Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
04-12-2024 13:49
Static task
static1
Behavioral task
behavioral1
Sample
c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6.ps1
Resource
win7-20240903-en
General
-
Target
c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6.ps1
-
Size
208B
-
MD5
f74352d968ebe606fcc81a9d827e5ccf
-
SHA1
1d6b0838ef4e437998b11ea7c15691e483d7b9d6
-
SHA256
c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6
-
SHA512
b8cf2b1d9fd7b4c2557918d05b89cc179f60849c6959dcefd92a26619c4af53cd5deb13bca6b9028af1934628626a3f0d27c463f38d4f73f5e1aedc37c080178
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes. In this sample the observed call is Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local, i.e. a path exclusion covering the user's local application data directory (the same tree the launcher script was run from).
pid   Process
1692  powershell.exe
2364  powershell.exe
1692  powershell.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
2364  powershell.exe
1692  powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description               pid   Process
Token: SeDebugPrivilege   2364  powershell.exe
Token: SeDebugPrivilege   1692  powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description                        pid   Process         procid_target
PID 2364 wrote to memory of 1692   2364  powershell.exe  31
PID 2364 wrote to memory of 1692   2364  powershell.exe  31
PID 2364 wrote to memory of 1692   2364  powershell.exe  31
Processes
-
1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6.ps1
   - Command and Scripting Interpreter: PowerShell
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2364 -
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (spawned by PID 2364)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1692
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 1888a37b30b050f00fea926ae9df4284
SHA1 c6961e57c8d51276ecb3416b0ebd0f66c0d49461
SHA256 0aa1c2d449fa8f0efd4deab5b8f6cb83940ecf3c2d48bbc843ca1f4d6bedf981
SHA512 c374e4b78b6b2fff6d3ff1de1cf8273271b8dae4b896bf19699fd50514df3cf728e91968a09a56873a040a02d6f03173879d1b09338ff74e702a1dd90125ceeb