c78468e0c0080700cb378ddb67268ebaa0d5a036f192a70e604a5076682474f9 | Triage

Analysis

max time kernel
90s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-06-2022 21:38

Sharing

Report Analysis Logs

General

Target

f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/RS_SyncSystemTime.ps1
Size

1KB
MD5

4e88b2a8ec2119ce19be4f646887cd5b
SHA1

4a2476fe0306e7a50355c3778cc9c4e35c787236
SHA256

dc504537a34a8d3114d414b9681ac1936d59e497dbf39e8be03760010c978da2
SHA512

fa82a4d80fe60c5bdd350e14b6df5176313f9d16716ec7df1be0479c2eff498819ba25cc9bb33958184f03d57dab624d46750a06368ea59b1820916b33ad0d79

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4576 powershell.exe
4576 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4576 powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4\Downloaded_files\RS_SyncSystemTime.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4576-130-0x000002104A9B0000-0x000002104A9D2000-memory.dmp

Filesize
136KB

Download
memory/4576-131-0x00007FF8657A0000-0x00007FF866261000-memory.dmp

Filesize
10.8MB

Download
memory/4576-132-0x00007FF8657A0000-0x00007FF866261000-memory.dmp

Filesize
10.8MB

Download