Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
03-12-2021 13:54
Static task
static1
Behavioral task
behavioral1
Sample
OTSLG.ps1
Resource
win7-en-20211014
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
OTSLG.ps1
Resource
win10-en-20211104
windows10_x64
0 signatures
0 seconds
General
-
Target
OTSLG.ps1
-
Size
915KB
-
MD5
001bfe6f72fe64660ba498107c658bdc
-
SHA1
0946baf23e867f2564302b60f777db72a1244a30
-
SHA256
c22a6401a415fe642f3d96f38a887dd8ad23dd83a9255ee89d9adf4650ab98da
-
SHA512
32836eff8285a5a301be0b4410d34a73d99d4c04b38b0b67b937c1bc5ae6ab2d033a97089b6588c245371dfd8e95c420c8bbd3862a632a828122861e0ec839d3
Score
5/10
Malware Config
Signatures
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1408 powershell.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1664 powershell.exe 1664 powershell.exe 1664 powershell.exe 1408 powershell.exe 1408 powershell.exe 1408 powershell.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process Token: SeDebugPrivilege 1664 powershell.exe Token: SeDebugPrivilege 1408 powershell.exe Token: SeBackupPrivilege 1408 powershell.exe Token: SeDebugPrivilege 1408 powershell.exe Token: 36 1408 powershell.exe Token: SeImpersonatePrivilege 1408 powershell.exe Token: SeIncBasePriorityPrivilege 1408 powershell.exe Token: SeIncreaseQuotaPrivilege 1408 powershell.exe Token: 33 1408 powershell.exe Token: SeManageVolumePrivilege 1408 powershell.exe Token: SeProfSingleProcessPrivilege 1408 powershell.exe Token: SeRestorePrivilege 1408 powershell.exe Token: SeSecurityPrivilege 1408 powershell.exe Token: SeSystemProfilePrivilege 1408 powershell.exe Token: SeTakeOwnershipPrivilege 1408 powershell.exe Token: SeShutdownPrivilege 1408 powershell.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1664 wrote to memory of 1408 1664 powershell.exe 29 PID 1664 wrote to memory of 1408 1664 powershell.exe 29 PID 1664 wrote to memory of 1408 1664 powershell.exe 29 PID 1664 wrote to memory of 1408 1664 powershell.exe 29
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\OTSLG.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -NonI C:\Users\Admin\AppData\Local\Temp\OTSLG.ps12⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408
-