c78468e0c0080700cb378ddb67268ebaa0d5a036f192a70e604a5076682474f9 | Triage

Analysis

max time kernel
142s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-06-2022 21:38

Sharing

Report Analysis Logs

General

Target

f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4/Downloaded_files/RS_UserDiagnosticHistory.ps1
Size

1KB
MD5

3a3ea51ac79c212f298ed11e5312f4ef
SHA1

cb67bddd6c00e37386c5c92f1dc18c21f7f46c9f
SHA256

4ab9317a0aae09510c150918c1757c7492c93606268a5e33f56031c244632a5a
SHA512

1387a95b2258690e25d070a79b0729c434adde52a6803562e9bbe2b6ed2acd22056693e77075d37d7e64c2c7290818af150f8689987728f5d41ff40f63c6fba3

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4276 powershell.exe
4276 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4276 powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\f5068e95e11b906cf33949376159ed87e03eb29e774029e84b8151c76d69ccf4\Downloaded_files\RS_UserDiagnosticHistory.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4276

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4276-130-0x000001E75EC50000-0x000001E75EC72000-memory.dmp

Filesize
136KB

Download
memory/4276-131-0x00007FFC75AC0000-0x00007FFC76581000-memory.dmp

Filesize
10.8MB

Download
memory/4276-132-0x00007FFC75AC0000-0x00007FFC76581000-memory.dmp

Filesize
10.8MB

Download