Overview

overview

10

Static

static

1

test.ps1

windows7-x64

8

test.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    16s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • submitted
    08/10/2024, 18:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test.ps1

  • Size

    702B

  • MD5

    b629e4a76638f91a67059188d07e27f6

  • SHA1

    42b37211578e971c684b493c8b604874518652e3

  • SHA256

    b4dabf844bceeb5b1fa448549735296b4bdf289f346f960228d52a7a09e35ea1

  • SHA512

    e11cd5638890756787640c60cd6beaa8a61a6998d1077010da6f0b5f32bd67e176b09d984948cabd68ae2fa6fd9408a44360f0911d93fa205b7821af43b5784c

Score
8/10
execution

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\test.ps1
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Users\Public\ajbs50ul.bat
      "C:\Users\Public\ajbs50ul.bat"
      2⤵
      • Executes dropped EXE
      PID:2672
    • C:\Users\Admin\AppData\Local\Temp\utox_x86_x64.exe
      "C:\Users\Admin\AppData\Local\Temp\utox_x86_x64.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2764 -s 200
        3⤵
        • Loads dropped DLL
        PID:2196

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\utox_x86_x64.exe
    Filesize

    4.7MB

    MD5

    e9679980aa73cfc7cf00f3da7949c661

    SHA1

    53ba9e3a3a10ae0e72df4b3632d8d4135eb540b6

    SHA256

    d7bd224b2ef0014c679046c917becfface5f5aba2fbdb7dd3c17fe964c3cee97

    SHA512

    002aac023e1bbe3bbbf153ebc5462970aa98c84badea6bc1b8d333c98a5ed91540928b8848a9928607e12c0a1296a12424b2c2b0753e23afeb537249f04db8bc

    Download Submit

  • \Users\Public\ajbs50ul.bat
    Filesize

    2.2MB

    MD5

    8837df25aabc4fad85e851aca192f714

    SHA1

    c4fbd38356b7ee16eaf21deb83170bbcb0fe566a

    SHA256

    741cee2c6f6f8ee8a54923fa2a0c88085cede35bdc2e95b1b9f1800e894e6c19

    SHA512

    93f712ae3ca726b090df270feb1421ea98778260b7fe309e06ac3887b396d3dc8ab41655ec7d15a57cac8b467cca0395a52ef965765a26c9597f6512fdad88e2

    Download Submit

  • memory/2300-7-0x000007FEF6400000-0x000007FEF6D9D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2300-4-0x000007FEF66BE000-0x000007FEF66BF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2300-6-0x0000000001F90000-0x0000000001F98000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2300-9-0x000007FEF6400000-0x000007FEF6D9D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2300-10-0x000007FEF6400000-0x000007FEF6D9D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2300-11-0x000007FEF6400000-0x000007FEF6D9D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2300-8-0x000007FEF6400000-0x000007FEF6D9D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2300-5-0x000000001B660000-0x000000001B942000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2300-33-0x000007FEF6400000-0x000007FEF6D9D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2672-35-0x000000013FC00000-0x000000013FDE2000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2764-34-0x0000000000400000-0x000000000097B000-memory.dmp

    Filesize

    5.5MB

    Download