Analysis
-
max time kernel
54s -
max time network
94s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
17-09-2020 15:29
Static task
static1
Behavioral task
behavioral1
Sample
3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80.ps1
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80.ps1
Resource
win10v200722
windows10_x64
0 signatures
0 seconds
General
-
Target
3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80.ps1
-
Size
1.4MB
-
MD5
d87fcd8d2bf450b0056a151e9a116f72
-
SHA1
48cb6bdbe092e5a90c778114b2dda43ce3221c9f
-
SHA256
3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80
-
SHA512
61a636aca3d224dcd2ed29ca000cf0ecf88f51ffd7cb5182ea4599c9e889cb74b78824d93c7383457bd6d591506202527d44c6a15c93a9ab9cfc8230faddd04b
Score
1/10
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2096 powershell.exe 2096 powershell.exe 2096 powershell.exe 2096 powershell.exe 3376 powershell.exe 3376 powershell.exe 3376 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2096 powershell.exe Token: SeDebugPrivilege 3376 powershell.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 2096 wrote to memory of 3988 2096 powershell.exe 73 PID 2096 wrote to memory of 3988 2096 powershell.exe 73 PID 3988 wrote to memory of 3708 3988 csc.exe 74 PID 3988 wrote to memory of 3708 3988 csc.exe 74 PID 2096 wrote to memory of 3376 2096 powershell.exe 75 PID 2096 wrote to memory of 3376 2096 powershell.exe 75 PID 2096 wrote to memory of 3376 2096 powershell.exe 75 PID 3376 wrote to memory of 1596 3376 powershell.exe 80 PID 3376 wrote to memory of 1596 3376 powershell.exe 80 PID 3376 wrote to memory of 1596 3376 powershell.exe 80 PID 1596 wrote to memory of 3260 1596 csc.exe 81 PID 1596 wrote to memory of 3260 1596 csc.exe 81 PID 1596 wrote to memory of 3260 1596 csc.exe 81
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3litlsg5\3litlsg5.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6111.tmp" "c:\Users\Admin\AppData\Local\Temp\3litlsg5\CSCFD6B1E76B1A8471F854223D392347.TMP"3⤵PID:3708
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80.ps1"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jqrrdj5q\jqrrdj5q.cmdline"3⤵
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB4E.tmp" "c:\Users\Admin\AppData\Local\Temp\jqrrdj5q\CSC17F96824681E41E58A41E252ACA9FD39.TMP"4⤵PID:3260
-
-
-