Overview

overview

5

Static

static

e475114b48...db.ps1

windows7_x64

5

e475114b48...db.ps1

windows10_x64

5

Analysis

  • max time kernel
    150s
  • max time network
    104s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-01-2021 16:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e475114b48fb4836b0d813bf67267ab564d8e48d30f324b725da409406fe36db.ps1

  • Size

    60KB

  • MD5

    e06b27212da5e1a04b918c9b9a0c3d8c

  • SHA1

    d7f82ec85d738cb42849ded21452221bbce51157

  • SHA256

    e475114b48fb4836b0d813bf67267ab564d8e48d30f324b725da409406fe36db

  • SHA512

    8f16b7cad649f8d7f2653782db8564a7545f102aaa6a02eee82b1c2a18604e6dde6461b1347e168dbdd1a787b639221dbc93fcbf278679bf4175c47aefbed1a1

Score
5/10

Malware Config

Signatures

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\e475114b48fb4836b0d813bf67267ab564d8e48d30f324b725da409406fe36db.ps1
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
        PID:3816
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        2⤵
          PID:2960
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          2⤵
            PID:2812
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:516

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/516-6-0x0000000000400000-0x000000000040A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/516-7-0x00000000004051BE-mapping.dmp
          Download
        • memory/516-8-0x0000000073150000-0x000000007383E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/516-11-0x0000000005470000-0x0000000005471000-memory.dmp
          Filesize

          4KB

          Download
        • memory/516-12-0x0000000005AD0000-0x0000000005AD1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/516-13-0x00000000055D0000-0x00000000055D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/516-14-0x0000000005510000-0x0000000005511000-memory.dmp
          Filesize

          4KB

          Download
        • memory/516-15-0x0000000005730000-0x0000000005731000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4760-2-0x00007FFAEE7E0000-0x00007FFAEF1CC000-memory.dmp
          Filesize

          9.9MB

          Download
        • memory/4760-3-0x0000028FF7400000-0x0000028FF7401000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4760-4-0x0000028FF96F0000-0x0000028FF96F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4760-5-0x0000028FF7450000-0x0000028FF7453000-memory.dmp
          Filesize

          12KB

          Download