b72e2fb08b6d2863b4cf984fb2e89868527010a15e6d4689986b8d704ad63440

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17/03/2023, 11:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

info.ps1
Size

766B
MD5

f974bbe206b1024d07b92ddcd3066e69
SHA1

5412c243cb04bcdbba46aa6fb816383b7d7fbed3
SHA256

b72e2fb08b6d2863b4cf984fb2e89868527010a15e6d4689986b8d704ad63440
SHA512

d7fc6a162d9cb5b4edf91441f9175ef2705966064cb99b0707a3f1aa5dacd56f0af8abd52e5d3207d4d26016b228bf6ed2a68768d8f05c2fce4b80a4c87fbfdc

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1932	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1940	1932	powershell.exe	29
PID 1932 wrote to memory of 1940	1932	powershell.exe	29
PID 1932 wrote to memory of 1940	1932	powershell.exe	29
PID 1932 wrote to memory of 576	1932	powershell.exe	30
PID 1932 wrote to memory of 576	1932	powershell.exe	30
PID 1932 wrote to memory of 576	1932	powershell.exe	30
PID 1932 wrote to memory of 1516	1932	powershell.exe	31
PID 1932 wrote to memory of 1516	1932	powershell.exe	31
PID 1932 wrote to memory of 1516	1932	powershell.exe	31
PID 1932 wrote to memory of 836	1932	powershell.exe	32
PID 1932 wrote to memory of 836	1932	powershell.exe	32
PID 1932 wrote to memory of 836	1932	powershell.exe	32
PID 1932 wrote to memory of 776	1932	powershell.exe	33
PID 1932 wrote to memory of 776	1932	powershell.exe	33
PID 1932 wrote to memory of 776	1932	powershell.exe	33
PID 1932 wrote to memory of 332	1932	powershell.exe	34
PID 1932 wrote to memory of 332	1932	powershell.exe	34
PID 1932 wrote to memory of 332	1932	powershell.exe	34
PID 1932 wrote to memory of 1660	1932	powershell.exe	35
PID 1932 wrote to memory of 1660	1932	powershell.exe	35
PID 1932 wrote to memory of 1660	1932	powershell.exe	35
PID 1932 wrote to memory of 1356	1932	powershell.exe	36
PID 1932 wrote to memory of 1356	1932	powershell.exe	36
PID 1932 wrote to memory of 1356	1932	powershell.exe	36
PID 1932 wrote to memory of 596	1932	powershell.exe	37
PID 1932 wrote to memory of 596	1932	powershell.exe	37
PID 1932 wrote to memory of 596	1932	powershell.exe	37
PID 1932 wrote to memory of 1812	1932	powershell.exe	38
PID 1932 wrote to memory of 1812	1932	powershell.exe	38
PID 1932 wrote to memory of 1812	1932	powershell.exe	38
PID 1932 wrote to memory of 388	1932	powershell.exe	39
PID 1932 wrote to memory of 388	1932	powershell.exe	39
PID 1932 wrote to memory of 388	1932	powershell.exe	39

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\info.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\system32\replace.exe
  "C:\Windows\system32\replace.exe" "OEFpSleGvJLReEHDyCQdVRRvZddnYLfmOzaoMyfrleGvJnuIOcOyncGzVOkLzVOkL OEFpS w" leGvJ s
  2⤵
  PID:1940
- C:\Windows\system32\replace.exe
  "C:\Windows\system32\replace.exe" "No files replaced" LReEH c
  2⤵
  PID:576
- C:\Windows\system32\replace.exe
  "C:\Windows\system32\replace.exe" "No files replaced" DyCQd r
  2⤵
  PID:1516
- C:\Windows\system32\replace.exe
  "C:\Windows\system32\replace.exe" "No files replaced" VRRvZ i
  2⤵
  PID:836
- C:\Windows\system32\replace.exe
  "C:\Windows\system32\replace.exe" "No files replaced" ddnYL p
  2⤵
  PID:776
- C:\Windows\system32\replace.exe
  "C:\Windows\system32\replace.exe" "No files replaced" fmOza t
  2⤵
  PID:332
- C:\Windows\system32\replace.exe
  "C:\Windows\system32\replace.exe" "No files replaced" oMyfr .
  2⤵
  PID:1660
- C:\Windows\system32\replace.exe
  "C:\Windows\system32\replace.exe" "No files replaced" nuIOc h
  2⤵
  PID:1356
- C:\Windows\system32\replace.exe
  "C:\Windows\system32\replace.exe" "No files replaced" OyncG e
  2⤵
  PID:596
- C:\Windows\system32\replace.exe
  "C:\Windows\system32\replace.exe" "No files replaced" zVOkL l
  2⤵
  PID:1812
- C:\Windows\system32\replace.exe
  "C:\Windows\system32\replace.exe" "No files replaced"
  2⤵
  PID:388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1932-58-0x000000001B250000-0x000000001B532000-memory.dmp

Filesize
2.9MB

Download
memory/1932-59-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/1932-60-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/1932-61-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/1932-62-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/1932-63-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download