52171e2ce416f16ddfc7eae063a610badf15a83da5fef831b0acd05e54906c59

Analysis

max time kernel
3s
max time network
4s
platform
windows7_x64
resource
win7-20231130-en
resource tags

arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
submitted
11-12-2023 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

decoded_3stage.ps1
Size

1023B
MD5

49e37de2f7edc6ec685b974554e7f2fa
SHA1

a7ce3554a0c0d9e5c95bcc0f8bcd92ad18099a23
SHA256

52171e2ce416f16ddfc7eae063a610badf15a83da5fef831b0acd05e54906c59
SHA512

2ca054158129052877d8ba4bae81abd8bda8abde508ee17edaf3de304a7d584b759f40fb2605c3b3aea1380f40f9d0d7b70b04e01f83247440dc1ac91a02e019

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

3 2116 powershell.exe
5 2116 powershell.exe
7 2116 powershell.exe
10 2116 powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2116 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2116 powershell.exe

flow	pid	process
3	2116	powershell.exe
5	2116	powershell.exe
7	2116	powershell.exe
10	2116	powershell.exe

pid	process
2116	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2116	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\decoded_3stage.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f073a7bf4f36ec0b155eef5eedd17bf9

SHA1
2d9815beb3d8df6236334373af5ca883444333d3

SHA256
5d2fa5560657b4be9b33a93f0e731cc4adf87bebe38d249524de2e6826be523a

SHA512
f3fabd7d163e716aee7ac1f31fa77ec8809317c39e6dc371a72c3004a5bab5fdf5d3ef3885852c038fee7df09b8dbc2c7b71f8e1358c3ce80da928ef54972e89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
c38d26f1a5b39185f081059226d3a995

SHA1
60522779c08e46754b2051ab5fa5c3f9a789ebd7

SHA256
1fad89b86a21cd6deebdcf154900cd642647ac1d65672d2745aad09440114622

SHA512
9d2d50eac478614c06af07a74f127cc021caab066db002ab031c538686edf2b7ecb8dde5da0e91a2b9b620314ba646f761f418f18ef1c26a992b4b74b193cb38

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE96.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2116-8-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2116-11-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2116-10-0x000007FEF4890000-0x000007FEF522D000-memory.dmp

Filesize
9.6MB

Download
memory/2116-4-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2116-9-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2116-5-0x000007FEF4890000-0x000007FEF522D000-memory.dmp

Filesize
9.6MB

Download
memory/2116-6-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2116-7-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2116-98-0x0000000002BC0000-0x0000000002BCA000-memory.dmp

Filesize
40KB

Download
memory/2116-99-0x000007FEF4890000-0x000007FEF522D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads