Overview

overview

10

Static

static

10

39d174e680...fc.ps1

windows7_x64

10

39d174e680...fc.ps1

windows10-2004_x64

8

Analysis

  • max time kernel
    127s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01-02-2022 17:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    39d174e6804c39591668d4e999341c14692f570e76afb1a0eafca31b04e301fc.ps1

  • Size

    273KB

  • MD5

    e7df91ac5f161f54e3fafe18e92f528b

  • SHA1

    b441934c695c87b462cc27dbce9910bfec8b7b61

  • SHA256

    39d174e6804c39591668d4e999341c14692f570e76afb1a0eafca31b04e301fc

  • SHA512

    6c3511be6abdcec26f22af4f5cdab818f00e9108802106874c6c8c25cf0d4a886ded1d0f17531535d60d15ef7f4bfb5e7c04dbe7599ca75abf7c7a846c3db091

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\39d174e6804c39591668d4e999341c14692f570e76afb1a0eafca31b04e301fc.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3436
    • \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
      "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    MD5

    8b350c55014017c3a720dc455e12e266

    SHA1

    e3faedeb1e4d3da0246499a4a38755887bc0c96b

    SHA256

    d0fd0a6e771db2a13c4b9f94841bad403f9de799662b2c780c13c30184623e0b

    SHA512

    9af5efefced0309ddb743b28d4291c57d7787ba122e2a88714713a7b452c1834d84380fd141ab3ce749c64f895da4c9d7dcbd61b963052e62d67583e1dfd4960

    Download Submit
  • memory/3436-134-0x0000013874820000-0x0000013874822000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3436-135-0x0000013874823000-0x0000013874825000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3436-136-0x0000013872B90000-0x0000013872BB2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/3436-139-0x0000013874826000-0x0000013874828000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3436-140-0x0000013874D00000-0x0000013874E76000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/3436-141-0x0000013875090000-0x000001387529A000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/4032-146-0x0000000004452000-0x0000000004453000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4032-145-0x0000000004460000-0x0000000004496000-memory.dmp
    Filesize

    216KB

    Download
  • memory/4032-147-0x0000000007040000-0x0000000007668000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/4032-148-0x0000000006F40000-0x0000000006F62000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4032-149-0x00000000076E0000-0x0000000007746000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4032-150-0x0000000007750000-0x00000000077B6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4032-151-0x0000000004455000-0x0000000004457000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4032-152-0x0000000007E90000-0x0000000007EAE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4032-144-0x0000000004450000-0x0000000004451000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4032-154-0x0000000008DC0000-0x000000000943A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/4032-155-0x0000000008420000-0x000000000843A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4032-156-0x0000000008740000-0x0000000008DBA000-memory.dmp
    Filesize

    6.5MB

    Download