Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-12-2024 02:39

General

  • Target

    3b8fc9046c06420b3382cf851595370e4bb75ad0330c44515ad6bedb286dbfc7.ps1

  • Size

    2.0MB

  • MD5

    4e71954ab5a47de9f74938dc0cd3c84f

  • SHA1

    781b4cffead59d083d301c7eec7d55250b5a4317

  • SHA256

    3b8fc9046c06420b3382cf851595370e4bb75ad0330c44515ad6bedb286dbfc7

  • SHA512

    3a44a383686308352a5499d21a30317c61ea8caa81145001af22f5de536a2f3e73da43fafca53696be3923e86bb8780e5b503c3e5f379c1407362fca3909cd80

  • SSDEEP

    24576:bSgmuyXfET5YN3b2LLG1z/7E4/KpdMJczdsrbIm:biMSNKLq1zjAU

Score
3/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3b8fc9046c06420b3382cf851595370e4bb75ad0330c44515ad6bedb286dbfc7.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /tn 3losh /tr AutoHotkey64.exe /sc minute /mo 2 /st 02:41 /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2820
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {AC2FD419-98C3-4519-A4AA-9EF85799D916} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
    1⤵
      PID:3036

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1716-4-0x000007FEF58EE000-0x000007FEF58EF000-memory.dmp

      Filesize

      4KB

    • memory/1716-5-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

      Filesize

      2.9MB

    • memory/1716-7-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

      Filesize

      9.6MB

    • memory/1716-6-0x0000000002390000-0x0000000002398000-memory.dmp

      Filesize

      32KB

    • memory/1716-9-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

      Filesize

      9.6MB

    • memory/1716-8-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

      Filesize

      9.6MB

    • memory/1716-11-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

      Filesize

      9.6MB

    • memory/1716-10-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

      Filesize

      9.6MB

    • memory/1716-12-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

      Filesize

      9.6MB

    • memory/1716-13-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

      Filesize

      9.6MB