36e82f18e72113f24a5460ed87f67dab158c6f3b342422287bdb8218c2186bc9

General

Target

file1.ps1
Size

132KB
MD5

9777539c560bfd297cc2574c37fa5b21
SHA1

4eb088f40d4cb02590c7299ac7e2c0d609680e1e
SHA256

be4f0c6439bdba738482ea253cde60f3347afd86b284362f83b510a0034b693a
SHA512

dc3ca59771b57826cd8714c4335ffbdecddd155e234309dd812d0db7bb2a21b590bd73c57d5270f2083e6f616fbf2265f955654ae5f091d9f820ae64beea1e96

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1796 powershell.exe
1524 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1796 powershell.exe
Token: SeDebugPrivilege 1524 powershell.exe

pid	process
1796	powershell.exe
1524	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 1796 wrote to memory of 1524	1796	powershell.exe	powershell.exe
PID 1796 wrote to memory of 1524	1796	powershell.exe	powershell.exe
PID 1796 wrote to memory of 1524	1796	powershell.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file1.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1
MD5
96cbd4ee164e4feb93152e2ef2d0e229

SHA1
2f5963d3042b87d5e3684a8c1de74e3543aad81e

SHA256
2926650956ac94279c598ba4b761eac9fa34e49e8fe19580adf8c62fd2fac15a

SHA512
48df582b45e09a85e94d60502a1d5f68412ea1325d81ceb2256c5a142d09f4db57e2e6f746a55458276aa8d3d9af59ce66219489d9aa9b73c5dac2c8a7d27b5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
7a2466ed466ee4f21e0e7805ff986ecd

SHA1
7d14281d1bd702b8ba20aa33ea0e740d209b375b

SHA256
1506315dfcec8b5be5f18136de647eb8c5cbac1b4a3c1769624db10a5096b2d1

SHA512
e03110621683b35f782fb186e2cdd1a1a260aa43c5e96a55ae883ed6507ff3d904cc84254d2bca569a6fd62209c93c6c3e65967586733ab8e6e204fdaa57c4cb

Download Submit
memory/1524-72-0x00000000027DB000-0x00000000027FA000-memory.dmp

Filesize
124KB

Download
memory/1524-70-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/1524-68-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp

Filesize
9.6MB

Download
memory/1524-69-0x00000000027D2000-0x00000000027D4000-memory.dmp

Filesize
8KB

Download
memory/1524-67-0x00000000027D0000-0x00000000027D2000-memory.dmp

Filesize
8KB

Download
memory/1524-66-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp

Filesize
9.6MB

Download
memory/1524-65-0x000007FEEE7F0000-0x000007FEEF34D000-memory.dmp

Filesize
11.4MB

Download
memory/1796-58-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

Filesize
3.0MB

Download
memory/1796-62-0x0000000002704000-0x0000000002707000-memory.dmp

Filesize
12KB

Download
memory/1796-59-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp

Filesize
9.6MB

Download
memory/1796-61-0x000000000270B000-0x000000000272A000-memory.dmp

Filesize
124KB

Download
memory/1796-60-0x0000000002702000-0x0000000002704000-memory.dmp

Filesize
8KB

Download
memory/1796-54-0x000007FEFBAF1000-0x000007FEFBAF3000-memory.dmp

Filesize
8KB

Download
memory/1796-56-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp

Filesize
9.6MB

Download
memory/1796-57-0x0000000002700000-0x0000000002702000-memory.dmp

Filesize
8KB

Download
memory/1796-55-0x000007FEEE7F0000-0x000007FEEF34D000-memory.dmp

Filesize
11.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads