Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 22-06-2022 17:16
Static task: static1
Behavioral task: behavioral1
Sample: SYSWOW64.ps1
Resource: win7-20220414-en
0 signatures
0 seconds
General
Target: SYSWOW64.ps1
Size: 3KB
MD5: 0866c5b72df63add6f9884806682308a
SHA1: 6b157db9a413b8e7d7c33b8b4a5713cdbf6f4dea
SHA256: 860cae2ca6d44d8d9a34df314e7b3f1a64116f2ebe6279ed160fc2f0d7ebea95
SHA512: bc865a758fa7790e346a7ebb19cd3a3871f7aa16b88b80116bad0846d88104203f81bfd4bf73c46b1d770950c6ff0b48475e313277d51171c42227fe3128b82b
Malware Config
Extracted
Family: vjw0rm
C2: http://rick63.publicvm.com:1849
Signatures
Blocklisted process makes network request (1 IoC)
Processes:
  flow 7, pid 3156, process powershell.exe
Drops startup file (1 IoC)
Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelGraphicsDriverUpdates.vbs (process powershell.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid 3156, process powershell.exe
  pid 3156, process powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeDebugPrivilege, pid 3156, process powershell.exe
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\SYSWOW64.ps1
  - Blocklisted process makes network request
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken