918f0c7f46926112a1c8f33cf641263968add3f9d82a5d6088fb2e7123e1ae88 | Triage

Analysis

max time kernel
91s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2022, 19:35

Sharing

Report Analysis Logs

General

Target

code.ps1
Size

126B
MD5

122ae4f4a1e43e14a250c7d6ea328d1a
SHA1

ab9489459c12bfc6d555bdd67b8157863a69f389
SHA256

918f0c7f46926112a1c8f33cf641263968add3f9d82a5d6088fb2e7123e1ae88
SHA512

f4eda970cc2a54ce926e1276aa00667b2d5b436ebb66b11720a672125eac838d6202df7699f09632dbda7d3f76d450b5fb44bb5d18ced91d01a2bb5f3ffc5e81

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	644	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
644	powershell.exe
644	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	644	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\code.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/644-132-0x000001B1C0C70000-0x000001B1C0C92000-memory.dmp

Filesize
136KB

Download
memory/644-133-0x00007FFE18DE0000-0x00007FFE198A1000-memory.dmp

Filesize
10.8MB

Download
memory/644-134-0x00007FFE18DE0000-0x00007FFE198A1000-memory.dmp

Filesize
10.8MB

Download