Analysis
- max time kernel: 120s
- max time network: 122s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 03-05-2021 14:39
Static task: static1
Behavioral task: behavioral1
- Sample: virus11.ps1
- Resource: win7v20210410 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: virus11.ps1
- Resource: win10v20210408 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: virus11.ps1
- Size: 14KB
- MD5: 102f6e180a2f67c7cff24e4e47e319e3
- SHA1: 413906407b384e6a2221c31631271686dd4dc8fd
- SHA256: 1ec71f936075a6b54858d0ca24538bfe6e74c1f37eec5d9ee065f5ebe12d5ab5
- SHA512: 589f74c995c9277a54b63b9d7111afd7f85aa535e4b99f02710c8ce333364a4cfd79019809814706de8cdcb88b95c14292c69c1e3a42154e08e4363fd7400128
- Score: 8/10
Malware Config
Signatures
- Blocklisted process makes network request (12 IoCs)
Processes:
flow  pid   process
7     1748  powershell.exe
9     1748  powershell.exe
10    1748  powershell.exe
11    1748  powershell.exe
12    1748  powershell.exe
13    1748  powershell.exe
14    1748  powershell.exe
15    1748  powershell.exe
16    1748  powershell.exe
17    1748  powershell.exe
18    1748  powershell.exe
20    1748  powershell.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description      ioc                                                                                                                                                                   process
Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\NS12 = "C:\\Users\\Admin\\AppData\\Roaming\\MSI\\WPSHost.exe"  powershell.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
pid   process
1748  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description              pid   process
Token: SeDebugPrivilege  1748  powershell.exe
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\virus11.ps1
  PID: 1748
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
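The two behaviours the report attributes to pid 1748, a powershell.exe launch with -ExecutionPolicy bypass on a script under the user's Temp directory and a Run-key value pointing into AppData, are what a detection engineer would turn into rules. The block below is an added example and not part of the sandbox report: it encodes those two rules and runs them over records constructed from the report's own process tree and Run-key IoC. The record field names (pid, image, cmdline, target, details) loosely follow Sysmon event 1 and event 13 and are an assumption for this example, as are the rule names.

```python
"""Added example: triage rules for the two behaviours the report flags on pid 1748.
Records are constructed to resemble Sysmon event 1 (process create) and event 13
(registry value set) fields; the field names are an assumption, not the report's schema."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Autostart keys a low-privileged process can write (HKCU and HKLM share the suffix).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Directories a standard user can write to. Persistence living here rather than
# under Program Files is the signal; the file name (WPSHost.exe) on its own is not.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\",
    re.IGNORECASE)

# Launch-line patterns; exec_policy_bypass is the one present in the process tree above.
PS_FLAGS = {
    "exec_policy_bypass": re.compile(r"-(ep|Exec|ExecutionPolicy)\s+(bypass|unrestricted)", re.I),
    "hidden_window": re.compile(r"-(w|WindowStyle)\s+hidden", re.I),
    "encoded_command": re.compile(r"-(e|ec|enc|EncodedCommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "no_profile": re.compile(r"-(nop|NoProfile)\b", re.I),
}
SCRIPT_ARG_RE = re.compile(r'-(f|File)\s+("[^"]+"|\S+)', re.I)


@dataclass
class Finding:
    rule: str
    pid: int
    evidence: str


def check_process_create(pid: int, image: str, cmdline: str) -> list[Finding]:
    """Flag powershell.exe launches whose arguments or script path match the sample's."""
    findings: list[Finding] = []
    if not image.lower().endswith("\\powershell.exe"):
        return findings
    for name, rx in PS_FLAGS.items():
        if rx.search(cmdline):
            findings.append(Finding(f"powershell_{name}", pid, cmdline))
    m = SCRIPT_ARG_RE.search(cmdline)
    if m and USER_WRITABLE_RE.search(m.group(2)):
        findings.append(Finding("powershell_script_in_user_writable_dir", pid, m.group(2)))
    return findings


def check_registry_set(pid: int, image: str, target: str, details: str) -> list[Finding]:
    """Flag Run/RunOnce values that point into user-writable directories, and
    any Run value written by PowerShell at all (rarer, but worth a look)."""
    findings: list[Finding] = []
    if not RUN_KEY_RE.search(target):
        return findings
    # The report escapes backslashes in the value data; normalise before matching.
    data = details.strip('"').replace("\\\\", "\\")
    if USER_WRITABLE_RE.search(data):
        findings.append(Finding("run_key_to_user_writable_dir", pid, f"{target} = {data}"))
    elif image.lower().endswith("\\powershell.exe"):
        findings.append(Finding("run_key_written_by_powershell", pid, f"{target} = {data}"))
    return findings


# Constructed records carrying the values from the process tree and Run-key IoC above.
SAMPLE_PROCESS = dict(
    pid=1748,
    image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    cmdline=r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\virus11.ps1",
)
SAMPLE_REGISTRY = dict(
    pid=1748,
    image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    target=r"\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\NS12",
    details=r'"C:\\Users\\Admin\\AppData\\Roaming\\MSI\\WPSHost.exe"',
)

if __name__ == "__main__":
    for f in check_process_create(**SAMPLE_PROCESS) + check_registry_set(**SAMPLE_REGISTRY):
        print(f"{f.rule:40} pid={f.pid} {f.evidence}")
```

On real telemetry the same two functions take the Image/CommandLine fields of a process-create event and the Image/TargetObject/Details fields of a registry-set event; the user-writable-directory check is what separates this sample's persistence from a vendor installer writing a Run value under Program Files.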
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1748-59-0x000007FEFB8F1000-0x000007FEFB8F3000-memory.dmp (8KB)
- memory/1748-60-0x0000000001DE0000-0x0000000001DE1000-memory.dmp (4KB)
- memory/1748-61-0x000000001AD20000-0x000000001AD21000-memory.dmp (4KB)
- memory/1748-62-0x00000000022F0000-0x00000000022F1000-memory.dmp (4KB)
- memory/1748-63-0x0000000000510000-0x0000000000511000-memory.dmp (4KB)
- memory/1748-64-0x000000001ACA0000-0x000000001ACA2000-memory.dmp (8KB)
- memory/1748-65-0x000000001ACA4000-0x000000001ACA6000-memory.dmp (8KB)
- memory/1748-66-0x000000001ABB0000-0x000000001ABB1000-memory.dmp (4KB)
- memory/1748-67-0x000000001B7F0000-0x000000001B7F1000-memory.dmp (4KB)
- memory/1748-68-0x0000000002700000-0x0000000002701000-memory.dmp (4KB)
- memory/1748-71-0x000000001AA30000-0x000000001AA31000-memory.dmp (4KB)
- memory/1748-83-0x000000001A9E0000-0x000000001A9E1000-memory.dmp (4KB)
- memory/1748-84-0x000000001AC40000-0x000000001AC41000-memory.dmp (4KB)
- memory/1748-85-0x000000001ACAA000-0x000000001ACC9000-memory.dmp (124KB)