Analysis

- Max time kernel: 119s
- Max time network: 119s
- Platform: windows7_x64
- Resource: win7-en-20211104
- Submitted: 05-12-2021 00:17
Static task

- static1

Behavioral tasks

- behavioral1: sample OTSLG.ps1, resource win7-en-20211104
- behavioral2: sample OTSLG.ps1, resource win10-en-20211014
- behavioral3: sample dump_stage1.ps1, resource win7-en-20211104
- behavioral4: sample dump_stage1.ps1, resource win10-en-20211014
- behavioral5: sample dump_stage2.ps1, resource win7-en-20211104
- behavioral6: sample dump_stage2.ps1, resource win10-en-20211104
General

- Target: dump_stage1.ps1
- Size: 740KB
- MD5: 5cffb281fe8937f26e4994f8133f7456
- SHA1: 5479ddb635bf9c9a5632955c7d2cd2a6047256df
- SHA256: 3609272795c8f8ba1275959d1457b03f6143efaaf8cd037547cd561e68763237
- SHA512: 12418b348819ae9b9aa1115c19723cd77964273c3b0d07225971756a3ccd1061f0db891911390847d244db3acbf1b268739275a0e3fe2a41407781443a26600e
Malware Config
Signatures

- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  - PID 1100 powershell.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  - PID 1612 powershell.exe (3 events)
  - PID 1100 powershell.exe (3 events)
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  - PID 1612 powershell.exe: SeDebugPrivilege
  - PID 1100 powershell.exe: SeDebugPrivilege, SeBackupPrivilege, SeDebugPrivilege, privilege LUID 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, privilege LUID 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege
  - The two entries the sandbox reports only by number are privilege LUIDs it did not resolve to names; on Windows, LUID 33 is SeIncreaseWorkingSetPrivilege and LUID 36 is SeDelegateSessionUserImpersonatePrivilege.
- Suspicious use of WriteProcessMemory (4 IoCs)
  - PID 1612 powershell.exe wrote to memory of PID 1100 powershell.exe (4 events; sandbox target process id 29)
Processes

- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1612)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\dump_stage1.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1100)
    Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -NonI C:\Users\Admin\AppData\Local\Temp\dump_stage1.ps1
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
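The process tree above shows two things a command-line rule built around the literal string `-ExecutionPolicy Bypass` would miss: the child host is started with the abbreviated switches `-ex bypass -NonI` (powershell.exe accepts any unambiguous prefix of a switch name, plus a few documented short aliases), and the 64-bit System32 powershell.exe hands the same script to the 32-bit SysWOW64 powershell.exe. The Python below is an added example, not part of the sandbox report or of the analysed scripts: it canonicalises powershell.exe switches using the abbreviations listed in `powershell.exe /?`, then evaluates process-creation events with Sysmon Event ID 1 style field names. The two command lines are copied from the report; the parent image of PID 1612, the benign third event, and the field layout are constructed for the example.

```python
"""Canonicalise powershell.exe switches and flag the report's process pattern.
Added example for this page, not the sandbox's or the sample's own code."""
from __future__ import annotations

# Shortest accepted prefix per switch, from `powershell.exe /?`; any longer
# prefix of the full name is also accepted ("-ex", "-exec", "-ExecutionPolicy").
PS_SWITCHES = {
    "EncodedCommand": "e", "ExecutionPolicy": "ex", "NonInteractive": "noni",
    "NoProfile": "nop", "NoLogo": "nol", "NoExit": "noe", "WindowStyle": "w",
    "Command": "c", "File": "f", "InputFormat": "inp", "OutputFormat": "o",
    "Version": "v", "Sta": "sta", "Mta": "mta", "PSConsoleFile": "psc",
}
# Documented aliases that are not prefixes of the full switch name.
PS_ALIASES = {"ec": "EncodedCommand", "ep": "ExecutionPolicy",
              "if": "InputFormat", "of": "OutputFormat"}
# Switches that consume the next token as their value.
TAKES_VALUE = {"EncodedCommand", "ExecutionPolicy", "WindowStyle", "File",
               "InputFormat", "OutputFormat", "Version", "PSConsoleFile"}


def split_cmdline(cmdline: str) -> list[str]:
    """Whitespace split honouring double quotes (no MSVCRT escape rules)."""
    tokens, cur, in_quote = [], "", False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    return tokens + [cur] if cur else tokens


def canonical_switch(token: str) -> str | None:
    """'-ex', '/NonI', '-ExecutionPolicy' -> full switch name, else None."""
    if not token or token[0] not in "-/":
        return None
    key = token[1:].lower()
    if key in PS_ALIASES:
        return PS_ALIASES[key]
    for name, shortest in PS_SWITCHES.items():
        if name.lower().startswith(key) and len(key) >= len(shortest):
            return name
    return None  # unknown or still-ambiguous abbreviation (e.g. "-no")


def parse_powershell_cmdline(cmdline: str) -> dict[str, object]:
    """Return {switch: value or True}; bare arguments go under 'positional'."""
    tokens = split_cmdline(cmdline)
    parsed: dict[str, object] = {}
    positional: list[str] = []
    i = 1  # tokens[0] is the image path
    while i < len(tokens):
        name = canonical_switch(tokens[i])
        if name is None:
            positional.append(tokens[i])
        elif name == "Command":          # -Command swallows the rest of the line
            parsed[name] = " ".join(tokens[i + 1:])
            break
        elif name in TAKES_VALUE and i + 1 < len(tokens):
            parsed[name] = tokens[i + 1]
            i += 1
        else:
            parsed[name] = True
        i += 1
    if positional:
        parsed["positional"] = positional
    return parsed


def is_powershell(image: str) -> bool:
    return image.lower().endswith("\\powershell.exe")


def evaluate(event: dict[str, str]) -> list[str]:
    """Findings for one process-creation event (Sysmon Event ID 1 style fields)."""
    findings: list[str] = []
    if not is_powershell(event["Image"]):
        return findings
    args = parse_powershell_cmdline(event["CommandLine"])
    policy = str(args.get("ExecutionPolicy", "")).lower()
    if policy in ("bypass", "unrestricted"):
        findings.append(f"execution_policy_{policy}")
    if "EncodedCommand" in args:
        findings.append("encoded_command")
    if args.get("NonInteractive") is True:
        findings.append("noninteractive")
    parent = event.get("ParentImage", "")
    if is_powershell(parent):
        findings.append("powershell_spawns_powershell")
        # 64-bit host relaunching into the 32-bit host, as PID 1612 -> 1100 above.
        if "\\syswow64\\" in event["Image"].lower() and "\\syswow64\\" not in parent.lower():
            findings.append("native_to_wow64_powershell")
    return findings


# Constructed events; the two command lines are the ones in the report.
CHILD_CMD = (r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" '
             r"-ex bypass -NonI C:\Users\Admin\AppData\Local\Temp\dump_stage1.ps1")
SAMPLE_EVENTS = [
    {"ProcessId": "1612", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\dump_stage1.ps1",
     "ParentImage": r"C:\sandbox\launcher.exe"},          # constructed parent
    {"ProcessId": "1100", "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": CHILD_CMD,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessId": "4242", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\rotate-logs.ps1",  # constructed benign
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]


def scan(events: list[dict[str, str]]) -> dict[str, list[str]]:
    return {e["ProcessId"]: evaluate(e) for e in events}


if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits or "clean")
```

Matching on canonicalised switch names rather than raw strings is the point: `-ex`, `-exec` and `-ExecutionPolicy` all normalise to the same key, so the child's `-ex bypass` is caught alongside the parent's spelled-out form, while the constructed `-NoProfile -File` event produces no findings.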