Analysis
-
max time kernel: 117s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 05-12-2024 03:16
Static task: static1
Behavioral task: behavioral1
Sample: c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6.ps1
Resource: win7-20240903-en
General
-
Target: c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6.ps1
Size: 208B
MD5: f74352d968ebe606fcc81a9d827e5ccf
SHA1: 1d6b0838ef4e437998b11ea7c15691e483d7b9d6
SHA256: c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6
SHA512: b8cf2b1d9fd7b4c2557918d05b89cc179f60849c6959dcefd92a26619c4af53cd5deb13bca6b9028af1934628626a3f0d27c463f38d4f73f5e1aedc37c080178
Malware Config
Signatures
-
(signature name missing from the page) 3 IoCs
  pid   Process
  2736  powershell.exe
  2892  powershell.exe
  2892  powershell.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
  pid   Process
  2736  powershell.exe
  2892  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  2736  powershell.exe
  Token: SeDebugPrivilege  2892  powershell.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
  description                       pid   Process         procid_target
  PID 2736 wrote to memory of 2892  2736  powershell.exe  29
  PID 2736 wrote to memory of 2892  2736  powershell.exe  29
  PID 2736 wrote to memory of 2892  2736  powershell.exe  29
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\c185695a5c260e4c77fe5a0999ce23f9a3ea45f89b15003a18e8c3052e75beb6.ps1
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2736
  -
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (spawned by PID 2736)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: c6f4fd3e1435c415c2c6e7b5e51df28a
  SHA1: eb19e904837057a7a96d8bb0bd9f0b8f17b49057
  SHA256: b78173b258f2dbaaade05efeffc4a3f8d214d6115e4aa490aa97e5e9ba41fc60
  SHA512: 0acfbbb27fbbd01ff13b88218909d94983b5a927ed7a4e6c88c4fddb9147fc5554c897b795e18b4dec17928b092b2509d867baf8736784808b966986e4cbe64b