Overview

overview

6

Static

static

nlOiE.jpg.ps1

windows7_x64

1

nlOiE.jpg.ps1

windows10_x64

6

Resubmissions

13-01-2021 08:15

210113-c1g9srxafs 6

12-01-2021 06:28

210112-q7pndqt7qn 6

Analysis

  • max time kernel
    25s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    12-01-2021 06:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nlOiE.jpg.ps1

  • Size

    745KB

  • MD5

    a20b49ae1d1200c84a0344f5ad3353dd

  • SHA1

    3c4e0a61b36c90603d540d83471ab07efe330055

  • SHA256

    2834d72111e621f895420cd798a08fd8da8371c1062eb0b9bbc7446d7212804e

  • SHA512

    1e80bf08e024d86792c680cf12fc53c6e7fe52d1c1a02c990ce46cda410c4dab6840912b4894cd97f3cf74dfa401bd56eba43187f14fe1735c133fc6bea9f5da

Score
6/10

Malware Config

Signatures

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\nlOiE.jpg.ps1
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/192-13-0x0000000005090000-0x0000000005091000-memory.dmp
    Filesize

    4KB

    Download
  • memory/192-12-0x0000000005590000-0x0000000005591000-memory.dmp
    Filesize

    4KB

    Download
  • memory/192-17-0x00000000064D0000-0x00000000064D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/192-16-0x0000000006160000-0x0000000006161000-memory.dmp
    Filesize

    4KB

    Download
  • memory/192-15-0x0000000005D90000-0x0000000005D91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/192-7-0x0000000000400000-0x000000000045E000-memory.dmp
    Filesize

    376KB

    Download
  • memory/192-9-0x0000000073AD0000-0x00000000741BE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/192-8-0x00000000004581CE-mapping.dmp
    Download
  • memory/192-14-0x0000000005230000-0x0000000005231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/884-2-0x00007FFA6B300000-0x00007FFA6BCEC000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/884-3-0x000002AB78910000-0x000002AB78911000-memory.dmp
    Filesize

    4KB

    Download
  • memory/884-6-0x000002AB789A0000-0x000002AB789A8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/884-5-0x000002AB78990000-0x000002AB78997000-memory.dmp
    Filesize

    28KB

    Download
  • memory/884-4-0x000002AB78F60000-0x000002AB78F61000-memory.dmp
    Filesize

    4KB

    Download