Analysis
- max time kernel: 4294179s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20220223-en
- submitted: 08-03-2022 17:30

Static task: static1

Behavioral task: behavioral1
- Sample: file1.ps1
- Resource: win7-20220223-en
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: file1.ps1
- Resource: win10v2004-en-20220112
- 0 signatures, 0 seconds
General
- Target: file1.ps1
- Size: 132KB
- MD5: 9777539c560bfd297cc2574c37fa5b21
- SHA1: 4eb088f40d4cb02590c7299ac7e2c0d609680e1e
- SHA256: be4f0c6439bdba738482ea253cde60f3347afd86b284362f83b510a0034b693a
- SHA512: dc3ca59771b57826cd8714c4335ffbdecddd155e234309dd812d0db7bb2a21b590bd73c57d5270f2083e6f616fbf2265f955654ae5f091d9f820ae64beea1e96
- Score: 1/10
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1796  powershell.exe
  1524  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1796  powershell.exe
  Token: SeDebugPrivilege  1524  powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process         procid_target
  PID 1796 wrote to memory of 1524  1796  powershell.exe  28
  PID 1796 wrote to memory of 1524  1796  powershell.exe  28
  PID 1796 wrote to memory of 1524  1796  powershell.exe  28
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file1.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1796
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1524