Analysis
-
max time kernel
152s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
11-02-2023 11:00
General
-
Target
6c9810a08e35920f03730e06102a1e1639a57a2d652ecfeedca63fceef495837.ps1
-
Size
734KB
-
MD5
47d0a7d95e4e561dd8d46a60f55f7f8d
-
SHA1
c285d3db58476c46aae8be6b731356ff13b6a478
-
SHA256
6c9810a08e35920f03730e06102a1e1639a57a2d652ecfeedca63fceef495837
-
SHA512
633b877b579024e5e36b99d133adde5c966d4d01915263be295456390ae523c5db4717359c1735d6fd73e3f84c3401bc7e67b414219cd6afb25d3bab23cc3917
-
SSDEEP
12288:FU1VYwPkT4LbcArB+rVqLq25s+tLsCN/FUaZ9kC2XmaKxNxhsY/4QI1IRm6SEWO7:rYIqcSd
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\6c9810a08e35920f03730e06102a1e1639a57a2d652ecfeedca63fceef495837.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD593678e82d776686aa54c42b8a98e6cbc
SHA1802939dfed99ac74814c4371388b204c5810241d
SHA256da32a79a8e04cbafb1c5980b3d6225f4705010df5eb45d464cd5bf6b642d7841
SHA5120b412a1e11c0639d72f6a58c661ecc43da021c010c4d1e66051c5a376ebab287480bbf663345c9bd2a79ec3a35a9788cf04d74d612449f76fe2c87576cd13520
-
memory/4172-132-0x000001DB56B20000-0x000001DB56B42000-memory.dmpFilesize
136KB
-
memory/4172-133-0x00007FF8B3D60000-0x00007FF8B4821000-memory.dmpFilesize
10.8MB
-
memory/4172-134-0x00007FF8B3D60000-0x00007FF8B4821000-memory.dmpFilesize
10.8MB
-
memory/4172-135-0x000001DB704A0000-0x000001DB70616000-memory.dmpFilesize
1.5MB
-
memory/4172-136-0x000001DB70830000-0x000001DB70A3A000-memory.dmpFilesize
2.0MB
-
memory/4408-140-0x0000000005610000-0x0000000005632000-memory.dmpFilesize
136KB
-
memory/4408-139-0x0000000005870000-0x0000000005E98000-memory.dmpFilesize
6.2MB
-
memory/4408-138-0x0000000002F20000-0x0000000002F56000-memory.dmpFilesize
216KB
-
memory/4408-141-0x00000000056B0000-0x0000000005716000-memory.dmpFilesize
408KB
-
memory/4408-142-0x0000000005EA0000-0x0000000005F06000-memory.dmpFilesize
408KB
-
memory/4408-143-0x00000000065E0000-0x00000000065FE000-memory.dmpFilesize
120KB
-
memory/4408-144-0x0000000007410000-0x0000000007A8A000-memory.dmpFilesize
6.5MB
-
memory/4408-145-0x0000000006B10000-0x0000000006B2A000-memory.dmpFilesize
104KB
-
memory/4408-146-0x0000000006D90000-0x000000000740A000-memory.dmpFilesize
6.5MB
-
memory/4408-147-0x0000000006D90000-0x000000000740A000-memory.dmpFilesize
6.5MB
-
memory/4408-137-0x0000000000000000-mapping.dmp
-
memory/4408-149-0x0000000006D90000-0x000000000740A000-memory.dmpFilesize
6.5MB
-
memory/4408-150-0x0000000006D90000-0x000000000740A000-memory.dmpFilesize
6.5MB