Overview

overview

10

Static

static

load.ps1

windows7_x64

10

load.ps1

windows10_x64

1

Analysis

  • max time kernel
    20s
  • max time network
    104s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    08/03/2021, 08:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    load.ps1

  • Size

    1.4MB

  • MD5

    09a05a2212bd2c0fe0e2881401fbff17

  • SHA1

    fbb6f8dae1753cd2a282ee161bc5496486cc06f7

  • SHA256

    b41a303a4caa71fa260dd601a796033d8bfebcaa6bd9dfd7ad956fac5229a735

  • SHA512

    8d0dd3a7d6adaa690a3f7625a573b8c50cfa9d40fa17836b7e8ab8a10bfe67f4eaf0720cedda0c1d2986e7e70770a097ad8af2a9e24ccd595514a0384cbc275f

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\load.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:672
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uxhmkihl\uxhmkihl.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3132
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6EAE.tmp" "c:\Users\Admin\AppData\Local\Temp\uxhmkihl\CSC820FB15764874525962D4247456A1CCC.TMP"
        3⤵
          PID:2500
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\load.ps1"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:788
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dlscpl5c\dlscpl5c.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3272
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84C6.tmp" "c:\Users\Admin\AppData\Local\Temp\dlscpl5c\CSC4E9B62F4A8434C05898A355F0C1E886.TMP"
            4⤵
              PID:4068
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
          PID:3628

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/672-6-0x00000172A2E03000-0x00000172A2E05000-memory.dmp

          Filesize

          8KB

          Download

        • memory/672-15-0x00000172A5140000-0x00000172A5141000-memory.dmp

          Filesize

          4KB

          Download

        • memory/672-10-0x00000172A2E06000-0x00000172A2E08000-memory.dmp

          Filesize

          8KB

          Download

        • memory/672-2-0x00007FF8522D0000-0x00007FF852CBC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/672-5-0x00000172A2E00000-0x00000172A2E02000-memory.dmp

          Filesize

          8KB

          Download

        • memory/672-4-0x00000172A51A0000-0x00000172A51A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/672-3-0x00000172A4F10000-0x00000172A4F11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/788-22-0x0000000007DD0000-0x0000000007DD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/788-23-0x0000000004E60000-0x0000000004E61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/788-24-0x0000000004E62000-0x0000000004E63000-memory.dmp

          Filesize

          4KB

          Download

        • memory/788-25-0x0000000007E40000-0x0000000007E41000-memory.dmp

          Filesize

          4KB

          Download

        • memory/788-20-0x00000000073F0000-0x00000000073F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/788-27-0x0000000008190000-0x0000000008191000-memory.dmp

          Filesize

          4KB

          Download

        • memory/788-28-0x00000000084D0000-0x00000000084D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/788-29-0x00000000083F0000-0x00000000083F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/788-30-0x000000000CC80000-0x000000000CC81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/788-31-0x000000000C230000-0x000000000C231000-memory.dmp

          Filesize

          4KB

          Download

        • memory/788-41-0x0000000000400000-0x000000000042D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/788-19-0x0000000007550000-0x0000000007551000-memory.dmp

          Filesize

          4KB

          Download

        • memory/788-18-0x0000000004E00000-0x0000000004E01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/788-40-0x0000000000960000-0x0000000000961000-memory.dmp

          Filesize

          4KB

          Download

        • memory/788-17-0x00000000736C0000-0x0000000073DAE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/788-21-0x0000000007490000-0x0000000007491000-memory.dmp

          Filesize

          4KB

          Download

        • memory/788-39-0x000000000C250000-0x000000000C251000-memory.dmp

          Filesize

          4KB

          Download