2834d72111e621f895420cd798a08fd8da8371c1062eb0b9bbc7446d7212804e

Resubmissions

13-01-2021 08:15

210113-c1g9srxafs 6

12-01-2021 06:28

210112-q7pndqt7qn 6

Analysis

max time kernel
150s
max time network
91s
platform
windows7_x64
resource
win7v20201028
submitted
12-01-2021 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nlOiE.jpg.ps1
Size

745KB
MD5

a20b49ae1d1200c84a0344f5ad3353dd
SHA1

3c4e0a61b36c90603d540d83471ab07efe330055
SHA256

2834d72111e621f895420cd798a08fd8da8371c1062eb0b9bbc7446d7212804e
SHA512

1e80bf08e024d86792c680cf12fc53c6e7fe52d1c1a02c990ce46cda410c4dab6840912b4894cd97f3cf74dfa401bd56eba43187f14fe1735c133fc6bea9f5da

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exe

pid	process
1408	powershell.exe
1408	powershell.exe
1408	powershell.exe
1408	powershell.exe
1408	powershell.exe
1408	powershell.exe
1408	powershell.exe
1408	powershell.exe
1408	powershell.exe
1408	powershell.exe
1408	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1408 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1408	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 1408 wrote to memory of 1068	1408	powershell.exe	MSBuild.exe
PID 1408 wrote to memory of 1068	1408	powershell.exe	MSBuild.exe
PID 1408 wrote to memory of 1068	1408	powershell.exe	MSBuild.exe
PID 1408 wrote to memory of 1068	1408	powershell.exe	MSBuild.exe
PID 1408 wrote to memory of 1672	1408	powershell.exe	MSBuild.exe
PID 1408 wrote to memory of 1672	1408	powershell.exe	MSBuild.exe
PID 1408 wrote to memory of 1672	1408	powershell.exe	MSBuild.exe
PID 1408 wrote to memory of 1672	1408	powershell.exe	MSBuild.exe
PID 1408 wrote to memory of 764	1408	powershell.exe	MSBuild.exe
PID 1408 wrote to memory of 764	1408	powershell.exe	MSBuild.exe
PID 1408 wrote to memory of 764	1408	powershell.exe	MSBuild.exe
PID 1408 wrote to memory of 764	1408	powershell.exe	MSBuild.exe
PID 1408 wrote to memory of 368	1408	powershell.exe	MSBuild.exe
PID 1408 wrote to memory of 368	1408	powershell.exe	MSBuild.exe
PID 1408 wrote to memory of 368	1408	powershell.exe	MSBuild.exe
PID 1408 wrote to memory of 368	1408	powershell.exe	MSBuild.exe
PID 1408 wrote to memory of 544	1408	powershell.exe	MSBuild.exe
PID 1408 wrote to memory of 544	1408	powershell.exe	MSBuild.exe
PID 1408 wrote to memory of 544	1408	powershell.exe	MSBuild.exe
PID 1408 wrote to memory of 544	1408	powershell.exe	MSBuild.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\nlOiE.jpg.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:1068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:544

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1408-2-0x000007FEF5C90000-0x000007FEF667C000-memory.dmp

Filesize
9.9MB

Download
memory/1408-3-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/1408-4-0x000000001ACB0000-0x000000001ACB1000-memory.dmp

Filesize
4KB

Download
memory/1408-5-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1408-6-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/1408-7-0x000000001C4F0000-0x000000001C4F1000-memory.dmp

Filesize
4KB

Download
memory/1408-8-0x0000000002580000-0x0000000002587000-memory.dmp

Filesize
28KB

Download
memory/1408-9-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads