b72e2fb08b6d2863b4cf984fb2e89868527010a15e6d4689986b8d704ad63440

Analysis

max time kernel
79s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-03-2023 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

info.ps1
Size

766B
MD5

f974bbe206b1024d07b92ddcd3066e69
SHA1

5412c243cb04bcdbba46aa6fb816383b7d7fbed3
SHA256

b72e2fb08b6d2863b4cf984fb2e89868527010a15e6d4689986b8d704ad63440
SHA512

d7fc6a162d9cb5b4edf91441f9175ef2705966064cb99b0707a3f1aa5dacd56f0af8abd52e5d3207d4d26016b228bf6ed2a68768d8f05c2fce4b80a4c87fbfdc

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4608	powershell.exe
4608	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 4732	4608	powershell.exe	87
PID 4608 wrote to memory of 4732	4608	powershell.exe	87
PID 4608 wrote to memory of 820	4608	powershell.exe	88
PID 4608 wrote to memory of 820	4608	powershell.exe	88
PID 4608 wrote to memory of 2304	4608	powershell.exe	89
PID 4608 wrote to memory of 2304	4608	powershell.exe	89
PID 4608 wrote to memory of 1684	4608	powershell.exe	90
PID 4608 wrote to memory of 1684	4608	powershell.exe	90
PID 4608 wrote to memory of 3560	4608	powershell.exe	91
PID 4608 wrote to memory of 3560	4608	powershell.exe	91
PID 4608 wrote to memory of 1204	4608	powershell.exe	92
PID 4608 wrote to memory of 1204	4608	powershell.exe	92
PID 4608 wrote to memory of 2672	4608	powershell.exe	93
PID 4608 wrote to memory of 2672	4608	powershell.exe	93
PID 4608 wrote to memory of 3260	4608	powershell.exe	94
PID 4608 wrote to memory of 3260	4608	powershell.exe	94
PID 4608 wrote to memory of 3316	4608	powershell.exe	95
PID 4608 wrote to memory of 3316	4608	powershell.exe	95
PID 4608 wrote to memory of 4304	4608	powershell.exe	96
PID 4608 wrote to memory of 4304	4608	powershell.exe	96
PID 4608 wrote to memory of 4800	4608	powershell.exe	97
PID 4608 wrote to memory of 4800	4608	powershell.exe	97

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\info.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\system32\replace.exe
  "C:\Windows\system32\replace.exe" "OEFpSleGvJLReEHDyCQdVRRvZddnYLfmOzaoMyfrleGvJnuIOcOyncGzVOkLzVOkL OEFpS w" leGvJ s
  2⤵
  PID:4732
- C:\Windows\system32\replace.exe
  "C:\Windows\system32\replace.exe" "No files replaced" LReEH c
  2⤵
  PID:820
- C:\Windows\system32\replace.exe
  "C:\Windows\system32\replace.exe" "No files replaced" DyCQd r
  2⤵
  PID:2304
- C:\Windows\system32\replace.exe
  "C:\Windows\system32\replace.exe" "No files replaced" VRRvZ i
  2⤵
  PID:1684
- C:\Windows\system32\replace.exe
  "C:\Windows\system32\replace.exe" "No files replaced" ddnYL p
  2⤵
  PID:3560
- C:\Windows\system32\replace.exe
  "C:\Windows\system32\replace.exe" "No files replaced" fmOza t
  2⤵
  PID:1204
- C:\Windows\system32\replace.exe
  "C:\Windows\system32\replace.exe" "No files replaced" oMyfr .
  2⤵
  PID:2672
- C:\Windows\system32\replace.exe
  "C:\Windows\system32\replace.exe" "No files replaced" nuIOc h
  2⤵
  PID:3260
- C:\Windows\system32\replace.exe
  "C:\Windows\system32\replace.exe" "No files replaced" OyncG e
  2⤵
  PID:3316
- C:\Windows\system32\replace.exe
  "C:\Windows\system32\replace.exe" "No files replaced" zVOkL l
  2⤵
  PID:4304
- C:\Windows\system32\replace.exe
  "C:\Windows\system32\replace.exe" "No files replaced"
  2⤵
  PID:4800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1pvkt4zz.w3p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4608-133-0x000001B2E4960000-0x000001B2E4982000-memory.dmp

Filesize
136KB

Download
memory/4608-143-0x000001B2E4620000-0x000001B2E4630000-memory.dmp

Filesize
64KB

Download
memory/4608-144-0x000001B2E4620000-0x000001B2E4630000-memory.dmp

Filesize
64KB

Download