Analysis

  • max time kernel
    146s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/03/2025, 14:06

General

  • Target

    Pericenter.ps1

  • Size

    53KB

  • MD5

    2d7a9b17a981757aeb3b8945b15bb897

  • SHA1

    7c27d9e5ce5ec9dfc5f13985769ca91698980e2a

  • SHA256

    7c7023149ea38184f67f040b8fac8f56804e7a84886678e7df8409354d3b0b7d

  • SHA512

    83370533553f6f55c644fc3b203c1e7e3572c69bc570776f0fbe79c146174fdfd3a037cf54c943222fd07d72fb0ac466b9154753adf4c5314a91ebfdbd8b2efe

  • SSDEEP

    1536:9pVgd3Kz6PAoQUUCuqfG2F9M15qJ3hLafjHcmM:9qKO4cnN59M15Ogg

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Enumerates connected drives 3 TTPs 8 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Pericenter.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1756
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4924
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2828
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2812
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4496
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2788
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of SendNotifyMessage
    PID:4968
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3704
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3848
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of SendNotifyMessage
    PID:452
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:376
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4508
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:1068
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3248
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

    Filesize

    471B

    MD5

    aea918d4ab089f8774d1c01eb73eafa2

    SHA1

    4ade313cebbe8a8f3cd842545a91ab432aa0466d

    SHA256

    66b3bd906042db31f6ad2a038a1354b8c36ffd8843644fd6c64dd2cabcbdb13e

    SHA512

    01dfacd8d876eea59686056ca3efb002ac2a39a6d00984f9f23dfed0fa84d6e6394d471484ce7c364dbc7ce97c39eccef464fd95d0d681da165ed014558ff843

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

    Filesize

    412B

    MD5

    f1d09fdbb544559964f3d30ba59bbd9b

    SHA1

    f506180cf8905ed06be009cee986560846ad45ac

    SHA256

    0c0b6ecce06ed722777d7f2f549ccf57f268fe764ffcb2a5370d18423c3b754e

    SHA512

    dc602fbbbb2e0a4fa8663eef421925ba6e0d05fe507dd9c80391cc9d80612a30f71fbda73d07a51325cf4640f319517d0ead1d20fd8a7aef6f2e3e14ebff1c53

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

    Filesize

    2KB

    MD5

    3bb8a8aacf483d1cf6fb96a0ff719cb0

    SHA1

    b10f52682d21e98d97055e09082c3ce29682fdfa

    SHA256

    6673dffcad674730592acec8e4a2c17c0263a476bc2a4ea4b3ee9a11586b77e8

    SHA512

    3d49d843900da99a902096e8b7d7c66cd3e5190c048bf5f63230f8cca7b37e658cfadbe50b41afbf7e7d7ec748cd50e0d451857bb4fb92f5760a4e793e6235fa

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_msotd_exe_15

    Filesize

    36KB

    MD5

    f35b45b5028b3b64375cbb3fafb44044

    SHA1

    24ed8611db1e76ee699152e10be6c96c60e8a7fe

    SHA256

    848a25007192b687231de4053ef7ba80b6df0e70d52342b4b1fd4abb14ec4c25

    SHA512

    0d7ddae93245cea32af0bd89bfe9f841bf905b97464fb87aeb5158190e0a166b69a88babc7498b88eefd41838696db2c6245ea63a3d5c5d8b78e702972f765c5

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc

    Filesize

    36KB

    MD5

    eab75a01498a0489b0c35e8b7d0036e5

    SHA1

    fd80fe2630e0443d1a1cef2bdb21257f3a162f86

    SHA256

    fdf01d2265452465fcbed01f1fdd994d8cbb41a40bbb1988166604c5450ead47

    SHA512

    2ec6c4f34dcf00b6588b536f15e3fe4d98a0b663c8d2a2df06aa7cface88e072e2c2b1b9aaf4dc5a17b29023a85297f1a007ff60b5d6d0c65d1546bf0e12dd45

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133858300155398514.txt

    Filesize

    75KB

    MD5

    ccdcb8b8be32cf0ca621000e778c7586

    SHA1

    36e8c58c9d4023b8802a101342b75928957ca557

    SHA256

    7b9d91e0c5957eeb965972d20053befe1e2bc2559469f053f37f58124f595db0

    SHA512

    e955b07d58f771b4ac4549c95fc0b4cff4dda2055f75c402003fae12b5310ae1acbc1bbe5c6c574f3b91f36c2d9046c6fc34ac23d53e1b36b23d84ec7ecf29d8

  • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\56YFM8IX\microsoft.windows[1].xml

    Filesize

    97B

    MD5

    b2f782dd91f04ad756e8a01927da38eb

    SHA1

    f16050be6e126d6f62f5553a5cf4e6264c8b6ba9

    SHA256

    593cd4b6bfcc0bf3aa5fb4e9fd38f9626329c7ef479cc6f3e11b91b60d5ea07a

    SHA512

    b412bcf00f9abd23b2c57f00a035b771aa8dec90c56ab0f876bdb03c804988d1858a3a313c2b4aaf8478b16e260982af6ce382db8fd03c3f0c2cd5304e77d355

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_unqznyyo.jax.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/452-348-0x0000000004640000-0x0000000004641000-memory.dmp

    Filesize

    4KB

  • memory/1756-18-0x00007FF93A370000-0x00007FF93AE31000-memory.dmp

    Filesize

    10.8MB

  • memory/1756-19-0x00007FF93A370000-0x00007FF93AE31000-memory.dmp

    Filesize

    10.8MB

  • memory/1756-20-0x00007FF93A370000-0x00007FF93AE31000-memory.dmp

    Filesize

    10.8MB

  • memory/1756-0-0x00007FF93A373000-0x00007FF93A375000-memory.dmp

    Filesize

    8KB

  • memory/1756-15-0x00000245CC160000-0x00000245CC18A000-memory.dmp

    Filesize

    168KB

  • memory/1756-10-0x00007FF93A370000-0x00007FF93AE31000-memory.dmp

    Filesize

    10.8MB

  • memory/1756-11-0x00000245CC0A0000-0x00000245CC0C2000-memory.dmp

    Filesize

    136KB

  • memory/1756-13-0x00007FF93A370000-0x00007FF93AE31000-memory.dmp

    Filesize

    10.8MB

  • memory/1756-14-0x00007FF93A370000-0x00007FF93AE31000-memory.dmp

    Filesize

    10.8MB

  • memory/1756-12-0x00007FF93A370000-0x00007FF93AE31000-memory.dmp

    Filesize

    10.8MB

  • memory/1756-16-0x00000245CC160000-0x00000245CC184000-memory.dmp

    Filesize

    144KB

  • memory/1968-493-0x0000014B16800000-0x0000014B16820000-memory.dmp

    Filesize

    128KB

  • memory/1968-523-0x0000014B167C0000-0x0000014B167E0000-memory.dmp

    Filesize

    128KB

  • memory/1968-525-0x0000014B16BD0000-0x0000014B16BF0000-memory.dmp

    Filesize

    128KB

  • memory/2788-44-0x000001BB60C10000-0x000001BB60C30000-memory.dmp

    Filesize

    128KB

  • memory/2788-56-0x000001BB61020000-0x000001BB61040000-memory.dmp

    Filesize

    128KB

  • memory/2788-35-0x000001BB60C50000-0x000001BB60C70000-memory.dmp

    Filesize

    128KB

  • memory/2788-31-0x000001BB5FD00000-0x000001BB5FE00000-memory.dmp

    Filesize

    1024KB

  • memory/2812-29-0x0000000004020000-0x0000000004021000-memory.dmp

    Filesize

    4KB

  • memory/3848-211-0x000002540D600000-0x000002540D620000-memory.dmp

    Filesize

    128KB

  • memory/3848-234-0x000002540DA00000-0x000002540DA20000-memory.dmp

    Filesize

    128KB

  • memory/3848-203-0x000002540D640000-0x000002540D660000-memory.dmp

    Filesize

    128KB

  • memory/3848-199-0x000002540C300000-0x000002540C400000-memory.dmp

    Filesize

    1024KB

  • memory/4508-356-0x0000017DB3B70000-0x0000017DB3B90000-memory.dmp

    Filesize

    128KB

  • memory/4508-377-0x0000017DB3F40000-0x0000017DB3F60000-memory.dmp

    Filesize

    128KB

  • memory/4508-367-0x0000017DB3B30000-0x0000017DB3B50000-memory.dmp

    Filesize

    128KB

  • memory/4968-195-0x0000000000A90000-0x0000000000A91000-memory.dmp

    Filesize

    4KB