42b3c16e50a12f0d06292d00c93bcfbb66b6a34167720912501e68abaf4ce813

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07/06/2023, 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Google1.ps1
Size

46KB
MD5

7ea235cdecfd28871729b498e48ac69f
SHA1

b94cc4445cc0ebaf6906d1d96115700e255e4265
SHA256

42b3c16e50a12f0d06292d00c93bcfbb66b6a34167720912501e68abaf4ce813
SHA512

29ff6cf49672cbeb68fb8b4297648bd1934af667c109a80b624f9196188c4798acb6aa89ccc308f03265c40d5ad3af33240a4af634abe0c53a85f2043de58e88
SSDEEP

768:XK8eLIllhBDRLLjiSHtRr+NJHhbllNllJllPpllllllTlhSnrj91lgmldllolPl+:a8eLIllhBR9tRr+NJHhbllNllJllPplY

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1408	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1624	powershell.exe
1624	powershell.exe
1624	powershell.exe
1408	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 1408	1624	powershell.exe	28
PID 1624 wrote to memory of 1408	1624	powershell.exe	28
PID 1624 wrote to memory of 1408	1624	powershell.exe	28
PID 1624 wrote to memory of 1408	1624	powershell.exe	28

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Google1.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -w hidden -noexit
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\9be9357d0c3af53a27d9877c784e4808_7cb1702c-0be5-45ad-8dac-6cdb371ef9cc

Filesize
2KB

MD5
8de91c4f830956990012f9fd1269e490

SHA1
5396852c5a98d586d3970638bebf52ac4d7da6b9

SHA256
4b1f314ed0d2dd0aedd922297f2b16cce1d5716a24469b72a9e17ea43bc40433

SHA512
4c0ef84683613edb6196a43e2da73c58203e080cdee1c4119ad6b3823db137fec0628eb7fa8f34a7da93aa142a13b001168959d59cb425ae858372b5d7f2d555

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5WZVWGTPHNUF3HECVHXK.temp

Filesize
7KB

MD5
e178ce135bbcd58da6ae5a3be06ed3b0

SHA1
d9aa84fa25f23b335980548cd0722ea94289dbed

SHA256
d8ff6efc92072fe7f1bce813fa6520e65db87be49d8fe2a6b22ccfa4935d72c8

SHA512
8b7f2d559ecef05085e3e3f3bb1b75cefc996b840b4332f4fbf8a92e912d5a5b5bc1e4ce51e217b26e8d5a13b749ee1d830204ec0441800ea7b0852ce97ba920

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
16KB

MD5
39c10ad786dfbce05c6b0c99c42423f4

SHA1
f977a6637b8b4096a94030d7690d9470e3e4514e

SHA256
06aa640287cb704083a7c397ad0d40c585bc688fbbf919ea56d5e675ba0486a6

SHA512
a18a25038cd7e795dd590c7001d6b13f861a5bb8404ed91538dc53174bb7c9377b3540d4d38ae8f271ea1bc4db601a51469ae53727cbcfe252befc1ca28b24ac

Download Submit
memory/1408-68-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/1408-67-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/1408-79-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/1408-78-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/1408-80-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/1624-61-0x0000000002370000-0x00000000023F0000-memory.dmp

Filesize
512KB

Download
memory/1624-62-0x0000000002370000-0x00000000023F0000-memory.dmp

Filesize
512KB

Download
memory/1624-64-0x0000000002370000-0x00000000023F0000-memory.dmp

Filesize
512KB

Download
memory/1624-60-0x0000000002370000-0x00000000023F0000-memory.dmp

Filesize
512KB

Download
memory/1624-58-0x000000001B040000-0x000000001B322000-memory.dmp

Filesize
2.9MB

Download
memory/1624-59-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download