4dcca5d3269eb44f3cf7af62c0da3b6acab67eb758c9fb2f5cc5b1d13a7286f7

Analysis

max time kernel
133s
max time network
137s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27/02/2025, 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

osnova.ps1
Size

2KB
MD5

5e68cbe68666c656fb39e21bfca5cea4
SHA1

837976c146b02d48ccd9c23d0edc4327533854c5
SHA256

4dcca5d3269eb44f3cf7af62c0da3b6acab67eb758c9fb2f5cc5b1d13a7286f7
SHA512

d5addc542ce04d4a4f90e313b70a8c04d41406e8a6983b6c489d24d316bfafb922cfec848efa87155634b5cda7485bde17c9ad5af2fccb22bc6dff409486ba3d

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	1736	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1736	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1736	powershell.exe
1736	powershell.exe
1736	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2168	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2168	AcroRd32.exe
2168	AcroRd32.exe
2168	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2168	1736	powershell.exe	31
PID 1736 wrote to memory of 2168	1736	powershell.exe	31
PID 1736 wrote to memory of 2168	1736	powershell.exe	31
PID 1736 wrote to memory of 2168	1736	powershell.exe	31

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\osnova.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1710407310845.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1710407310845.pdf

Filesize
2.4MB

MD5
c5b1f05e8ea15a8dd4c961850615d58b

SHA1
e6c5d429c7c30f23e063b795780c5d55a16ea467

SHA256
a7e617783d7f1b0079c605126fba074ee7ee431077cd97d391e41f364a0afe1b

SHA512
45e1cca8765231e952577d68d54d2efea7ad9d00e61927f32ffa215338f3856e52c426253edae302fecdbf98303f018acde0f64b811813a34a65261ac717c944

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
71c8b7ab690d2254fb1e188b01dc7ed1

SHA1
5a56637ca0038aed659540f4035bcc96073d7bce

SHA256
33cd82743dfe3cd90d6e2e9e3b66e09d7c73a1c3cb1d0f0df75099a715cd53d2

SHA512
858a0752231e6c7af09395fc42b7c398d792ed1078e080f8560022e2e9af66b06791fea21ef3b9573773df3ebd256e42cb3ded66b5d836229da61a3bb98c0c90

Download Submit
memory/1736-10-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/1736-6-0x0000000002080000-0x0000000002088000-memory.dmp

Filesize
32KB

Download
memory/1736-8-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/1736-9-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/1736-4-0x000007FEF53CE000-0x000007FEF53CF000-memory.dmp

Filesize
4KB

Download
memory/1736-11-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/1736-13-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/1736-14-0x000007FEF53CE000-0x000007FEF53CF000-memory.dmp

Filesize
4KB

Download
memory/1736-15-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/1736-7-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/1736-5-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/1736-34-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download