2834d72111e621f895420cd798a08fd8da8371c1062eb0b9bbc7446d7212804e

Resubmissions

13-01-2021 08:15

210113-c1g9srxafs 6

12-01-2021 06:28

210112-q7pndqt7qn 6

Analysis

max time kernel
8s
max time network
11s
platform
windows7_x64
resource
win7v20201028
submitted
13-01-2021 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nlOiE.jpg.ps1
Size

745KB
MD5

a20b49ae1d1200c84a0344f5ad3353dd
SHA1

3c4e0a61b36c90603d540d83471ab07efe330055
SHA256

2834d72111e621f895420cd798a08fd8da8371c1062eb0b9bbc7446d7212804e
SHA512

1e80bf08e024d86792c680cf12fc53c6e7fe52d1c1a02c990ce46cda410c4dab6840912b4894cd97f3cf74dfa401bd56eba43187f14fe1735c133fc6bea9f5da

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exe

pid	process
596	powershell.exe
596	powershell.exe
596	powershell.exe
596	powershell.exe
596	powershell.exe
596	powershell.exe
596	powershell.exe
596	powershell.exe
596	powershell.exe
596	powershell.exe
596	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 596 powershell.exe

description	pid	process
Token: SeDebugPrivilege	596	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 596 wrote to memory of 1628	596	powershell.exe	MSBuild.exe
PID 596 wrote to memory of 1628	596	powershell.exe	MSBuild.exe
PID 596 wrote to memory of 1628	596	powershell.exe	MSBuild.exe
PID 596 wrote to memory of 1628	596	powershell.exe	MSBuild.exe
PID 596 wrote to memory of 336	596	powershell.exe	MSBuild.exe
PID 596 wrote to memory of 336	596	powershell.exe	MSBuild.exe
PID 596 wrote to memory of 336	596	powershell.exe	MSBuild.exe
PID 596 wrote to memory of 336	596	powershell.exe	MSBuild.exe
PID 596 wrote to memory of 840	596	powershell.exe	MSBuild.exe
PID 596 wrote to memory of 840	596	powershell.exe	MSBuild.exe
PID 596 wrote to memory of 840	596	powershell.exe	MSBuild.exe
PID 596 wrote to memory of 840	596	powershell.exe	MSBuild.exe
PID 596 wrote to memory of 1204	596	powershell.exe	MSBuild.exe
PID 596 wrote to memory of 1204	596	powershell.exe	MSBuild.exe
PID 596 wrote to memory of 1204	596	powershell.exe	MSBuild.exe
PID 596 wrote to memory of 1204	596	powershell.exe	MSBuild.exe
PID 596 wrote to memory of 1624	596	powershell.exe	MSBuild.exe
PID 596 wrote to memory of 1624	596	powershell.exe	MSBuild.exe
PID 596 wrote to memory of 1624	596	powershell.exe	MSBuild.exe
PID 596 wrote to memory of 1624	596	powershell.exe	MSBuild.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\nlOiE.jpg.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:1204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:1624

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/596-2-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/596-3-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/596-4-0x000000001AB50000-0x000000001AB51000-memory.dmp

Filesize
4KB

Download
memory/596-5-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/596-6-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/596-7-0x000000001C1E0000-0x000000001C1E1000-memory.dmp

Filesize
4KB

Download
memory/596-8-0x00000000023B0000-0x00000000023B7000-memory.dmp

Filesize
28KB

Download
memory/596-9-0x00000000023F0000-0x00000000023F8000-memory.dmp

Filesize
32KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads