ScreenShot
| Created | 2023.12.13 20:13 | Machine | s1_win7_x6403 |
| Filename | paste.ps1 | ||
| Type | ASCII text, with CRLF line terminators | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : mailcious | ||
| VT API (file) | 19 detected (PowerShell, GenericKD, Malcode, CoinMiner, Malicious, score, Kqil, PShell, Miner, Detected, 50Q0HJ, ai score=87) | ||
| md5 | baeee25ebf0efeec414dce64b9e7aca7 | ||
| sha256 | 7282ddc11761e37ba18b13c7ad78e64215d43964d65570ce97f930194f85736d | ||
| ssdeep | 24:4f+Wq2P+Wlwo1dRSBA1PLVpB+dNH5HwYMFAwRjV5L5k3px3SewCTtTnPTO8wYZJ:urbrbNLVpGNZQ1AwRjX9E5rOFYX | ||
| imphash | |||
| impfuzzy | |||
Network IP location
Signature (25cnts)
| Level | Description |
|---|---|
| danger | The process powershell.exe wrote an executable file to disk which it then attempted to execute |
| watch | Communicates with host for which no DNS query was performed |
| watch | Connects to an IRC server |
| watch | Created a service where a service was also not started |
| watch | Detects Virtual Machines through their custom firmware |
| watch | Drops a binary and executes it |
| watch | File has been identified by 19 AntiVirus engines on VirusTotal as malicious |
| watch | Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe |
| watch | One or more non-whitelisted processes were created |
| watch | One or more of the buffers contains an embedded PE file |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Executes one or more WMI queries |
| notice | One or more potentially interesting buffers were extracted |
| notice | Poweshell is sending data to a remote host |
| notice | URL downloaded by powershell script |
| notice | Uses Windows utilities for basic Windows functionality |
| info | Checks amount of memory in system |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (9cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | XMRig_Miner_IN | XMRig Miner | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| info | IsPE64 | (no description) | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
Network (5cnts) ?
Suricata ids
ET INFO Dotted Quad Host RAR Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET POLICY Cryptocurrency Miner Checkin
ET POLICY Executable and linking format (ELF) file download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET POLICY Cryptocurrency Miner Checkin
ET POLICY Executable and linking format (ELF) file download