33748edd5c325017cd85c2947a09b76c85e39f2ead4cdca27dd98d88ee85ee46

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2023, 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

decoded-1.ps1
Size

2.3MB
MD5

21331179134ae3f3ca6900a7360963d5
SHA1

6a8ac0f30a99458997db9b251cd03865ed331d22
SHA256

33748edd5c325017cd85c2947a09b76c85e39f2ead4cdca27dd98d88ee85ee46
SHA512

bf0236227db445c1b76b593105b492b943e26fb0ca41f0ccf6c628033a788afe8fff6b45000877a9a41d9bdf82319381614b11d38c2783f56dd3e8b053295d41
SSDEEP

24576:B6urEQPH7ZOZ9927in/4Q+ROEnL1rtn6jhFvXVgyENsfP+DkLA6AWEyD2cMkVKSo:B6EEw54jduG2kqTAo

Score

1^/10

Malware Config

Signatures

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133463774786535265"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133455822524836547"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133463775119660507"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133463775861379337"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133463775867629422"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133463775873567038"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133463775461692210"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133463775865129032"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\PCT = "133455822521857033"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133455822515450888"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133463775127632254"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133463774801378798"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133463775446067538"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy	svchost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4448	powershell.exe
4448	powershell.exe
4448	powershell.exe
4448	powershell.exe
4448	powershell.exe
4448	powershell.exe
804	svchost.exe
804	svchost.exe
804	svchost.exe
804	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe
Token: SeTcbPrivilege	804	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
804	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 804	4448	powershell.exe	85
PID 804 wrote to memory of 1888	804	svchost.exe	102
PID 804 wrote to memory of 1888	804	svchost.exe	102
PID 804 wrote to memory of 1888	804	svchost.exe	102
PID 804 wrote to memory of 3152	804	svchost.exe	103
PID 804 wrote to memory of 3152	804	svchost.exe	103
PID 804 wrote to memory of 3152	804	svchost.exe	103
PID 804 wrote to memory of 3752	804	svchost.exe	104
PID 804 wrote to memory of 3752	804	svchost.exe	104
PID 804 wrote to memory of 3752	804	svchost.exe	104
PID 804 wrote to memory of 2240	804	svchost.exe	105
PID 804 wrote to memory of 2240	804	svchost.exe	105
PID 804 wrote to memory of 3764	804	svchost.exe	106
PID 804 wrote to memory of 3764	804	svchost.exe	106
PID 804 wrote to memory of 3024	804	svchost.exe	108
PID 804 wrote to memory of 3024	804	svchost.exe	108
PID 804 wrote to memory of 3024	804	svchost.exe	108
PID 804 wrote to memory of 4432	804	svchost.exe	109
PID 804 wrote to memory of 4432	804	svchost.exe	109
PID 804 wrote to memory of 4432	804	svchost.exe	109
PID 804 wrote to memory of 4984	804	svchost.exe	110
PID 804 wrote to memory of 4984	804	svchost.exe	110
PID 804 wrote to memory of 4900	804	svchost.exe	111
PID 804 wrote to memory of 4900	804	svchost.exe	111

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\decoded-1.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1888
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3152
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3752
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2240
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:3764
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3024
- C:\Windows\system32\BackgroundTaskHost.exe
  "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
  2⤵
  PID:4432
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4984
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:4900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c3r3nr4r.v3o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/804-40-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download
memory/804-39-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download
memory/804-49-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download
memory/804-46-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download
memory/804-30-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download
memory/804-37-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download
memory/804-36-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download
memory/804-31-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download
memory/804-32-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download
memory/804-35-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download
memory/804-22-0x000001EFDE890000-0x000001EFDE8B1000-memory.dmp

Filesize
132KB

Download
memory/804-23-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download
memory/4448-10-0x00007FF8F94D0000-0x00007FF8F9F91000-memory.dmp

Filesize
10.8MB

Download
memory/4448-29-0x00007FF8F94D0000-0x00007FF8F9F91000-memory.dmp

Filesize
10.8MB

Download
memory/4448-18-0x00000236E8180000-0x00000236E8205000-memory.dmp

Filesize
532KB

Download
memory/4448-14-0x0000000180000000-0x0000000180021000-memory.dmp

Filesize
132KB

Download
memory/4448-13-0x00000236E7C30000-0x00000236E7C40000-memory.dmp

Filesize
64KB

Download
memory/4448-9-0x00000236E7DB0000-0x00000236E7DD2000-memory.dmp

Filesize
136KB

Download
memory/4448-12-0x00000236E7C30000-0x00000236E7C40000-memory.dmp

Filesize
64KB

Download
memory/4448-48-0x00000236E7C30000-0x00000236E7C40000-memory.dmp

Filesize
64KB

Download
memory/4448-47-0x00000236E7C30000-0x00000236E7C40000-memory.dmp

Filesize
64KB

Download
memory/4448-11-0x00000236E7C30000-0x00000236E7C40000-memory.dmp

Filesize
64KB

Download
memory/4448-56-0x00000236E7C30000-0x00000236E7C40000-memory.dmp

Filesize
64KB

Download