Overview

overview

6

Static

static

nlOiE.jpg.ps1

windows7_x64

1

nlOiE.jpg.ps1

windows10_x64

6

Resubmissions

13-01-2021 08:15

210113-c1g9srxafs 6

12-01-2021 06:28

210112-q7pndqt7qn 6

Analysis

  • max time kernel
    136s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-01-2021 08:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nlOiE.jpg.ps1

  • Size

    745KB

  • MD5

    a20b49ae1d1200c84a0344f5ad3353dd

  • SHA1

    3c4e0a61b36c90603d540d83471ab07efe330055

  • SHA256

    2834d72111e621f895420cd798a08fd8da8371c1062eb0b9bbc7446d7212804e

  • SHA512

    1e80bf08e024d86792c680cf12fc53c6e7fe52d1c1a02c990ce46cda410c4dab6840912b4894cd97f3cf74dfa401bd56eba43187f14fe1735c133fc6bea9f5da

Score
6/10

Malware Config

Signatures

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\nlOiE.jpg.ps1
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:644
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/644-2-0x00007FFC34C00000-0x00007FFC355EC000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/644-3-0x00000292206B0000-0x00000292206B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/644-4-0x000002923B1C0000-0x000002923B1C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/644-5-0x000002921EE80000-0x000002921EE87000-memory.dmp
    Filesize

    28KB

    Download
  • memory/644-6-0x00000292206E0000-0x00000292206E8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/3780-7-0x0000000000400000-0x000000000045E000-memory.dmp
    Filesize

    376KB

    Download
  • memory/3780-8-0x00000000004581CE-mapping.dmp
    Download
  • memory/3780-9-0x0000000073E60000-0x000000007454E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3780-12-0x0000000005860000-0x0000000005861000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-13-0x0000000005360000-0x0000000005361000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-14-0x0000000005530000-0x0000000005531000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-15-0x0000000006080000-0x0000000006081000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-16-0x0000000006450000-0x0000000006451000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-17-0x00000000067D0000-0x00000000067D1000-memory.dmp
    Filesize

    4KB

    Download