ScreenShot
| Created | 2023.05.03 09:59 | Machine | s1_win7_x6401 |
| Filename | index.html.ps1 | ||
| Type | ASCII text | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 4 detected (Malicious, score, Minerva, rluha, WebDownload) | ||
| md5 | d5ab587aaa4bf24d17ab42179b798b10 | ||
| sha256 | e6d3217f89dc53f97989f05188b19f090dbbe1510a17c31398bcfeafa2fe7cba | ||
| ssdeep | 12:SV2A9812cMnfAWn0nk79N4j0XeKceNS08Sp0NQeMRn:jABcsbbj4a/c47D8QTRn | ||
| imphash | |||
| impfuzzy | |||
Network IP location
Signature (24cnts)
| Level | Description |
|---|---|
| watch | Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe |
| watch | One or more non-whitelisted processes were created |
| watch | The process powershell.exe wrote an executable file to disk |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a shortcut to an executable file |
| notice | Creates a suspicious process |
| notice | Executes one or more WMI queries |
| notice | File has been identified by 4 AntiVirus engines on VirusTotal as malicious |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | One or more potentially interesting buffers were extracted |
| notice | Performs some HTTP requests |
| notice | Poweshell is sending data to a remote host |
| notice | Sends data using the HTTP POST Method |
| notice | URL downloaded by powershell script |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Command line console output was observed |
| info | Powershell script has download & invoke calls |
| info | Queries for the computername |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| info | PowerShell | PowerShell script | scripts |
| info | PowershellDI | Extract Download/Invoke calls from powershell script | scripts |
Network (6cnts) ?
Suricata ids
ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND
ET HUNTING Suspicious Possible Process Dump in POST body
ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration
ET HUNTING Suspicious Possible Process Dump in POST body
ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration