Analysis
-
max time kernel
130s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13-11-2024 09:40
Static task
static1
Behavioral task
behavioral1
Sample
b087e1309f3eab6302d7503079af1ad6af06d70a932f7a6ae1421b942048e28a.ps1
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
b087e1309f3eab6302d7503079af1ad6af06d70a932f7a6ae1421b942048e28a.ps1
Resource
win10v2004-20241007-en
General
-
Target
b087e1309f3eab6302d7503079af1ad6af06d70a932f7a6ae1421b942048e28a.ps1
-
Size
18KB
-
MD5
4176233617a9d682e17e8cf97d8925b1
-
SHA1
7249fb9226c81142bd0266f0268579a1b4d370b1
-
SHA256
b087e1309f3eab6302d7503079af1ad6af06d70a932f7a6ae1421b942048e28a
-
SHA512
febf9ea8c0e39a92ed4bcad1d1b8a982eb2fa2e992b98d4f6bbd0973e6587137ab16ec7b12f45b34cf634beaffb8d28de2d6df3dfcc9a421ccca7fef99171fca
-
SSDEEP
384:GGQ+Q3QoQZQSQrQsQ9QmAokfdyG6X4SNjEK++oG/ooGLdQVToFhbcB3OY8Pn1EYm:GzbAZm3slij84SNjEK++oG/ooGLdQVTv
Malware Config
Signatures
-
Blocklisted process makes network request 7 IoCs
Processes:
powershell.exeflow pid Process 2 2400 powershell.exe 3 2400 powershell.exe 4 2400 powershell.exe 5 2400 powershell.exe 6 2400 powershell.exe 7 2400 powershell.exe 8 2400 powershell.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
powershell.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "Powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\b087e1309f3eab6302d7503079af1ad6af06d70a932f7a6ae1421b942048e28a.ps1\"" powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid Process 2400 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid Process Token: SeDebugPrivilege 2400 powershell.exe
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b087e1309f3eab6302d7503079af1ad6af06d70a932f7a6ae1421b942048e28a.ps11⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400