Analysis Overview
SHA256
8287d54c83db03b8adcdf1409f5d1c9abb1693ac8d000b5ae75b3a296cb3061c
Threat Level: Likely malicious
The file WindowsUPD.ps1 was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 09:39
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 09:39
Reported
2024-11-13 09:41
Platform
win7-20241010-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "Powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsUPD.ps1\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\WindowsUPD.ps1
Network
| Country | Destination | Domain | Proto |
| US | 94.158.244.69:443 | tcp |
Files
memory/844-4-0x000007FEF58FE000-0x000007FEF58FF000-memory.dmp
memory/844-5-0x000000001B370000-0x000000001B652000-memory.dmp
memory/844-7-0x0000000001F30000-0x0000000001F38000-memory.dmp
memory/844-6-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp
memory/844-8-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp
memory/844-9-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp
memory/844-10-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp
memory/844-11-0x000007FEF58FE000-0x000007FEF58FF000-memory.dmp
memory/844-12-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 09:39
Reported
2024-11-13 09:41
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
134s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "Powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsUPD.ps1\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\WindowsUPD.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 94.158.244.69:443 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
memory/4344-0-0x00007FFA484F3000-0x00007FFA484F5000-memory.dmp
memory/4344-1-0x000001D2E4200000-0x000001D2E4222000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_maafpx4e.hlx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4344-11-0x00007FFA484F0000-0x00007FFA48FB1000-memory.dmp
memory/4344-12-0x00007FFA484F0000-0x00007FFA48FB1000-memory.dmp
memory/4344-13-0x00007FFA484F0000-0x00007FFA48FB1000-memory.dmp
memory/4344-14-0x00007FFA484F3000-0x00007FFA484F5000-memory.dmp
memory/4344-15-0x00007FFA484F0000-0x00007FFA48FB1000-memory.dmp