Overview

overview

10

Static

static

10

aio.ps1

windows7-x64

3

aio.ps1

windows10-2004-x64

3

Analysis

  • max time kernel
    94s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 15:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aio.ps1

  • Size

    239B

  • MD5

    b9ee37128bbd5cdd0530e9783b2bc963

  • SHA1

    37eaa842b78b58b8a922c764b7c485d5ef1689b8

  • SHA256

    7b75d18eca104c8be603e1c81a9e289731ca7a25a1c65f6514c3d61ff8079be9

  • SHA512

    46bc00ec333bc9b485b18af07cf3f08cbce0a4087e7a9cf3ee7539d365f5345b17114fa0a3e0e1a1143a8e9b6391fe1a509025f043e1cd84b39fd31dac99e814

Score
3/10
defense_evasionexecutionprivilege_escalation

Malware Config

Signatures

  • Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
    defense_evasionprivilege_escalation
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\aio.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4324
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Aioappinstaller\Aio.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell start -verb runas '"C:\Users\Admin\AppData\Local\Temp\Aioappinstaller\Aio.bat"' am_admin
        3⤵
        • Access Token Manipulation: Create Process with Token
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2484
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Aioappinstaller\Aio.bat" am_admin
          4⤵
            PID:1020

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      61e2e57471d559f5f6813c0a7995c075

      SHA1

      33c621541bc0892ddab1b65345a348c14af566e5

      SHA256

      c1acff9ad0b9cbb4f83f7953ec66d2ac7c37a6fa4a1474430fc1b04ad049231d

      SHA512

      9fb42b4b261b4114d113b7ea96ef33a0bade598332361499b97e5b92b72895f287f753d62d26ad86573ab9f56f1b052d2d4c61a4ccf287ef7d8e1c9363353a5c

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      bf968f8a964303d1d5c53d3138572339

      SHA1

      d58aa0e2f0f9e163a0ece3297682f4057a59e09f

      SHA256

      c06e2988c6024956ea6875a03a651e7c183ddb9928f26d1604cff2beb610e1fd

      SHA512

      22d94ad25b37fd1446554bf31210d9a1c03f87b3b26e9dcaddca3c9e2ad2b9c1fb9fc380c7e3411d7492c5b019ae7409fbca83375943798b8abd9fcccea9fd22

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lap2unkq.mf1.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/2484-34-0x00007FFEFADF0000-0x00007FFEFB8B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2484-32-0x00007FFEFADF0000-0x00007FFEFB8B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2484-30-0x00007FFEFADF0000-0x00007FFEFB8B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2484-29-0x00007FFEFADF0000-0x00007FFEFB8B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4324-11-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4324-18-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4324-15-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4324-14-0x0000026DF6150000-0x0000026DF6164000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4324-13-0x0000026DF5DC0000-0x0000026DF5DE6000-memory.dmp

      Filesize

      152KB

      Download

    • memory/4324-12-0x00007FFEFB170000-0x00007FFEFBC31000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4324-0-0x00007FFEFB173000-0x00007FFEFB175000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4324-1-0x0000026DF5C30000-0x0000026DF5C52000-memory.dmp

      Filesize

      136KB

      Download