Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    24-12-2024 11:35

General

  • Target

    2.ps1

  • Size

    257KB

  • MD5

    1782325a32c0d152d2fc5f936764096b

  • SHA1

    32708733721654fd7ce18a2cc5859404dd365b48

  • SHA256

    e1dd619f137db33a6223900a330af2c9bb58b55b01504f142a27a4f44880a3ca

  • SHA512

    592aa5ef0a6b9f746538e503d40c250122a166db9fbd37ce08607b210ecdb09d7b42c5ca898d4b7ff0b3544f202aa7a52b7704f148f66df38ae9c836468b56a4

  • SSDEEP

    6144:aRQRmeIR/ENCsOFAjL3vTV8MG0NsPSSzQw6ACnfRFG5jc:wXiL7XvLw6Ak6o

Score
3/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" = C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2136
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\ZVRWWLCFPWDOBNVCDRSFZL.ps1'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2788

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    8c57663433b644f3f807cda1447e160c

    SHA1

    1a8f9e2ccc0ee047267c2b0ca6c69126a3c0261a

    SHA256

    3835a443d6e207088b2f9bdeba2785c2f2ba1353ee9db52bd82dccf55b34f85e

    SHA512

    5237ef01e75defe40c17154aa1a529978a6571716f37c5fb1c66caddfe50092462b027facbbd13156f5422b91256df18d29a48fe82e10318b2ed44d2865f45cf

  • memory/1820-10-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

    Filesize

    9.6MB

  • memory/1820-19-0x000007FEF544E000-0x000007FEF544F000-memory.dmp

    Filesize

    4KB

  • memory/1820-7-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

    Filesize

    9.6MB

  • memory/1820-8-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

    Filesize

    9.6MB

  • memory/1820-9-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

    Filesize

    9.6MB

  • memory/1820-4-0x000007FEF544E000-0x000007FEF544F000-memory.dmp

    Filesize

    4KB

  • memory/1820-5-0x000000001B780000-0x000000001BA62000-memory.dmp

    Filesize

    2.9MB

  • memory/1820-27-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

    Filesize

    9.6MB

  • memory/1820-21-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

    Filesize

    9.6MB

  • memory/1820-18-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

    Filesize

    9.6MB

  • memory/1820-6-0x0000000001F00000-0x0000000001F08000-memory.dmp

    Filesize

    32KB

  • memory/1820-20-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

    Filesize

    9.6MB

  • memory/2136-17-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

    Filesize

    9.6MB

  • memory/2136-16-0x000007FEF5190000-0x000007FEF5B2D000-memory.dmp

    Filesize

    9.6MB