Analysis
max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20241010-en
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted
31/10/2024, 02:34
Static task
static1
Behavioral task
behavioral1
Sample
7dd51a31f3cdd9713c2fd7fba05b61e83a2c5f3e9179c72bf419ae1a4a24f933.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
7dd51a31f3cdd9713c2fd7fba05b61e83a2c5f3e9179c72bf419ae1a4a24f933.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Bilist/Blyants.ps1
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
Bilist/Blyants.ps1
Resource
win10v2004-20241007-en
General
Target
Bilist/Blyants.ps1
Size
51KB
MD5
f33c58ea75c086600c12aabd70fe5ed3
SHA1
4901a7a2708a0cdc628899801896cdd54e5d83e2
SHA256
74ccc7d9f777f47ae3fc9bac599d05d6bb7af85228aea4834e36329297b5765b
SHA512
52f45268ff703c6178a78662a38f765cdc4dcd57f962e574b42b6852522835fb22b534c0f1764b78807f0ec806ceef0b4c57964ffd9f566f0c16bffaa1830eb0
SSDEEP
768:BFT6VjXLo/zpwczhgCOaUReDBW6aQwsihuZkZC6T3dpAAq8M:nGLobu6hXJUC95wsUS96TzAAqZ
Malware Config
Signatures
pid Process
1580 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
1580 powershell.exe
1580 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 1580 powershell.exe
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target
PID 1580 wrote to memory of 2752 1580 powershell.exe 31
PID 1580 wrote to memory of 2752 1580 powershell.exe 31
PID 1580 wrote to memory of 2752 1580 powershell.exe 31
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Bilist\Blyants.ps1
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580
  C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "1580" "912"
  PID:2752
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
1KB
MD5
c24bc669996230dad7249fefc6a559e8
SHA1
5850586be5a592aaa9ec22d1d031bcdc1b547cd9
SHA256
0182fb87ca3d9b1d948bb9ed06b89f779570d4e5fed08cd3e0a90f9a7e0030b0
SHA512
2bc87e280b7f8f3a222ef201ace4dec5be3cf712b5b4e0959ddabc3ec06090cf00a4c2dee2911b58f56dc3019e4fbc7f28e4bb20ae72e394a1294c65aa8a6485