42b3c16e50a12f0d06292d00c93bcfbb66b6a34167720912501e68abaf4ce813

Analysis

max time kernel
80s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2023, 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Google1.ps1
Size

46KB
MD5

7ea235cdecfd28871729b498e48ac69f
SHA1

b94cc4445cc0ebaf6906d1d96115700e255e4265
SHA256

42b3c16e50a12f0d06292d00c93bcfbb66b6a34167720912501e68abaf4ce813
SHA512

29ff6cf49672cbeb68fb8b4297648bd1934af667c109a80b624f9196188c4798acb6aa89ccc308f03265c40d5ad3af33240a4af634abe0c53a85f2043de58e88
SSDEEP

768:XK8eLIllhBDRLLjiSHtRr+NJHhbllNllJllPpllllllTlhSnrj91lgmldllolPl+:a8eLIllhBR9tRr+NJHhbllNllJllPplY

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
15	4376	powershell.exe
33	3232	powershell.exe
59	4924	powershell.exe
60	4456	powershell.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4376	powershell.exe
4376	powershell.exe
3232	powershell.exe
3232	powershell.exe
3908	powershell_ise.exe
3908	powershell_ise.exe
3908	powershell_ise.exe
4924	powershell.exe
4924	powershell.exe
4456	powershell.exe
4456	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeDebugPrivilege	3908	powershell_ise.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 3232	4376	powershell.exe	83
PID 4376 wrote to memory of 3232	4376	powershell.exe	83
PID 4376 wrote to memory of 3232	4376	powershell.exe	83
PID 4924 wrote to memory of 4456	4924	powershell.exe	99
PID 4924 wrote to memory of 4456	4924	powershell.exe	99
PID 4924 wrote to memory of 4456	4924	powershell.exe	99

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Google1.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -w hidden -noexit
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3232

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Admin\AppData\Local\Temp\Google1.ps1"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\AppData\Local\Temp\Google1.ps1'"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -w hidden -noexit
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
3337d66209faa998d52d781d0ff2d804

SHA1
6594b85a70f998f79f43cdf1ca56137997534156

SHA256
9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd

SHA512
8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aebac5c675b6f5e1b269cd675462053d

SHA1
9c507c4b088478a1630b7234fb9119fb163a6470

SHA256
06522b0bb3a7721832f46a1d624fdead0dbf1c3a60af4d1b704eae56d2330a55

SHA512
14ea92698ab803c4ee0895b8c5931175be4c4285d00309a524d4b360adf64e44d32b43bff58f178fa3d744979d77a5dfffade20c7d01c4ac5bbb545a4b6e6b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ucb4tlvv.wyx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
16KB

MD5
39c10ad786dfbce05c6b0c99c42423f4

SHA1
f977a6637b8b4096a94030d7690d9470e3e4514e

SHA256
06aa640287cb704083a7c397ad0d40c585bc688fbbf919ea56d5e675ba0486a6

SHA512
a18a25038cd7e795dd590c7001d6b13f861a5bb8404ed91538dc53174bb7c9377b3540d4d38ae8f271ea1bc4db601a51469ae53727cbcfe252befc1ca28b24ac

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
16KB

MD5
39c10ad786dfbce05c6b0c99c42423f4

SHA1
f977a6637b8b4096a94030d7690d9470e3e4514e

SHA256
06aa640287cb704083a7c397ad0d40c585bc688fbbf919ea56d5e675ba0486a6

SHA512
a18a25038cd7e795dd590c7001d6b13f861a5bb8404ed91538dc53174bb7c9377b3540d4d38ae8f271ea1bc4db601a51469ae53727cbcfe252befc1ca28b24ac

Download Submit
memory/3232-165-0x00000000065C0000-0x00000000065DE000-memory.dmp

Filesize
120KB

Download
memory/3232-170-0x00000000079B0000-0x0000000007A46000-memory.dmp

Filesize
600KB

Download
memory/3232-151-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/3232-153-0x00000000056E0000-0x0000000005702000-memory.dmp

Filesize
136KB

Download
memory/3232-154-0x0000000005780000-0x00000000057E6000-memory.dmp

Filesize
408KB

Download
memory/3232-155-0x0000000005F30000-0x0000000005F96000-memory.dmp

Filesize
408KB

Download
memory/3232-150-0x0000000005890000-0x0000000005EB8000-memory.dmp

Filesize
6.2MB

Download
memory/3232-166-0x0000000006B70000-0x0000000006BB4000-memory.dmp

Filesize
272KB

Download
memory/3232-147-0x0000000002CB0000-0x0000000002CE6000-memory.dmp

Filesize
216KB

Download
memory/3232-168-0x0000000007F20000-0x000000000859A000-memory.dmp

Filesize
6.5MB

Download
memory/3232-169-0x00000000078D0000-0x00000000078EA000-memory.dmp

Filesize
104KB

Download
memory/3232-152-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/3232-171-0x0000000007960000-0x0000000007982000-memory.dmp

Filesize
136KB

Download
memory/3232-172-0x0000000008B50000-0x00000000090F4000-memory.dmp

Filesize
5.6MB

Download
memory/3232-173-0x0000000007AE0000-0x0000000007B2A000-memory.dmp

Filesize
296KB

Download
memory/3232-174-0x0000000007D80000-0x0000000007DF6000-memory.dmp

Filesize
472KB

Download
memory/3232-175-0x0000000008870000-0x0000000008A32000-memory.dmp

Filesize
1.8MB

Download
memory/3232-176-0x0000000009FC0000-0x000000000A4EC000-memory.dmp

Filesize
5.2MB

Download
memory/3232-177-0x00000000087B0000-0x0000000008842000-memory.dmp

Filesize
584KB

Download
memory/3232-178-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/3232-179-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/3908-182-0x000001EED0060000-0x000001EED00AA000-memory.dmp

Filesize
296KB

Download
memory/3908-236-0x000001EED28E0000-0x000001EED28E8000-memory.dmp

Filesize
32KB

Download
memory/3908-183-0x000001EEB39C0000-0x000001EEB39D0000-memory.dmp

Filesize
64KB

Download
memory/3908-184-0x000001EECEE50000-0x000001EECEE5E000-memory.dmp

Filesize
56KB

Download
memory/3908-185-0x000001EECEEA0000-0x000001EECEED8000-memory.dmp

Filesize
224KB

Download
memory/3908-190-0x000001EECEE80000-0x000001EECEE88000-memory.dmp

Filesize
32KB

Download
memory/3908-200-0x000001EECF100000-0x000001EECF108000-memory.dmp

Filesize
32KB

Download
memory/3908-201-0x000001EECF110000-0x000001EECF118000-memory.dmp

Filesize
32KB

Download
memory/3908-203-0x000001EEB39C0000-0x000001EEB39D0000-memory.dmp

Filesize
64KB

Download
memory/3908-202-0x000001EEB39C0000-0x000001EEB39D0000-memory.dmp

Filesize
64KB

Download
memory/3908-204-0x000001EED0390000-0x000001EED0398000-memory.dmp

Filesize
32KB

Download
memory/3908-205-0x000001EED03F0000-0x000001EED0416000-memory.dmp

Filesize
152KB

Download
memory/3908-181-0x000001EEB3610000-0x000001EEB3648000-memory.dmp

Filesize
224KB

Download
memory/3908-216-0x000001EED28E0000-0x000001EED28FC000-memory.dmp

Filesize
112KB

Download
memory/3908-226-0x000001EED03E0000-0x000001EED03EA000-memory.dmp

Filesize
40KB

Download
memory/3908-252-0x000001EEB39C0000-0x000001EEB39D0000-memory.dmp

Filesize
64KB

Download
memory/3908-246-0x000001EED28F0000-0x000001EED28FA000-memory.dmp

Filesize
40KB

Download
memory/3908-247-0x00007FF413010000-0x00007FF413020000-memory.dmp

Filesize
64KB

Download
memory/3908-248-0x000001EEB39C0000-0x000001EEB39D0000-memory.dmp

Filesize
64KB

Download
memory/3908-249-0x000001EEB39C0000-0x000001EEB39D0000-memory.dmp

Filesize
64KB

Download
memory/3908-250-0x000001EEB39C0000-0x000001EEB39D0000-memory.dmp

Filesize
64KB

Download
memory/3908-251-0x000001EEB39C0000-0x000001EEB39D0000-memory.dmp

Filesize
64KB

Download
memory/4376-133-0x000001AB30910000-0x000001AB30920000-memory.dmp

Filesize
64KB

Download
memory/4376-146-0x000001AB30910000-0x000001AB30920000-memory.dmp

Filesize
64KB

Download
memory/4376-140-0x000001AB30880000-0x000001AB308A2000-memory.dmp

Filesize
136KB

Download
memory/4376-134-0x000001AB30910000-0x000001AB30920000-memory.dmp

Filesize
64KB

Download
memory/4456-295-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/4456-296-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/4924-271-0x00000260A60D0000-0x00000260A60E0000-memory.dmp

Filesize
64KB

Download
memory/4924-272-0x00000260A60D0000-0x00000260A60E0000-memory.dmp

Filesize
64KB

Download
memory/4924-273-0x00000260A60D0000-0x00000260A60E0000-memory.dmp

Filesize
64KB

Download
memory/4924-284-0x00007FF493140000-0x00007FF493150000-memory.dmp

Filesize
64KB

Download