a524d1acb0692fc90e20548d4bea29b4996c4113420942e43addd8c5609e29a4

Analysis

max time kernel
121s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/02/2025, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

albion.ps1
Size

2KB
MD5

be8a297796619e2e1c2a81ccd6d28273
SHA1

db12d6bde2d2caf1ab10ed8096550fa320260496
SHA256

a524d1acb0692fc90e20548d4bea29b4996c4113420942e43addd8c5609e29a4
SHA512

53163cda3c0ef665b5fbf37c9e20f0e9cc2dbe952332dc98d990f62239894f8ed318fd1e36c93fcfe200d81e690593dea7e7f0eb89c78e2858b5101f1a2047f6

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2388	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2388	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2388	powershell.exe
2388	powershell.exe
2388	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2692	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2692	AcroRd32.exe
2692	AcroRd32.exe
2692	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2692	2388	powershell.exe	32
PID 2388 wrote to memory of 2692	2388	powershell.exe	32
PID 2388 wrote to memory of 2692	2388	powershell.exe	32
PID 2388 wrote to memory of 2692	2388	powershell.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\albion.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Albion.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Albion.pdf

Filesize
68KB

MD5
18f1268260dac5fb6336c720e6be238a

SHA1
b7539159d9f3f7917db7c0f267f4980c79322e9f

SHA256
b7612517337a7a3678e7f138dab36cd8a42e843f0536c0ccb74a2b0aa2224505

SHA512
2f593d48d0dc9fd32bd53f877e7047dda386bac7566bca414bf291162da155960a6955a19999b91c5a8e2afd7e6ce7f73c9001870111c46833d60eff511f7a1e

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
efe098dbd6ff4c7cea84e2775367cc1c

SHA1
a56d7f89b360e1f5d72c222a2c8c138eab45eca5

SHA256
2038eb0de79e0fcb8935f5351316da957dbe64cd2e83f1f80428c4428459028a

SHA512
96950bbe1e559e674d3248da0380d8126ba0a6243ad5c28ae904dffa8ceda1e1f785bea95e42dea6bb574c4f9c1ddab38455653a19954d95bf5af1d135ef55b0

Download Submit
memory/2388-4-0x000007FEF5BDE000-0x000007FEF5BDF000-memory.dmp

Filesize
4KB

Download
memory/2388-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2388-7-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

Filesize
9.6MB

Download
memory/2388-6-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2388-8-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

Filesize
9.6MB

Download
memory/2388-10-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

Filesize
9.6MB

Download
memory/2388-9-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

Filesize
9.6MB

Download
memory/2388-11-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

Filesize
9.6MB

Download
memory/2388-15-0x000007FEF5BDE000-0x000007FEF5BDF000-memory.dmp

Filesize
4KB

Download
memory/2388-31-0x000007FEF5920000-0x000007FEF62BD000-memory.dmp

Filesize
9.6MB

Download