a1be8ab1061d8dfa7fc2b82e256971ee110695e776e493c96625935f9143aebd

Analysis

max time kernel
90s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2022 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1be8ab1061d8dfa7fc2b82e256971ee110695e776e493c96625935f9143aebd.ps1
Size

2KB
MD5

926e5a0589c28d9f9df27076309b69f1
SHA1

f8a7a8376ed133b6875d4f008f49b1799b2cbe68
SHA256

a1be8ab1061d8dfa7fc2b82e256971ee110695e776e493c96625935f9143aebd
SHA512

7bdc74249e1aa22fd0ed69c7709926e7137d386d61e00c958e8f12ec060980b482a69813ce3557ddbce901ac886ff0e2b30b2ddedc7f79b6c5c73eab7ee677ea

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

5052 powershell.exe
5052 powershell.exe
2020 powershell.exe
2020 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 5052 powershell.exe
Token: SeDebugPrivilege 2020 powershell.exe

pid	process
5052	powershell.exe
5052	powershell.exe
2020	powershell.exe
2020	powershell.exe

description	pid	process
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 5052 wrote to memory of 2020	5052	powershell.exe	powershell.exe
PID 5052 wrote to memory of 2020	5052	powershell.exe	powershell.exe
PID 5052 wrote to memory of 2020	5052	powershell.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\a1be8ab1061d8dfa7fc2b82e256971ee110695e776e493c96625935f9143aebd.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
9e15040066cf2dfeede62eb4ce3ae675

SHA1
1def76fc49f4500e5bb7300cabfdf994058b573b

SHA256
a497163c002572a3165cace6fc1231e0b6cf3919bf4875a9281d80ba262b1ede

SHA512
4d0e3735eb80be618f94e487c004a94ccbd5a54449d8e00b8aa6922a7b2d1183da68f5c06ca99d7eeb28b165824d223f94effdbab417aae110db3f113f4effe9

Download Submit
memory/2020-140-0x0000000005F00000-0x0000000005F22000-memory.dmp

Filesize
136KB

Download
memory/2020-141-0x0000000005FA0000-0x0000000006006000-memory.dmp

Filesize
408KB

Download
memory/2020-146-0x0000000006DF0000-0x0000000006E0A000-memory.dmp

Filesize
104KB

Download
memory/2020-145-0x0000000007860000-0x0000000007EDA000-memory.dmp

Filesize
6.5MB

Download
memory/2020-137-0x0000000000000000-mapping.dmp

Download
memory/2020-138-0x0000000005250000-0x0000000005286000-memory.dmp

Filesize
216KB

Download
memory/2020-143-0x0000000006920000-0x000000000693E000-memory.dmp

Filesize
120KB

Download
memory/2020-142-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/2020-139-0x00000000058D0000-0x0000000005EF8000-memory.dmp

Filesize
6.2MB

Download
memory/5052-132-0x000001D48A710000-0x000001D48A732000-memory.dmp

Filesize
136KB

Download
memory/5052-134-0x000001D4A3670000-0x000001D4A37E6000-memory.dmp

Filesize
1.5MB

Download
memory/5052-133-0x00007FFA0A0D0000-0x00007FFA0AB91000-memory.dmp

Filesize
10.8MB

Download
memory/5052-136-0x00007FFA0A0D0000-0x00007FFA0AB91000-memory.dmp

Filesize
10.8MB

Download
memory/5052-135-0x000001D4A3A00000-0x000001D4A3C0A000-memory.dmp

Filesize
2.0MB

Download
memory/5052-147-0x00007FFA0A0D0000-0x00007FFA0AB91000-memory.dmp

Filesize
10.8MB

Download