Overview

overview

8

Static

static

1

from_r_tec...rl.ps1

windows10-2004-x64

8

Resubmissions

15/04/2024, 15:04

240415-sftvzsbe51 8

08/04/2024, 10:37

240408-mn29faad6t 1

25/03/2024, 12:10

240325-pcfbmsfb49 8

28/11/2023, 12:14

231128-pefp7ahg9v 8

28/11/2023, 10:30

231128-mj2gcahc28 8

15/05/2023, 08:26

230515-kb2q2ahh2t 8

19/04/2023, 08:41

230419-klhe5shd66 8

14/02/2023, 10:51

230214-mxtnnacg59 8

04/01/2023, 12:47

230104-p1dgysah51 8

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/11/2023, 12:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    from_r_techsupport_post_zfbprl.ps1

  • Size

    3KB

  • MD5

    78d2189dbf09d4cfb9985729c0985067

  • SHA1

    d61c81fedbaaf26ca14082f29ed008dca2520e3b

  • SHA256

    2573edb9592715b7e0048056279d6d707c959fe815148f733e60b4eb0fca3aea

  • SHA512

    30dbc2210dcdf8f67635096dd5f87c12b84443b879761462524e5f8d8b5ea0f13cf891f2c0da95c23c2455418dad2d6b92786a8b4efbd7f40d0f1e675c200e77

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 60 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\from_r_techsupport_post_zfbprl.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3592
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eruhsvsn.ov4.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/840-21-0x00007FFAFEB90000-0x00007FFAFF651000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/840-36-0x000001435DD20000-0x000001435DD30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/840-35-0x000001435DD20000-0x000001435DD30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/840-34-0x00007FFAFEB90000-0x00007FFAFF651000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/840-22-0x000001435DD20000-0x000001435DD30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/840-23-0x000001435DD20000-0x000001435DD30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3592-16-0x0000025781B30000-0x0000025781CA6000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3592-0-0x00000256F0AD0000-0x00000256F0AF2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3592-17-0x0000025781EC0000-0x00000257820CA000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3592-18-0x00000256EE5B0000-0x00000256EE5C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3592-19-0x00000256EE5B0000-0x00000256EE5C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3592-20-0x00000256EE5B0000-0x00000256EE5C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3592-15-0x00007FFAFEB90000-0x00007FFAFF651000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3592-14-0x00000256F0FA0000-0x00000256F0FBA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3592-13-0x00000256F0F70000-0x00000256F0F80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3592-11-0x00000256EE5B0000-0x00000256EE5C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3592-12-0x00000256EE5B0000-0x00000256EE5C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3592-10-0x00007FFAFEB90000-0x00007FFAFF651000-memory.dmp

    Filesize

    10.8MB

    Download