Overview

overview

3

Static

static

3090bff3d1...80.ps1

windows7_x64

3

3090bff3d1...80.ps1

windows10_x64

1

Resubmissions

17-09-2020 15:35

200917-35p4dy1zb6 10

17-09-2020 15:29

200917-77hjbe43r6 3

Analysis

  • max time kernel
    133s
  • max time network
    9s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    17-09-2020 15:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80.ps1

  • Size

    1.4MB

  • MD5

    d87fcd8d2bf450b0056a151e9a116f72

  • SHA1

    48cb6bdbe092e5a90c778114b2dda43ce3221c9f

  • SHA256

    3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80

  • SHA512

    61a636aca3d224dcd2ed29ca000cf0ecf88f51ffd7cb5182ea4599c9e889cb74b78824d93c7383457bd6d591506202527d44c6a15c93a9ab9cfc8230faddd04b

Score
3/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p55l3ixk\p55l3ixk.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1860
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4615.tmp" "c:\Users\Admin\AppData\Local\Temp\p55l3ixk\CSC867CC9E196254607BA18F6A5DD63143F.TMP"
        3⤵
          PID:1844
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80.ps1"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1960
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l3nzxfpj\l3nzxfpj.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1352
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES672C.tmp" "c:\Users\Admin\AppData\Local\Temp\l3nzxfpj\CSC82C3CB0A8B24C439B3ECE1423DB5587.TMP"
            4⤵
              PID:852
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 1580
            3⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:976

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES4615.tmp
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES672C.tmp
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\l3nzxfpj\l3nzxfpj.dll
        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\p55l3ixk\p55l3ixk.dll
        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\l3nzxfpj\CSC82C3CB0A8B24C439B3ECE1423DB5587.TMP
        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\l3nzxfpj\l3nzxfpj.0.cs
        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\l3nzxfpj\l3nzxfpj.cmdline
        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\p55l3ixk\CSC867CC9E196254607BA18F6A5DD63143F.TMP
        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\p55l3ixk\p55l3ixk.0.cs
        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\p55l3ixk\p55l3ixk.cmdline
        Download Submit

      • memory/852-47-0x0000000000000000-mapping.dmp

        Download

      • memory/976-52-0x0000000000000000-mapping.dmp

        Download

      • memory/976-53-0x0000000001E30000-0x0000000001E41000-memory.dmp

        Filesize

        68KB

        Download

      • memory/976-68-0x0000000002740000-0x0000000002751000-memory.dmp

        Filesize

        68KB

        Download

      • memory/976-69-0x0000000002740000-0x0000000002751000-memory.dmp

        Filesize

        68KB

        Download

      • memory/1184-13-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1184-0-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1184-5-0x000000001C250000-0x000000001C251000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1184-4-0x00000000022D0000-0x00000000022D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1184-3-0x0000000002500000-0x0000000002501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1184-2-0x000000001AC30000-0x000000001AC31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1184-1-0x0000000001F30000-0x0000000001F31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1352-44-0x0000000000000000-mapping.dmp

        Download

      • memory/1844-9-0x0000000000000000-mapping.dmp

        Download

      • memory/1860-6-0x0000000000000000-mapping.dmp

        Download

      • memory/1960-56-0x0000000000000000-mapping.dmp

        Download

      • memory/1960-27-0x00000000062C0000-0x00000000062C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1960-57-0x0000000000000000-mapping.dmp

        Download

      • memory/1960-58-0x0000000000000000-mapping.dmp

        Download

      • memory/1960-18-0x0000000002560000-0x0000000002561000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1960-17-0x0000000004A10000-0x0000000004A11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1960-16-0x00000000024B0000-0x00000000024B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1960-51-0x0000000006640000-0x0000000006641000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1960-15-0x0000000072D30000-0x000000007341E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1960-14-0x0000000000000000-mapping.dmp

        Download

      • memory/1960-54-0x0000000000000000-mapping.dmp

        Download

      • memory/1960-55-0x0000000000000000-mapping.dmp

        Download

      • memory/1960-41-0x0000000006550000-0x0000000006551000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1960-32-0x0000000006310000-0x0000000006311000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1960-19-0x00000000049A0000-0x00000000049A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1960-59-0x0000000000000000-mapping.dmp

        Download

      • memory/1960-60-0x0000000000000000-mapping.dmp

        Download

      • memory/1960-61-0x0000000000000000-mapping.dmp

        Download

      • memory/1960-62-0x0000000000000000-mapping.dmp

        Download

      • memory/1960-63-0x0000000000000000-mapping.dmp

        Download

      • memory/1960-64-0x0000000000000000-mapping.dmp

        Download

      • memory/1960-65-0x0000000000000000-mapping.dmp

        Download

      • memory/1960-66-0x0000000000000000-mapping.dmp

        Download

      • memory/1960-67-0x0000000000000000-mapping.dmp

        Download

      • memory/1960-33-0x0000000006480000-0x0000000006481000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1960-40-0x0000000006530000-0x0000000006531000-memory.dmp

        Filesize

        4KB

        Download