Overview

overview

10

Static

static

ServerFAH.ps1

windows7_x64

10

ServerFAH.ps1

windows10-2004_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    22-02-2022 18:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ServerFAH.ps1

  • Size

    134KB

  • MD5

    327fee2e572cf6b3b337fded32308189

  • SHA1

    8046a0f02d0673d3833b40bc5ac885b0a8891079

  • SHA256

    32060ba18c4ed29f6a441b6193a2e6376bb43c752709558f046e9365b7275559

  • SHA512

    be2e0938b929177621c7b9d324c2245ecef46e9b9b1b93204e1663edc2e9ee12f05e3e350362f7a6863d906bff2eb3e3b804a66d05a5c4cb4e87a7175b12bea8

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ServerFAH.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\LZAVOBYIRFWZQZVCTGHPQB.ps1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1532
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\LZAVOBYIRFWZQZVCTGHPQB.vbs"
        3⤵
          PID:1004
    • C:\Windows\system32\cmd.exe
      cmd /c C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\LZAVOBYIRFWZQZVCTGHPQB.bat
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Windows\system32\cmd.exe
        cMd.E"x"e /c =PoWerShelL"."eXe -noe -nop -nonI -WIndoWSTYLe Hidden -executionPolicy Bypass -file C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\WZQNBDSLVGAWPUXJRUVDYE.ps1
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1388
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PoWerShelL"."eXe -noe -nop -nonI -WIndoWSTYLe Hidden -executionPolicy Bypass -file C:\ProgramData\LZAVOBYIRFWZQZVCTGHPQB\WZQNBDSLVGAWPUXJRUVDYE.ps1
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1624

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1532-66-0x0000000002920000-0x0000000002922000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1532-65-0x000007FEF56DE000-0x000007FEF56DF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1532-69-0x000000000292B000-0x000000000294A000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1532-63-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/1532-67-0x0000000002922000-0x0000000002924000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1532-68-0x0000000002924000-0x0000000002927000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1624-74-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/1624-76-0x00000000028C0000-0x00000000028C2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1624-77-0x00000000028C2000-0x00000000028C4000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1624-78-0x00000000028C4000-0x00000000028C7000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1624-75-0x000007FEF56DE000-0x000007FEF56DF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1624-80-0x00000000028CB000-0x00000000028EA000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1720-60-0x000000000259B000-0x00000000025BA000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1720-55-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/1720-59-0x0000000002594000-0x0000000002597000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1720-58-0x0000000002592000-0x0000000002594000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1720-57-0x0000000002590000-0x0000000002592000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1720-54-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1720-56-0x000007FEF56DE000-0x000007FEF56DF000-memory.dmp

      Filesize

      4KB

      Download