Analysis
max time kernel: 121s
max time network: 121s
platform: windows10_x64
resource: win10-en-20211104
submitted: 05-12-2021 00:17
Static task: static1
Behavioral task: behavioral1   Sample: OTSLG.ps1         Resource: win7-en-20211104
Behavioral task: behavioral2   Sample: OTSLG.ps1         Resource: win10-en-20211014
Behavioral task: behavioral3   Sample: dump_stage1.ps1   Resource: win7-en-20211104
Behavioral task: behavioral4   Sample: dump_stage1.ps1   Resource: win10-en-20211014
Behavioral task: behavioral5   Sample: dump_stage2.ps1   Resource: win7-en-20211104
Behavioral task: behavioral6   Sample: dump_stage2.ps1   Resource: win10-en-20211104
General
Target: dump_stage2.ps1
Size: 328KB
MD5: 94982d1b3f651eefb0dfe0cae15c99de
SHA1: 7d32816f90fd7a459b00fdaa329488e019cf8cdb
SHA256: 20ba4529c17660f96be2882dbbf520c0388917dd49de1ded22b063af32e35ffe
SHA512: 103f2e9b96394592897417352a75e05aa411ed39b88a7e24c768c9acc20e60f5572b427ee40152e55fc9c205d8a2626901524d2b2768fd439fdae8765b25ad3e
Malware Config
Signatures
Program crash (1 IoC)
pid    pid_target   Process        procid_target
4416   4384         WerFault.exe   29

Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid    Process
4384   powershell.exe   (3 entries)
4416   WerFault.exe     (13 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid    Process
Token: SeDebugPrivilege   4384   powershell.exe
Token: SeDebugPrivilege   4416   WerFault.exe
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\dump_stage2.ps1
  PID: 4384
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\WerFault.exe (child of PID 4384)
    Command line: C:\Windows\system32\WerFault.exe -u -p 4384 -s 1920
    PID: 4416
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken