Analysis
- max time kernel: 147s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 21-11-2020 03:41
Static task: static1
Behavioral task: behavioral1
- Sample: cleartemp.ps1
- Resource: win7v20201028
- Platform: windows7_x64
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: cleartemp.ps1
- Resource: win10v20201028
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: cleartemp.ps1
- Size: 146KB
- MD5: d37fc91fc835071a3438abe832fe8583
- SHA1: f48e6bf381bbbaf9dccfd5803435aee862a64d45
- SHA256: 0b07889a65e837600a28ae2df7c2fe6aa5a5cb93440e013139d7c0829a603599
- SHA512: 411a42662eb54e9506e98d6e5e695aec58efbc2186f34764859f21824945659d20b82240836d6f36143448fd606a0aff69d1d2263189f9892b42c728d385f39b
- Score: 8/10
Malware Config
Signatures
- Blacklisted process makes network request (1 IoC)
  Processes: flow 9, pid 416, process powershell.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes: pid 416, process powershell.exe (reported 7 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: description "Token: SeDebugPrivilege", pid 416, process powershell.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: pid 416, process powershell.exe
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\cleartemp.ps1
  Signatures:
  - Blacklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow