Overview

overview

10

Static

static

OTSLG.ps1

windows7_x64

5

OTSLG.ps1

windows10_x64

10

dump_stage1.ps1

windows7_x64

5

dump_stage1.ps1

windows10_x64

1

dump_stage2.ps1

windows7_x64

1

dump_stage2.ps1

windows10_x64

3

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    05-12-2021 00:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dump_stage2.ps1

  • Size

    328KB

  • MD5

    94982d1b3f651eefb0dfe0cae15c99de

  • SHA1

    7d32816f90fd7a459b00fdaa329488e019cf8cdb

  • SHA256

    20ba4529c17660f96be2882dbbf520c0388917dd49de1ded22b063af32e35ffe

  • SHA512

    103f2e9b96394592897417352a75e05aa411ed39b88a7e24c768c9acc20e60f5572b427ee40152e55fc9c205d8a2626901524d2b2768fd439fdae8765b25ad3e

Score
3/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\dump_stage2.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4384
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4384 -s 1920
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4384-119-0x000001496AE40000-0x000001496AE42000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4384-118-0x000001496AE40000-0x000001496AE42000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4384-120-0x000001496AE40000-0x000001496AE42000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4384-121-0x000001496AE40000-0x000001496AE42000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4384-122-0x000001496CF50000-0x000001496CF52000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4384-123-0x000001496CF53000-0x000001496CF55000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4384-124-0x000001496C9E0000-0x000001496C9E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4384-125-0x000001496AE40000-0x000001496AE42000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4384-126-0x000001496AE40000-0x000001496AE42000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4384-127-0x000001496D060000-0x000001496D061000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4384-128-0x000001496AE40000-0x000001496AE42000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4384-146-0x000001496CF56000-0x000001496CF58000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4384-151-0x000001496AE40000-0x000001496AE42000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4384-152-0x000001496AE40000-0x000001496AE42000-memory.dmp
    Filesize

    8KB

    Download