Analysis
-
max time kernel
103s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
19-01-2022 11:27
Static task
static1
Behavioral task
behavioral1
Sample
srv.ps1
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
General
-
Target
srv.ps1
-
Size
3.6MB
-
MD5
bdfc70e3237617d7a4509e9a857234eb
-
SHA1
7b1e093f630ded929fefe02c554d09a1a9d13c54
-
SHA256
d96de808e92e4d42e93180be95ec52fbe490c506cd839365e71cb7168df6bfbd
-
SHA512
5bdde5d55b60e7ba1fb448bf95dd45feb2936ebaf53f5a78fa8272b522836d21a884ec5db523d09605f565d382e0015ee055de1976a3093defcc162d43abd857
Malware Config
Extracted
Family
bitrat
Version
1.38
C2
learnatallcost2.ddns.net:9050
Attributes
-
communication_password
4a3e00961a08879c34f91ca0070ea2f5
-
tor_process
tor
Signatures
-
Processes:
resource yara_rule behavioral2/memory/2072-140-0x0000000000400000-0x00000000007E4000-memory.dmp upx behavioral2/memory/2072-142-0x0000000000400000-0x00000000007E4000-memory.dmp upx behavioral2/memory/2072-143-0x0000000000400000-0x00000000007E4000-memory.dmp upx -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
aspnet_compiler.exepid process 2072 aspnet_compiler.exe 2072 aspnet_compiler.exe 2072 aspnet_compiler.exe 2072 aspnet_compiler.exe 2072 aspnet_compiler.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 1216 set thread context of 2072 1216 powershell.exe aspnet_compiler.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
powershell.exepid process 1216 powershell.exe 1216 powershell.exe 1216 powershell.exe 1216 powershell.exe 1216 powershell.exe 1216 powershell.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
powershell.exeaspnet_compiler.exesvchost.exedescription pid process Token: SeDebugPrivilege 1216 powershell.exe Token: SeShutdownPrivilege 2072 aspnet_compiler.exe Token: SeSystemtimePrivilege 3544 svchost.exe Token: SeSystemtimePrivilege 3544 svchost.exe Token: SeIncBasePriorityPrivilege 3544 svchost.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
aspnet_compiler.exepid process 2072 aspnet_compiler.exe 2072 aspnet_compiler.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
powershell.exedescription pid process target process PID 1216 wrote to memory of 224 1216 powershell.exe aspnet_compiler.exe PID 1216 wrote to memory of 224 1216 powershell.exe aspnet_compiler.exe PID 1216 wrote to memory of 224 1216 powershell.exe aspnet_compiler.exe PID 1216 wrote to memory of 1740 1216 powershell.exe aspnet_compiler.exe PID 1216 wrote to memory of 1740 1216 powershell.exe aspnet_compiler.exe PID 1216 wrote to memory of 1740 1216 powershell.exe aspnet_compiler.exe PID 1216 wrote to memory of 2072 1216 powershell.exe aspnet_compiler.exe PID 1216 wrote to memory of 2072 1216 powershell.exe aspnet_compiler.exe PID 1216 wrote to memory of 2072 1216 powershell.exe aspnet_compiler.exe PID 1216 wrote to memory of 2072 1216 powershell.exe aspnet_compiler.exe PID 1216 wrote to memory of 2072 1216 powershell.exe aspnet_compiler.exe PID 1216 wrote to memory of 2072 1216 powershell.exe aspnet_compiler.exe PID 1216 wrote to memory of 2072 1216 powershell.exe aspnet_compiler.exe
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\srv.ps11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1216-134-0x000002021D170000-0x000002021D192000-memory.dmpFilesize
136KB
-
memory/1216-135-0x00000202357C0000-0x00000202357C2000-memory.dmpFilesize
8KB
-
memory/1216-136-0x00000202357C3000-0x00000202357C5000-memory.dmpFilesize
8KB
-
memory/1216-139-0x00000202357C6000-0x00000202357C8000-memory.dmpFilesize
8KB
-
memory/2072-140-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/2072-142-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/2072-143-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB