Analysis

max time kernel     119s
max time network    120s
platform            windows7_x64
resource            win7-20240708-en
resource tags       arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted           24-12-2024 11:35
Static task
static1

Behavioral tasks
behavioral1   sample 1.ps1   resource win7-20240903-en
behavioral2   sample 1.ps1   resource win10v2004-20241007-en
behavioral3   sample 2.ps1   resource win7-20240708-en
behavioral4   sample 2.ps1   resource win10v2004-20241007-en

(The results on this page are for behavioral3: target 2.ps1 on win7-20240708-en, matching the platform and resource in the Analysis block above.)
General

Target    2.ps1
Size      257KB
MD5       1782325a32c0d152d2fc5f936764096b
SHA1      32708733721654fd7ce18a2cc5859404dd365b48
SHA256    e1dd619f137db33a6223900a330af2c9bb58b55b01504f142a27a4f44880a3ca
SHA512    592aa5ef0a6b9f746538e503d40c250122a166db9fbd37ce08607b210ecdb09d7b42c5ca898d4b7ff0b3544f202aa7a52b7704f148f66df38ae9c836468b56a4
SSDEEP    6144:aRQRmeIR/ENCsOFAjL3vTV8MG0NsPSSzQw6ACnfRFG5jc:wXiL7XvLw6Ak6o
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell  2 IoCs
[signature name not captured in the extracted page; the same two PIDs carry this tag in the process tree below]
  pid    process
  1820   powershell.exe
  2788   powershell.exe

Suspicious behavior: EnumeratesProcesses  3 IoCs
  pid    process
  1820   powershell.exe
  2136   powershell.exe
  2788   powershell.exe

Suspicious use of AdjustPrivilegeToken  3 IoCs
  description               pid    process
  Token: SeDebugPrivilege   1820   powershell.exe
  Token: SeDebugPrivilege   2136   powershell.exe
  Token: SeDebugPrivilege   2788   powershell.exe

Suspicious use of WriteProcessMemory  6 IoCs
  description                        pid    process          procid_target
  PID 1820 wrote to memory of 2136   1820   powershell.exe   31
  PID 1820 wrote to memory of 2136   1820   powershell.exe   31
  PID 1820 wrote to memory of 2136   1820   powershell.exe   31
  PID 1820 wrote to memory of 2788   1820   powershell.exe   33
  PID 1820 wrote to memory of 2788   1820   powershell.exe   33
  PID 1820 wrote to memory of 2788   1820   powershell.exe   33
Processes
(depth follows the tree markers in the report; parent PIDs for the depth-2 entries follow the WriteProcessMemory rows, 1820 -> 2136 and 1820 -> 2788)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 1, PID 1820)
command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2.ps1
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 2, PID 2136, parent 1820)
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" = C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (depth 2, PID 2788, parent 1820)
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\ZVRWWLCFPWDOBNVCDRSFZL.ps1'"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
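The chain above is the detection-relevant content of this report: the sample is launched with -ExecutionPolicy bypass (which is not a security boundary, only a per-session policy override), PowerShell spawns PowerShell, and the second stage is written under C:\ProgramData in a directory with a random-looking upper-case name and run with -NoProfile -ExecutionPolicy Bypass (ATT&CK T1059.001, the "Command and Scripting Interpreter: PowerShell" tag above). The following is an added example, not part of the sandbox report or the sample: a small Python checker that scores process records built from the three command lines above. The records, field names, indicator names, weights and the staging-directory list are my own constructions; parent PIDs for 2136 and 2788 are taken from the WriteProcessMemory rows.

```python
"""Flag a PowerShell staging chain of the kind shown in this report.

Added example (not the sandbox's code). Records are constructed from the
report's process tree; ppid for 2136 and 2788 follows the WriteProcessMemory
rows (1820 wrote to 2136 and to 2788). Indicator names and weights are mine.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Constructed from the command lines in this report.
PROCS = [
    Proc(1820, None,
         r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2.ps1"),
    Proc(2136, 1820,
         r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" = C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL'),
    Proc(2788, 1820,
         r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\ZVRWWLCFPWDOBNVCDRSFZL\ZVRWWLCFPWDOBNVCDRSFZL.ps1'"'''),
]

# "-ExecutionPolicy bypass" or the "-ep bypass" short form, any case.
POLICY_BYPASS = re.compile(r"-(?:ExecutionPolicy|ep)\s+bypass", re.I)
# Any .ps1 path on the command line (quoted or bare); stops at whitespace or quotes.
SCRIPT_PATH = re.compile(r"([A-Za-z]:\\[^\s\"']+\.ps1)", re.I)
# User-writable locations commonly used to stage second-stage scripts (heuristic list, my own).
STAGING_DIRS = ("c:\\programdata\\", "\\appdata\\local\\temp\\", "c:\\users\\public\\")
# A path component of 16 or more consecutive upper-case letters, e.g. ZVRWWLCFPWDOBNVCDRSFZL (heuristic).
RANDOM_DIR = re.compile(r"\\([A-Z]{16,})(?![A-Za-z0-9])")

WEIGHTS = {
    "execution_policy_bypass": 2,
    "noprofile": 1,
    "script_in_staging_dir": 2,
    "random_name_directory": 2,
    "powershell_spawns_powershell": 2,
}


def is_powershell(image: str) -> bool:
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def analyse(procs: List[Proc]) -> Dict[int, List[str]]:
    """Return, per PID, the ordered list of indicators its record triggers."""
    by_pid = {p.pid: p for p in procs}
    findings: Dict[int, List[str]] = {}
    for p in procs:
        hits: List[str] = []
        if POLICY_BYPASS.search(p.cmdline):
            hits.append("execution_policy_bypass")
        if "-noprofile" in p.cmdline.lower():
            hits.append("noprofile")
        if any(d in path.lower() for path in SCRIPT_PATH.findall(p.cmdline) for d in STAGING_DIRS):
            hits.append("script_in_staging_dir")
        if RANDOM_DIR.search(p.cmdline):
            hits.append("random_name_directory")
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if parent is not None and is_powershell(parent.image) and is_powershell(p.image):
            hits.append("powershell_spawns_powershell")
        findings[p.pid] = hits
    return findings


def score(hits: List[str]) -> int:
    """Sum the weights of the indicators a single process triggered."""
    return sum(WEIGHTS[h] for h in hits)


def chain_is_suspicious(findings: Dict[int, List[str]], threshold: int = 6) -> bool:
    """True when any single process in the tree reaches the score threshold."""
    return any(score(h) >= threshold for h in findings.values())


if __name__ == "__main__":
    result = analyse(PROCS)
    for pid, hits in result.items():
        print(pid, score(hits), hits)
    print("suspicious chain:", chain_is_suspicious(result))
```

On this report's records the second-stage process (PID 2788) triggers every indicator and scores 9, which is what a rule keyed on PowerShell-spawns-PowerShell plus a policy bypass into a staging directory should fire on; the entry process alone (bypass plus a script in Temp) scores 4 and would only be a lead. The heuristics are deliberately narrow (16+ upper-case letters, three staging directories); real telemetry will need tuning for legitimate installers that also use ProgramData.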
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
(a Windows jump-list file under the user's Recent folder, i.e. a host artifact of the session, not a payload fetched over the network)
Filesize   7KB
MD5        8c57663433b644f3f807cda1447e160c
SHA1       1a8f9e2ccc0ee047267c2b0ca6c69126a3c0261a
SHA256     3835a443d6e207088b2f9bdeba2785c2f2ba1353ee9db52bd82dccf55b34f85e
SHA512     5237ef01e75defe40c17154aa1a529978a6571716f37c5fb1c66caddfe50092462b027facbbd13156f5422b91256df18d29a48fe82e10318b2ed44d2865f45cf