c78468e0c0080700cb378ddb67268ebaa0d5a036f192a70e604a5076682474f9 | Triage

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-06-2022 21:38

Sharing

Report Analysis Logs

General

Target

f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/CL_Utility.ps1
Size

13KB
MD5

1dcb96bed7d20df592189176d6e200fd
SHA1

18e6791e33924e8c243f352b4bb3fd3fa046d4fa
SHA256

6ba73a35a33a242cefc66637565ecd5356bdbb4fe71263328691d708615889ed
SHA512

a6497ed430dce0efe3b8521602f3e10a251f9dd0f5306ff0d03876ab840ccec7fc953775ad7dda7af02bd35139f74b8d5217461642f792859a9b60f5c9126763

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3944 powershell.exe
3944 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3944 powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4\Downloaded_files\CL_Utility.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3944-130-0x000001A5A1A00000-0x000001A5A1A22000-memory.dmp

Filesize
136KB

Download
memory/3944-131-0x00007FFEACCE0000-0x00007FFEAD7A1000-memory.dmp

Filesize
10.8MB

Download
memory/3944-132-0x00007FFEACCE0000-0x00007FFEAD7A1000-memory.dmp

Filesize
10.8MB

Download