srv.ps1

General
Target: srv.ps1
Filesize: 3MB
Completed: 19-01-2022 11:29
Score: 1/10
MD5: bdfc70e3237617d7a4509e9a857234eb
SHA1: 7b1e093f630ded929fefe02c554d09a1a9d13c54
SHA256: d96de808e92e4d42e93180be95ec52fbe490c506cd839365e71cb7168df6bfbd

Malware Config
Signatures 2

  • Suspicious behavior: EnumeratesProcesses
    powershell.exe

    Reported IOCs

    pid   process
    1588  powershell.exe

  • Suspicious use of AdjustPrivilegeToken
    powershell.exe

    Reported IOCs

    description              pid   process
    Token: SeDebugPrivilege  1588  powershell.exe
Processes 1
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\srv.ps1
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    PID:1588
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/1588-54-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp
  • memory/1588-55-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmp
  • memory/1588-56-0x00000000026B0000-0x00000000026B2000-memory.dmp
  • memory/1588-57-0x00000000026B2000-0x00000000026B4000-memory.dmp
  • memory/1588-58-0x00000000026B4000-0x00000000026B7000-memory.dmp
  • memory/1588-59-0x00000000026BB000-0x00000000026DA000-memory.dmp