Overview

overview

8

Static

static

1

windows.ps1

windows7-x64

3

windows.ps1

windows10-2004-x64

8

Resubmissions

01-07-2024 03:56

240701-ehcgtsvhqc 3

01-07-2024 03:54

240701-eggedsyeqj 10

01-07-2024 03:52

240701-efakfsyemj 10

01-07-2024 03:51

240701-eespmsvhka 1

01-07-2024 03:50

240701-ed98asyekk 1

01-07-2024 03:43

240701-d9wt4svfqh 8

01-07-2024 03:42

240701-d9dcrsvfnf 1

Analysis

  • max time kernel
    384s
  • max time network
    362s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 03:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    windows.ps1

  • Size

    322B

  • MD5

    38181352d7fdf3fbbecc10ddfcfaddde

  • SHA1

    7917d0c3d29c549ca9993187d4161cd9b1302585

  • SHA256

    1448fa49ba79b57f6381b21b450937882f3508b3d7c906a1c80f476b7fb8bea4

  • SHA512

    cc44b3c7a9322e1314fbbb034e7d57fd557dc675eb8dbf9fbe7c9ceff4760bf6f9fa2bf05102d80f13680b9cda8b3f84db32b89a0970c7115081cb5fc0c8dede

Score
8/10
execution

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\windows.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3580
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4176 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4648
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      1⤵
        PID:3628
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        1⤵
          PID:3052

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_by2afc5b.vyf.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit
        • memory/3580-0-0x00007FF984463000-0x00007FF984465000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3580-10-0x00000211676C0000-0x00000211676E2000-memory.dmp
          Filesize

          136KB

          Download
        • memory/3580-11-0x00007FF984460000-0x00007FF984F21000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/3580-12-0x00007FF984460000-0x00007FF984F21000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/3580-13-0x00007FF984460000-0x00007FF984F21000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/3580-15-0x0000021167AA0000-0x0000021167AB2000-memory.dmp
          Filesize

          72KB

          Download
        • memory/3580-16-0x0000021167730000-0x000002116773A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/3580-19-0x00007FF984460000-0x00007FF984F21000-memory.dmp
          Filesize

          10.8MB

          Download