Analysis
-
max time kernel
133s -
max time network
9s -
platform
windows7_x64 -
resource
win7 -
submitted
17-09-2020 15:29
Static task
static1
Behavioral task
behavioral1
Sample
3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80.ps1
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80.ps1
Resource
win10v200722
windows10_x64
0 signatures
0 seconds
General
-
Target
3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80.ps1
-
Size
1.4MB
-
MD5
d87fcd8d2bf450b0056a151e9a116f72
-
SHA1
48cb6bdbe092e5a90c778114b2dda43ce3221c9f
-
SHA256
3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80
-
SHA512
61a636aca3d224dcd2ed29ca000cf0ecf88f51ffd7cb5182ea4599c9e889cb74b78824d93c7383457bd6d591506202527d44c6a15c93a9ab9cfc8230faddd04b
Score
3/10
Malware Config
Signatures
-
Program crash 1 IoCs
pid pid_target Process procid_target 976 1960 WerFault.exe 31 -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 1184 powershell.exe 1184 powershell.exe 1960 powershell.exe 976 WerFault.exe 976 WerFault.exe 976 WerFault.exe 976 WerFault.exe 976 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 976 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1184 powershell.exe Token: SeDebugPrivilege 1960 powershell.exe Token: SeDebugPrivilege 976 WerFault.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 1184 wrote to memory of 1860 1184 powershell.exe 29 PID 1184 wrote to memory of 1860 1184 powershell.exe 29 PID 1184 wrote to memory of 1860 1184 powershell.exe 29 PID 1860 wrote to memory of 1844 1860 csc.exe 30 PID 1860 wrote to memory of 1844 1860 csc.exe 30 PID 1860 wrote to memory of 1844 1860 csc.exe 30 PID 1184 wrote to memory of 1960 1184 powershell.exe 31 PID 1184 wrote to memory of 1960 1184 powershell.exe 31 PID 1184 wrote to memory of 1960 1184 powershell.exe 31 PID 1184 wrote to memory of 1960 1184 powershell.exe 31 PID 1960 wrote to memory of 1352 1960 powershell.exe 33 PID 1960 wrote to memory of 1352 1960 powershell.exe 33 PID 1960 wrote to memory of 1352 1960 powershell.exe 33 PID 1960 wrote to memory of 1352 1960 powershell.exe 33 PID 1352 wrote to memory of 852 1352 csc.exe 34 PID 1352 wrote to memory of 852 1352 csc.exe 34 PID 1352 wrote to memory of 852 1352 csc.exe 34 PID 1352 wrote to memory of 852 1352 csc.exe 34 PID 1960 wrote to memory of 976 1960 powershell.exe 35 PID 1960 wrote to memory of 976 1960 powershell.exe 35 PID 1960 wrote to memory of 976 1960 powershell.exe 35 PID 1960 wrote to memory of 976 1960 powershell.exe 35
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p55l3ixk\p55l3ixk.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4615.tmp" "c:\Users\Admin\AppData\Local\Temp\p55l3ixk\CSC867CC9E196254607BA18F6A5DD63143F.TMP"3⤵PID:1844
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80.ps1"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l3nzxfpj\l3nzxfpj.cmdline"3⤵
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES672C.tmp" "c:\Users\Admin\AppData\Local\Temp\l3nzxfpj\CSC82C3CB0A8B24C439B3ECE1423DB5587.TMP"4⤵PID:852
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 15803⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:976
-
-