e0a1b6e2efc496d31187a85565ed59a54b47df4f0666285d3e6bf6fc4d372f46

General

Target

ev.ps1
Size

1KB
MD5

9830264dcac9b966dcdc809527689262
SHA1

9733c49c7f5026d6b51683f8781b6ba27fdcc541
SHA256

e0a1b6e2efc496d31187a85565ed59a54b47df4f0666285d3e6bf6fc4d372f46
SHA512

b613a9298d1f878ae8efb1b5e790954d08e1e6ebc3aeb3b0434dc6ad54605710a56e045315a4f601cffb61285c44278b15a8ea892ded6c96aca2e11822e22650

Score

9^/10

Suspicious use of AdjustPrivilegeToken 13 IoCs

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 1148	640	powershell.exe	67
PID 640 wrote to memory of 1148	640	powershell.exe	67
PID 640 wrote to memory of 1244	640	powershell.exe	68
PID 640 wrote to memory of 1244	640	powershell.exe	68
PID 640 wrote to memory of 1312	640	powershell.exe	69
PID 640 wrote to memory of 1312	640	powershell.exe	69
PID 640 wrote to memory of 1452	640	powershell.exe	70
PID 640 wrote to memory of 1452	640	powershell.exe	70
PID 640 wrote to memory of 1556	640	powershell.exe	71
PID 640 wrote to memory of 1556	640	powershell.exe	71
PID 640 wrote to memory of 1676	640	powershell.exe	72
PID 640 wrote to memory of 1676	640	powershell.exe	72

Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ev.ps1
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" epl System "D:\WindowsEventLogs\OWZMOTQA-System-07/12/2020 14:41:46.evtx"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl System
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" epl Security "D:\WindowsEventLogs\OWZMOTQA-Security-07/12/2020 14:41:46.evtx"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Security
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" epl Application "D:\WindowsEventLogs\OWZMOTQA-Application-07/12/2020 14:41:46.evtx"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Application
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1676

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal on Host

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact