Analysis

Max time kernel: 111s
Max time network: 117s
Platform: windows7_x64
Resource: win7
Submitted: 13-07-2020 12:42

Static task: static1

Behavioral task: behavioral1
Sample: ev.ps1
Resource: win7 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: ev.ps1
Resource: win10v200430 (windows10_x64)
0 signatures, 0 seconds
General

Target: ev.ps1
Size: 1KB
MD5: 9830264dcac9b966dcdc809527689262
SHA1: 9733c49c7f5026d6b51683f8781b6ba27fdcc541
SHA256: e0a1b6e2efc496d31187a85565ed59a54b47df4f0666285d3e6bf6fc4d372f46
SHA512: b613a9298d1f878ae8efb1b5e790954d08e1e6ebc3aeb3b0434dc6ad54605710a56e045315a4f601cffb61285c44278b15a8ea892ded6c96aca2e11822e22650
Score: 9/10
Malware Config

Signatures
Suspicious use of AdjustPrivilegeToken (13 IoCs)
Processes: powershell.exe, wevtutil.exe (x6)

Description                 PID   Process
Token: SeDebugPrivilege     1768  powershell.exe
Token: SeSecurityPrivilege  1888  wevtutil.exe
Token: SeBackupPrivilege    1888  wevtutil.exe
Token: SeSecurityPrivilege  1896  wevtutil.exe
Token: SeBackupPrivilege    1896  wevtutil.exe
Token: SeSecurityPrivilege  1904  wevtutil.exe
Token: SeBackupPrivilege    1904  wevtutil.exe
Token: SeSecurityPrivilege  1940  wevtutil.exe
Token: SeBackupPrivilege    1940  wevtutil.exe
Token: SeSecurityPrivilege  1956  wevtutil.exe
Token: SeBackupPrivilege    1956  wevtutil.exe
Token: SeSecurityPrivilege  1968  wevtutil.exe
Token: SeBackupPrivilege    1968  wevtutil.exe

SeSecurityPrivilege ("Manage auditing and security log") is what a process needs to read or clear the Security log; every wevtutil.exe child enables it together with SeBackupPrivilege, whether it is exporting or clearing, so the token pattern alone does not tell the two operations apart. The command lines in the process tree do.
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: powershell.exe

PID   Process
1768  powershell.exe
Suspicious use of WriteProcessMemory (18 IoCs)
Processes: powershell.exe

Description      PID   Process         Target PID  Target process  Writes
wrote to memory  1768  powershell.exe  1888        wevtutil.exe    3
wrote to memory  1768  powershell.exe  1896        wevtutil.exe    3
wrote to memory  1768  powershell.exe  1904        wevtutil.exe    3
wrote to memory  1768  powershell.exe  1940        wevtutil.exe    3
wrote to memory  1768  powershell.exe  1956        wevtutil.exe    3
wrote to memory  1768  powershell.exe  1968        wevtutil.exe    3
Clears Windows event logs (1 TTP)
Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1768)
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ev.ps1
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\wevtutil.exe (PID 1888)
        "C:\Windows\system32\wevtutil.exe" epl System "D:\WindowsEventLogs\AVGLFESB-System-07/12/2020 12:42:33.evtx"
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\wevtutil.exe (PID 1896)
        "C:\Windows\system32\wevtutil.exe" cl System
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\wevtutil.exe (PID 1904)
        "C:\Windows\system32\wevtutil.exe" epl Security "D:\WindowsEventLogs\AVGLFESB-Security-07/12/2020 12:42:33.evtx"
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\wevtutil.exe (PID 1940)
        "C:\Windows\system32\wevtutil.exe" cl Security
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\wevtutil.exe (PID 1956)
        "C:\Windows\system32\wevtutil.exe" epl Application "D:\WindowsEventLogs\AVGLFESB-Application-07/12/2020 12:42:33.evtx"
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\wevtutil.exe (PID 1968)
        "C:\Windows\system32\wevtutil.exe" cl Application
        - Suspicious use of AdjustPrivilegeToken
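The process tree is the whole story of ev.ps1: a PowerShell host started with -ExecutionPolicy bypass spawns wevtutil.exe six times, and for each of System, Security and Application it first exports the log (epl) to a file under D:\WindowsEventLogs\ and then clears it (cl). Two practitioner caveats: the export file names contain "/" and ":" characters, which Windows treats as a path separator and does not allow in a file name, so the report gives no evidence that the exports actually succeeded, while the clears need nothing but the privileges shown above; and clearing a log is itself logged (Event ID 1102 in the Security log, Event ID 104 in the System log), which is written after the wipe and is the other place to look. The detection logic below is an added example written for this page, not code from the report or from ev.ps1. It takes process-creation records of the kind Sysmon Event ID 1 or Security 4688 provide, flags every wevtutil clear, and records whether the same parent exported that log first (the take-a-copy-then-wipe sequence this sample shows) and whether the parent was launched with an execution-policy bypass. It goes beyond the sample in also recognising the long-form verbs (clear-log, export-log) and the /bu: option, with which a single clear-log backs the log up and wipes it in one command. The sample records are constructed from the PIDs and command lines in the report; the parent PID of powershell.exe is a placeholder (the report does not show it), the two control scenarios are constructed, and the bypass regex is a heuristic.

```python
"""Detect the wevtutil export-then-clear pattern in process-creation records.

Added example, not code from the report or from ev.ps1. Records must be given in
creation order. The sample data below is constructed from the report's process
tree plus two constructed control scenarios.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from ntpath import basename
from shlex import split

CLEAR_VERBS = {"cl", "clear-log"}     # wevtutil clear-log and its short alias
EXPORT_VERBS = {"epl", "export-log"}  # wevtutil export-log and its short alias
# Heuristic: -ExecutionPolicy bypass, any unambiguous prefix of it, or -ep bypass.
BYPASS_RE = re.compile(r"-e(?:xec\w*|p)\s+bypass", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields Sysmon EID 1 / Security 4688 provide)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def _tokens(cmdline):
    # Non-POSIX mode keeps backslashes literal and keeps a quoted path with spaces as one token.
    return [t.strip('"') for t in split(cmdline, posix=False)]


def parse_wevtutil(cmdline):
    """Return (verb, log_name, backs_up) for a wevtutil export/clear command line, else None.

    backs_up is True when clear-log carries /bu: (/backup:), which writes the log to a
    file before clearing it, so one 'cl' is both the export and the wipe.
    """
    toks = _tokens(cmdline)
    if len(toks) < 3 or basename(toks[0]).lower() not in ("wevtutil.exe", "wevtutil"):
        return None
    verb = toks[1].lower()
    if verb not in CLEAR_VERBS | EXPORT_VERBS:
        return None
    backs_up = any(t.lower().startswith(("/bu:", "/backup:")) for t in toks[3:])
    return verb, toks[2], backs_up


def find_log_clears(events):
    """Flag every wevtutil clear; note whether the same parent exported that log first."""
    by_pid = {e.pid: e for e in events}
    exported = defaultdict(set)  # parent pid -> log names that parent has already exported
    findings = []
    for e in events:
        parsed = parse_wevtutil(e.cmdline)
        if parsed is None:
            continue
        verb, log, backs_up = parsed
        if verb in EXPORT_VERBS:
            exported[e.ppid].add(log.lower())
            continue
        parent = by_pid.get(e.ppid)
        findings.append({
            "pid": e.pid,
            "log": log,
            "parent_pid": e.ppid,
            "parent_image": basename(parent.image).lower() if parent else None,
            "parent_bypass": bool(parent and BYPASS_RE.search(parent.cmdline)),
            "backed_up_first": backs_up or log.lower() in exported[e.ppid],
        })
    return findings


WEVTUTIL = r"C:\Windows\system32\wevtutil.exe"
# Constructed from the report's process tree; ppid 0 for powershell.exe is a placeholder.
SAMPLE = [
    ProcEvent(1768, 0, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ev.ps1"),
    ProcEvent(1888, 1768, WEVTUTIL, f'"{WEVTUTIL}" epl System "D:\\WindowsEventLogs\\AVGLFESB-System-07/12/2020 12:42:33.evtx"'),
    ProcEvent(1896, 1768, WEVTUTIL, f'"{WEVTUTIL}" cl System'),
    ProcEvent(1904, 1768, WEVTUTIL, f'"{WEVTUTIL}" epl Security "D:\\WindowsEventLogs\\AVGLFESB-Security-07/12/2020 12:42:33.evtx"'),
    ProcEvent(1940, 1768, WEVTUTIL, f'"{WEVTUTIL}" cl Security'),
    ProcEvent(1956, 1768, WEVTUTIL, f'"{WEVTUTIL}" epl Application "D:\\WindowsEventLogs\\AVGLFESB-Application-07/12/2020 12:42:33.evtx"'),
    ProcEvent(1968, 1768, WEVTUTIL, f'"{WEVTUTIL}" cl Application'),
]
# Constructed control: a backup job that exports the Security log and never clears it.
EXPORT_ONLY = [
    ProcEvent(2000, 1500, r"C:\Windows\system32\cmd.exe", r"cmd.exe /c backup.cmd"),
    ProcEvent(2004, 2000, WEVTUTIL, f'"{WEVTUTIL}" epl Security C:\\backup\\security.evtx'),
]
# Constructed edge case: backup and clear in one command via /bu:, from an interactive cmd.exe.
CLEAR_WITH_BACKUP = [
    ProcEvent(3000, 1500, r"C:\Windows\system32\cmd.exe", r"cmd.exe"),
    ProcEvent(3004, 3000, WEVTUTIL, f'"{WEVTUTIL}" cl Setup /bu:C:\\backup\\setup.evtx'),
]

if __name__ == "__main__":
    for finding in find_log_clears(SAMPLE + EXPORT_ONLY + CLEAR_WITH_BACKUP):
        print(finding)
```

On the report's records the function returns three findings, one per cleared log, each with parent PID 1768, parent_image powershell.exe, parent_bypass True and backed_up_first True; the export-only control produces none, and the /bu: case produces one finding with backed_up_first True and parent_bypass False. In a real pipeline the parent fields would come from the same event source's ParentProcessId/ParentCommandLine rather than from a lookup over the batch.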