c78468e0c0080700cb378ddb67268ebaa0d5a036f192a70e604a5076682474f9 | Triage

Analysis

max time kernel
87s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-06-2022 21:38

Sharing

Report Analysis Logs

General

Target

f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/RS_UserWERQueue.ps1
Size

1KB
MD5

014bb59898d97ee5e9d0c3d598879659
SHA1

e1a7ca7d302e81ef619b72f07f8c2f834dd8631a
SHA256

136183a5d64c516cee0a3cb893adfa5d083cd4b74113d7665afec6e4edd55c03
SHA512

853ce2aff74e97bd39ef3f9ef847bc0597ec1a11e64a7c297808e362d9837661177cf481086784cc4149fe7ddebba4230b14a546b463da9d590f4097abd64449

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

5020 powershell.exe
5020 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 5020 powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4\Downloaded_files\RS_UserWERQueue.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5020-130-0x000001D6F15E0000-0x000001D6F1602000-memory.dmp

Filesize
136KB

Download
memory/5020-131-0x00007FFE09260000-0x00007FFE09D21000-memory.dmp

Filesize
10.8MB

Download
memory/5020-132-0x00007FFE09260000-0x00007FFE09D21000-memory.dmp

Filesize
10.8MB

Download