e8936234dcd5485b16

      SHA1

      a58710dfbd2be82a28ba5f42a032c468169bcc0e

      SHA256

      1bf3efff5c5011bd5e0880a744a393b9bbd8db1039589c3da1af86374cc50d3d

      SHA512

      cd57adc3bd15e96a7b9da7332bacb9427fe4c1ef668dd90021b77051e5868ef469a937231996a8527086400ebaee893556debff06498afa3280222677fd0da3a

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\4b0squh1\CSCE6AFE98446314709B7C79ACA19FE1264.TMP
      Filesize

      652B

      MD5

      f7d4f6c2d07e91fc96c63906d23e8ebf

      SHA1

      f4706581baa8b52e82c41b078abac529a0a13983

      SHA256

      19fd66b959422450567949e8b89f88a260f89ab3902a49950ca3d2a4c7872ec9

      SHA512

      c975737ae7b918a5b325afd7ddd62338a7cba33556e2274ff3fdd541b41ac1e1a63b6c58a003a64403d74ddd295445fba08aaa748aababe18c67ae6c1713fcbd

      Download Submit

    • memory/400-12-0x00007FFA09740000-0x00007FFA0A201000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/400-0-0x00007FFA09743000-0x00007FFA09745000-memory.dmp

      Filesize

      8KB

      Download

    • memory/400-11-0x00007FFA09740000-0x00007FFA0A201000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/400-1-0x0000022557530000-0x0000022557552000-memory.dmp

      Filesize

      136KB

      Download

    • memory/400-25-0x00000225579C0000-0x00000225579C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/400-27-0x00007FFA09740000-0x00007FFA0A201000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/400-30-0x00007FFA09740000-0x00007FFA0A201000-memory.dmp

      Filesize

      10.8MB

      Download