Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18-12-2024 09:20
Static task
static1
Behavioral task
behavioral1
Sample
xxx.ps1
Resource
win7-20240903-en
windows7-x64
6 signatures
150 seconds
General
-
Target
xxx.ps1
-
Size
2.0MB
-
MD5
4e71954ab5a47de9f74938dc0cd3c84f
-
SHA1
781b4cffead59d083d301c7eec7d55250b5a4317
-
SHA256
3b8fc9046c06420b3382cf851595370e4bb75ad0330c44515ad6bedb286dbfc7
-
SHA512
3a44a383686308352a5499d21a30317c61ea8caa81145001af22f5de536a2f3e73da43fafca53696be3923e86bb8780e5b503c3e5f379c1407362fca3909cd80
-
SSDEEP
24576:bSgmuyXfET5YN3b2LLG1z/7E4/KpdMJczdsrbIm:biMSNKLq1zjAU
Score
3/10
Malware Config
Signatures
-
pid Process 3020 powershell.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2372 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3020 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3020 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3020 wrote to memory of 2372 3020 powershell.exe 31 PID 3020 wrote to memory of 2372 3020 powershell.exe 31 PID 3020 wrote to memory of 2372 3020 powershell.exe 31 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\xxx.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /tn 3losh /tr AutoHotkey64.exe /sc minute /mo 2 /st 09:22 /f2⤵
- Scheduled Task/Job: Scheduled Task
PID:2372
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {BB4427C5-CD41-4B5E-98DA-A4E22E6AFA71} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]1⤵PID:2476