119fce76843634821d58e19aaf65538218b5ad0dcd547932fb80f63057c471ed

General

Target

test.ps1
Size

348B
MD5

ce68f0b393e0a4e77c425c8ec2750246
SHA1

3219c5306f6f57fcbb50f5f943438221ca965629
SHA256

119fce76843634821d58e19aaf65538218b5ad0dcd547932fb80f63057c471ed
SHA512

694f2e37c488f21b3963796cf1bc24f39cb8156caa251c0224a6e150a52eb3fa3f9e009c2767cdc6aad89e0424744f281b291240b5028f53d5d098d666379004

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1964	powershell.exe
1248	powershell.exe
1828	powershell.exe
588	powershell_ise.exe
1828	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	powershell.exe
Token: 33	1132	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1132	AUDIODG.EXE
Token: 33	1132	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1132	AUDIODG.EXE
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	588	powershell_ise.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\test.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1396

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4dc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Admin\AppData\Local\Temp\test.ps1"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.ps1

Filesize
347B

MD5
a8149fe806f4a9af9ee03178f44676d0

SHA1
026eff7f9a57c3e9b0e242a97434f8f645da189d

SHA256
287fbfa11e1e6418cd5ebc14ee3e1be383f46a88b6f2f4b03d4cd86976825379

SHA512
6909ce5a211309ff8e067b3bfaab5723a6a92aa1a1312d33e44280ebde8b05cfa6e8f30596e5717abd0aa2f29b2b7e3efee2ce9e7cc0ed3b60a54a4e20d63375

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
698e5a2fb3296eb5715a7d2ed40b1d21

SHA1
e523c1ed5ad46e20ab80c6aecb4c8e8fd5531c9c

SHA256
d9d011b7e4d55113cae7445d62138b3876b541040ca8c04e42d1d2698b311a79

SHA512
4a1cc406b892ff87f65857ad8fac08f498155236f96e39037ec82be8a25cc4aa29eb997aa2196af47e71c55467b067c3160a871cb08474538058cbcd94dc443b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bdc18e7dec30a8d979b324fe552410a0

SHA1
4a7538ef6d99d0251c796e2264cfcaf2474023c4

SHA256
228d104ce5b22e0b92d12882219d3ba46b89de059f5b0309a699a4e3ac513374

SHA512
4e5defe966ea299751c9ec2f7da55b33d3ca2fa667d53d5cc6ba7baeba7ca5939d12cfb4650ccac8b0f0f71e9cb0ad96def7ff57cecc5c5f3ed2bec3e4ddb657

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8Y2YIT7Z6E04OET24DLT.temp

Filesize
6KB

MD5
698e5a2fb3296eb5715a7d2ed40b1d21

SHA1
e523c1ed5ad46e20ab80c6aecb4c8e8fd5531c9c

SHA256
d9d011b7e4d55113cae7445d62138b3876b541040ca8c04e42d1d2698b311a79

SHA512
4a1cc406b892ff87f65857ad8fac08f498155236f96e39037ec82be8a25cc4aa29eb997aa2196af47e71c55467b067c3160a871cb08474538058cbcd94dc443b

Download Submit
memory/588-98-0x0000000000F00000-0x0000000000F80000-memory.dmp

Filesize
512KB

Download
memory/588-101-0x0000000000F00000-0x0000000000F80000-memory.dmp

Filesize
512KB

Download
memory/588-102-0x0000000000F00000-0x0000000000F80000-memory.dmp

Filesize
512KB

Download
memory/588-99-0x0000000000F00000-0x0000000000F80000-memory.dmp

Filesize
512KB

Download
memory/588-90-0x0000000001010000-0x0000000001042000-memory.dmp

Filesize
200KB

Download
memory/588-97-0x0000000000F00000-0x0000000000F80000-memory.dmp

Filesize
512KB

Download
memory/588-96-0x0000000000F00000-0x0000000000F80000-memory.dmp

Filesize
512KB

Download
memory/588-95-0x0000000000F00000-0x0000000000F80000-memory.dmp

Filesize
512KB

Download
memory/588-94-0x0000000000F00000-0x0000000000F80000-memory.dmp

Filesize
512KB

Download
memory/588-103-0x0000000000F00000-0x0000000000F80000-memory.dmp

Filesize
512KB

Download
memory/588-104-0x0000000000F00000-0x0000000000F80000-memory.dmp

Filesize
512KB

Download
memory/588-92-0x0000000000E50000-0x0000000000E72000-memory.dmp

Filesize
136KB

Download
memory/588-91-0x0000000000E50000-0x0000000000E72000-memory.dmp

Filesize
136KB

Download
memory/1248-70-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/1248-74-0x000000000299B000-0x00000000029D2000-memory.dmp

Filesize
220KB

Download
memory/1248-69-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/1248-71-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/1248-72-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/1248-73-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/1828-88-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/1828-84-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/1828-81-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/1828-80-0x000000001B100000-0x000000001B3E2000-memory.dmp

Filesize
2.9MB

Download
memory/1828-83-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/1828-86-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/1828-105-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/1828-87-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/1828-85-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/1828-82-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/1828-100-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/1964-63-0x00000000026EB000-0x0000000002722000-memory.dmp

Filesize
220KB

Download
memory/1964-61-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/1964-62-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/1964-60-0x00000000026E0000-0x0000000002760000-memory.dmp

Filesize
512KB

Download
memory/1964-58-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

Filesize
2.9MB

Download
memory/1964-59-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads