Analysis

- max time kernel: 150s
- max time network: 91s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 12-01-2021 06:28

Static task: static1

Behavioral task: behavioral1
- Sample: nlOiE.jpg.ps1
- Resource: win7v20201028 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: nlOiE.jpg.ps1
- Resource: win10v20201028 (windows10_x64)
- 0 signatures
- 0 seconds
General

- Target: nlOiE.jpg.ps1
- Size: 745KB
- MD5: a20b49ae1d1200c84a0344f5ad3353dd
- SHA1: 3c4e0a61b36c90603d540d83471ab07efe330055
- SHA256: 2834d72111e621f895420cd798a08fd8da8371c1062eb0b9bbc7446d7212804e
- SHA512: 1e80bf08e024d86792c680cf12fc53c6e7fe52d1c1a02c990ce46cda410c4dab6840912b4894cd97f3cf74dfa401bd56eba43187f14fe1735c133fc6bea9f5da
- Score: 1/10
Malware Config
Signatures

- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid | Process
  1408 | powershell.exe (same entry recorded 11 times)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 1408 | powershell.exe

- Suspicious use of WriteProcessMemory (20 IoCs; each entry below recorded 4 times)
  description | pid | Process | procid_target
  PID 1408 wrote to memory of 1068 | 1408 | powershell.exe | 30
  PID 1408 wrote to memory of 1672 | 1408 | powershell.exe | 32
  PID 1408 wrote to memory of 764 | 1408 | powershell.exe | 31
  PID 1408 wrote to memory of 368 | 1408 | powershell.exe | 33
  PID 1408 wrote to memory of 544 | 1408 | powershell.exe | 34
Processes

- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 1)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\nlOiE.jpg.ps1
  PID: 1408
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 1068

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 764

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 1672

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 368

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 544