Analysis

max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2024 13:44

Static task: static1
Behavioral task: behavioral1
Sample: c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6.ps1
Resource: win7-20240903-en
General

Target: c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6.ps1
Size: 208B
MD5: f74352d968ebe606fcc81a9d827e5ccf
SHA1: 1d6b0838ef4e437998b11ea7c15691e483d7b9d6
SHA256: c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6
SHA512: b8cf2b1d9fd7b4c2557918d05b89cc179f60849c6959dcefd92a26619c4af53cd5deb13bca6b9028af1934628626a3f0d27c463f38d4f73f5e1aedc37c080178
Malware Config

Signatures

pid   Process
2104  powershell.exe
2144  powershell.exe
2144  powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2104  powershell.exe
2144  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2104  powershell.exe
Token: SeDebugPrivilege  2144  powershell.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process         procid_target
PID 2104 wrote to memory of 2144  2104  powershell.exe  31
PID 2104 wrote to memory of 2144  2104  powershell.exe  31
PID 2104 wrote to memory of 2144  2104  powershell.exe  31
Processes

- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6.ps1
  PID: 2104
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local
    PID: 2144
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 041fb3329e3396182328f29b490aef4a
  SHA1: 42bc833e4dc09038299ac0034ba59fa522e67474
  SHA256: aee96eed35f1651d1b2be1982bd0d811ed599f3b2cfbb45b9ede74d44a13fc86
  SHA512: 6c587b5c71ebfa0ff69da3508587d869279154ce8585d34dee4094950b9b23f7f39fe3219e637e9fb80b0359a6286632d800ac3d57b2f41f6c23f921c9c60a8f