a70f1205c1635b7d083f37ed66fa29bca72469a0eff3b9cd5d2bd45e9b496cd8

Analysis

max time kernel
126s
max time network
134s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
07/10/2023, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

exploit.ps1
Size

72B
MD5

2e5331c1f5c1268dbab9ac84298b4b44
SHA1

964d05fae63326a94fdad789c83cebd5918227fb
SHA256

a70f1205c1635b7d083f37ed66fa29bca72469a0eff3b9cd5d2bd45e9b496cd8
SHA512

fdbb407f379d87e4d17e7adee9fc3b2e8e77372bcd0797e447d109cdcbdf0956cc41d8de3562d06de067e6c1b11106169b1b2f4b9192b1b761edf03c840b4ad9

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2968	powershell.exe
2968	powershell.exe
2968	powershell.exe
920	powershell.exe
920	powershell.exe
920	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 920	2968	powershell.exe	71
PID 2968 wrote to memory of 920	2968	powershell.exe	71

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\exploit.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Get-AppxPackage -name AD2F1837.OMENCommandCenter
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
a3c5ead89aff0068aa77e8e05e6cb2e3

SHA1
e5b04b97f2db197fb1b6ec721c51c87fb559daa8

SHA256
651d38b377e3a9a0a552318884467ab892054061704f39e9d7aad68d4e270af9

SHA512
68d362f69ec0e1b0e0a52eb11241339e25ed4601bbaa0ae2641baec868cc9294a353899bb7e42d80fb807f820dfa3344cd8ad3c3fae56f8bdfe19082faca825a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
113fe54543ee64e10f911fef24363402

SHA1
b60175c67d2e76d422295b0a7bba995fc2c6a727

SHA256
ac43d9e071cd671e1864189e21016580b42ea43879de83ddd5d632a07e6187b5

SHA512
4be3e5fc8422c292d667d18b03238700c52cdc15bfc0b4c615452ffd6956939f4b0b0473e950a2a45febbf0a09b34d07f80c6274b3e52ab2713c577f4a418720

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jwodkzkq.3jy.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/920-106-0x00007FFF93F50000-0x00007FFF9493C000-memory.dmp

Filesize
9.9MB

Download
memory/920-101-0x000001FD79730000-0x000001FD79744000-memory.dmp

Filesize
80KB

Download
memory/920-102-0x000001FD794A0000-0x000001FD794AA000-memory.dmp

Filesize
40KB

Download
memory/920-23-0x00007FFF93F50000-0x00007FFF9493C000-memory.dmp

Filesize
9.9MB

Download
memory/920-26-0x000001FD79620000-0x000001FD79630000-memory.dmp

Filesize
64KB

Download
memory/920-27-0x000001FD79620000-0x000001FD79630000-memory.dmp

Filesize
64KB

Download
memory/920-74-0x000001FD79620000-0x000001FD79630000-memory.dmp

Filesize
64KB

Download
memory/2968-10-0x00000283A3E80000-0x00000283A3EF6000-memory.dmp

Filesize
472KB

Download
memory/2968-9-0x00000283A3BF0000-0x00000283A3C00000-memory.dmp

Filesize
64KB

Download
memory/2968-4-0x00000283A3B60000-0x00000283A3B82000-memory.dmp

Filesize
136KB

Download
memory/2968-107-0x00000283A3BF0000-0x00000283A3C00000-memory.dmp

Filesize
64KB

Download
memory/2968-8-0x00000283A3BF0000-0x00000283A3C00000-memory.dmp

Filesize
64KB

Download
memory/2968-7-0x00007FFF93F50000-0x00007FFF9493C000-memory.dmp

Filesize
9.9MB

Download
memory/2968-112-0x00007FFF93F50000-0x00007FFF9493C000-memory.dmp

Filesize
9.9MB

Download