General
- Target: philerbum.ps1
- Size: 236B
- Sample: 250402-hq9zvasyaw
- MD5: 4872578532f7050afd655766822ee818
- SHA1: feff9ef8492c31905b03407a451de67ee5d6b6db
- SHA256: 6f84b7ce7b930120199800d0ff1feecfd33ab0c94e974528745ef90a3e96db2c
- SHA512: 770f1fd5e5bebb5ff94e9bac493b1a2900e95f4becce65b66ed7ba507aa145d88e780bc5927822a8e787aa917727e1e68f103400ca6cb67f67bcbda14b1bcee0

Static task: static1
Behavioral task: behavioral1
- Sample: philerbum.ps1
- Resource: win11-20250313-en
Malware Config

Targets
- Target: philerbum.ps1
- Size: 236B
- MD5: 4872578532f7050afd655766822ee818
- SHA1: feff9ef8492c31905b03407a451de67ee5d6b6db
- SHA256: 6f84b7ce7b930120199800d0ff1feecfd33ab0c94e974528745ef90a3e96db2c
- SHA512: 770f1fd5e5bebb5ff94e9bac493b1a2900e95f4becce65b66ed7ba507aa145d88e780bc5927822a8e787aa917727e1e68f103400ca6cb67f67bcbda14b1bcee0
Signatures
- Drops file in Drivers directory
- Manipulates Digital Signatures: Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
- Possible privilege escalation attempt
- Boot or Logon Autostart Execution: Print Processors: Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
- Indicator Removal: Clear Windows Event Logs: Clear Windows Event Logs to hide the activity of an intrusion.
- Indirect Command Execution: Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
- Modifies file permissions
- Power Settings: powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
- Drops file in System32 directory
- Modifies termsrv.dll: Commonly used to allow simultaneous RDP sessions.