c78468e0c0080700cb378ddb67268ebaa0d5a036f192a70e604a5076682474f9 | Triage

Analysis

max time kernel
78s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-06-2022 21:38

Sharing

Report Analysis Logs

General

Target

f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/RS_MachineWERQueue.ps1
Size

1KB
MD5

4ead5ff0de8201daa5c771c9700c45ab
SHA1

568f6170ecaa7851b8707d43658efc4e44f571bd
SHA256

77467ae995127372d335d7a5406ebd98cd3385ca7f8644e1342643330ec93341
SHA512

1216a7fa1b4e090bdcf0011d9676b2e0a5126587d171bcfc239fd36f2314f37f708bdb3a285a1fba08ae569c07f9d30e70884e15e9678adc9d2196bc035dafe5

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1004 powershell.exe
1004 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1004 powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4\Downloaded_files\RS_MachineWERQueue.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1004-130-0x000002A2F77F0000-0x000002A2F7812000-memory.dmp

Filesize
136KB

Download
memory/1004-131-0x00007FFB55250000-0x00007FFB55D11000-memory.dmp

Filesize
10.8MB

Download
memory/1004-132-0x00007FFB55250000-0x00007FFB55D11000-memory.dmp

Filesize
10.8MB

Download