Analysis
max time kernel: 97s
max time network: 49s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 24-08-2022 09:52
Behavioral task behavioral1: sample 2.ps1, resource win7-20220812-en (windows7-x64), 4 signatures, 150 seconds
Behavioral task behavioral2: sample 2.ps1, resource win10v2004-20220812-en (windows10-2004-x64), 4 signatures, 150 seconds
General
Target: 2.ps1
Size: 3KB
MD5: 09cc9c560e20d0c8011f77c30c9cc21d
SHA1: 16c9bedf2d4def01ce8dae29ef979549e508db38
SHA256: a66f6ec5d504f0e6fb16ca39d148754e8528413804fe7dcfae7bef1800192e79
SHA512: 6a479d6963a031551b9339008280a491c259393233130e8989ccbecb6b9649ed4c417b7a5783812adbcd322ebb6f592a2ccbb80aaa55b2713ebf909662d306ea
Score: 8/10
Malware Config
Signatures

Blocklisted process makes network request (1 IoC)
flow  pid   process
4     1416  powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   process
1676  powershell.exe
1416  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   process
Token: SeDebugPrivilege  1676  powershell.exe
Token: SeDebugPrivilege  1416  powershell.exe

Suspicious use of WriteProcessMemory (4 IoCs, four identical entries)
description                       pid   process         target process
PID 1676 wrote to memory of 1416  1676  powershell.exe  powershell.exe
Processes

1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1676)
   command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2.ps1
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe (PID 1416, child of 1676)
      command line: "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
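The process tree above is the detection-worthy part of this report: a 64-bit powershell.exe started with -ExecutionPolicy bypass on a script in the user's Temp directory, which then spawns a SysWOW64 powershell.exe with "-s -NoLogo -NoProfile". That command line is the one PowerShell itself uses when Start-Job launches a background job host, and the SysWOW64 path means the host is 32-bit (what Start-Job -RunAs32 produces); the child is also the process that makes the network request. The Python below is an added example, not part of the sandbox report or of the sample: it runs a small detector over constructed process-creation events modelled on this tree. PIDs 1676 and 1416 and their command lines mirror the report; the explorer.exe parent (PID 1000) and the benign interactive console with its 64-bit job host (PIDs 2200, 2300) are invented for contrast and should not fire.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    """Minimal process-creation record: the fields a Sysmon event 1 or a sandbox tree gives you."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events modelled on the report's process tree. PIDs 1676/1416 mirror
# the report; PIDs 1000, 2200 and 2300 are invented (benign parent and a normal Start-Job).
SAMPLE_EVENTS = [
    ProcEvent(1000, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1676, 1000,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2.ps1"),
    ProcEvent(1416, 1676,
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile'),
    # Benign contrast: an interactive 64-bit console running Start-Job without -RunAs32.
    ProcEvent(2200, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ProcEvent(2300, 2200,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile'),
]

# powershell.exe accepts unambiguous prefixes of -ExecutionPolicy (-ep, -ex, -exec), so match those too.
BYPASS_RE = re.compile(r"-(?:ep|ex\w*)\s+bypass", re.I)
FILE_RE = re.compile(r"-f(?:ile)?\s+\"?([^\"\s]+)", re.I)


def is_powershell(image: str) -> bool:
    return image.lower().endswith("\\powershell.exe")


def is_wow64(image: str) -> bool:
    return "\\syswow64\\" in image.lower()


def is_job_host(cmdline: str) -> bool:
    # "-s" (server mode) is the switch PowerShell passes when Start-Job launches its
    # background job host, normally together with -NoLogo -NoProfile. Skip the image token.
    return "-s" in cmdline.lower().split()[1:]


def bypass_script_from_temp(cmdline: str) -> Optional[str]:
    """Return the script path if the command line runs a %TEMP% .ps1 with the policy bypassed."""
    if not BYPASS_RE.search(cmdline):
        return None
    m = FILE_RE.search(cmdline)
    if not m:
        return None
    path = m.group(1)
    low = path.lower()
    if "\\appdata\\local\\temp\\" in low and low.endswith(".ps1"):
        return path
    return None


def detect(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Return [(pid, [reason, ...])] for PowerShell processes matching the report's chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not is_powershell(e.image):
            continue
        reasons = []
        script = bypass_script_from_temp(e.cmdline)
        if script:
            reasons.append(f"runs {script} with -ExecutionPolicy bypass")
        parent = by_pid.get(e.ppid)
        if parent and is_powershell(parent.image) and is_job_host(e.cmdline):
            # A 64-bit PowerShell starting a 32-bit job host is the -RunAs32 shape seen above.
            if is_wow64(e.image) and not is_wow64(parent.image):
                reasons.append("32-bit (SysWOW64) job host spawned by 64-bit PowerShell")
            if bypass_script_from_temp(parent.cmdline):
                reasons.append(f"job host of bypass-policy script (parent pid {parent.pid})")
        if reasons:
            findings.append((e.pid, reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

On its own, "-ExecutionPolicy bypass" is noisy in environments where administrators script with it routinely; the combination seen here (script resident in Temp, a 32-bit job host child, and that child being the one that talks to the network) is what raises the fidelity. The WriteProcessMemory hits in the report are parent-to-child writes into that job host, so they add little beyond confirming the parent/child relationship.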
Network
MITRE ATT&CK Matrix
Downloads

file                                                              size
memory/1416-59-0x0000000000000000-mapping.dmp
memory/1416-66-0x0000000073AB0000-0x000000007405B000-memory.dmp   5.7MB
memory/1416-65-0x0000000073AB0000-0x000000007405B000-memory.dmp   5.7MB
memory/1416-62-0x0000000073AB0000-0x000000007405B000-memory.dmp   5.7MB
memory/1416-61-0x0000000075D91000-0x0000000075D93000-memory.dmp   8KB
memory/1676-60-0x000000000282B000-0x000000000284A000-memory.dmp   124KB
memory/1676-54-0x000007FEFC491000-0x000007FEFC493000-memory.dmp   8KB
memory/1676-58-0x000000001B760000-0x000000001BA5F000-memory.dmp   3.0MB
memory/1676-57-0x0000000002824000-0x0000000002827000-memory.dmp   12KB
memory/1676-63-0x0000000002824000-0x0000000002827000-memory.dmp   12KB
memory/1676-64-0x000000000282B000-0x000000000284A000-memory.dmp   124KB
memory/1676-56-0x000007FEF3410000-0x000007FEF3F6D000-memory.dmp   11.4MB
memory/1676-55-0x000007FEF3F70000-0x000007FEF4993000-memory.dmp   10.1MB
memory/1676-67-0x0000000002824000-0x0000000002827000-memory.dmp   12KB
memory/1676-68-0x000000000282B000-0x000000000284A000-memory.dmp   124KB