caa2b71e65aecfaebef638d92ff3f59a6669eb0032dcd760167772e6230150a6

Resubmissions

21-11-2024 05:27

241121-f5k8xsydrc 10

21-11-2024 05:25

241121-f4n87azdml 10

21-11-2024 05:20

241121-f1m7qatmbq 10

21-11-2024 05:18

241121-fy9ypstmar 10

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.ps1
Size

643B
MD5

ce59d2b172748a12fd462a9aa9e0bbcc
SHA1

8fd4a148b78988e34b8f90cd8c04cde91d49577d
SHA256

caa2b71e65aecfaebef638d92ff3f59a6669eb0032dcd760167772e6230150a6
SHA512

2aa4ca0b5110a627f880736ab0c563e91302e0ebc98359d6271abc0133636c4f3db2c2ee2ecdd6c8e6e21ce0fdeac3a1ff934970b7eecc6c6fd62f2814d16543

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	3044	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3044	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3044	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3044-4-0x000007FEF468E000-0x000007FEF468F000-memory.dmp

Filesize
4KB

Download
memory/3044-5-0x000000001B880000-0x000000001BB62000-memory.dmp

Filesize
2.9MB

Download
memory/3044-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/3044-8-0x000007FEF43D0000-0x000007FEF4D6D000-memory.dmp

Filesize
9.6MB

Download
memory/3044-7-0x000007FEF43D0000-0x000007FEF4D6D000-memory.dmp

Filesize
9.6MB

Download
memory/3044-9-0x000007FEF43D0000-0x000007FEF4D6D000-memory.dmp

Filesize
9.6MB

Download
memory/3044-11-0x000007FEF43D0000-0x000007FEF4D6D000-memory.dmp

Filesize
9.6MB

Download