Analysis
max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 09:39
Static task: static1
Behavioral task: behavioral1
  Sample: WindowsUPD.ps1
  Resource: win7-20241010-en
  5 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: WindowsUPD.ps1
  Resource: win10v2004-20241007-en
  5 signatures, 150 seconds
General
Target: WindowsUPD.ps1
Size: 15KB
MD5: 0fd79133bd46b420056204b475719cd5
SHA1: 79e581dee9b2a19943fe79136d58859e4ac5dffa
SHA256: 8287d54c83db03b8adcdf1409f5d1c9abb1693ac8d000b5ae75b3a296cb3061c
SHA512: bfe8b5fba989e9ebcd84c15b0a35ae8e6e1cf882dac4c334e16e58278950bb27ea5fb7b50b84d88bff0382cc94364db9e11e816cc143e12044dfacb0494d3401
SSDEEP: 384:cnjSh4f+dEYIQXHrxQE4EEoM/WoML1QZTWBh0ndH0mu0n+Eu/XoRxoqOTXYSJ8JR:cnjSh4f+dEYBHrxQE4EEoM/WoML1QZTP
Score: 8/10
Malware Config
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes: flow 2, pid 844, powershell.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: powershell.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "Powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsUPD.ps1\""
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: pid 844, powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: pid 844, powershell.exe
  description: Token: SeDebugPrivilege
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\WindowsUPD.ps1
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 844