34b74e2b9ae6e258a15d60733c0347b2d5c9fa16fad69f06ea7f6c3babb051b4

Analysis

max time kernel
160s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

decoded-1.ps1
Size

2.0MB
MD5

3bf5594c0b70faace5320779b80e3ad3
SHA1

b856c2216614ea6702c92d58473148ccc61cfbf7
SHA256

34b74e2b9ae6e258a15d60733c0347b2d5c9fa16fad69f06ea7f6c3babb051b4
SHA512

39a8de54bf910acde07d1e7db8749cc56fadedf75c9a1d59fdcab62a4c6be43fffa55e152701701fbeb56a4a169b9b16593f20dfd4331ee79aa090963a774cb9
SSDEEP

24576:F2vCeT9iGxjLDosSjD3+5H8kl2JYmhO+qKBoYKnVjQ835NyQsZI/3/prLTM6UXXa:Fpa7HDIdJhonVjiG/3/aq

Score

1^/10

Malware Config

Signatures

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133549047073849898"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133549047164008881"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133549047179786776"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\PCT = "133534387575900771"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133534387579338267"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133549046776661195"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133549046713848524"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133549047000879938"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
720	powershell.exe
720	powershell.exe
720	powershell.exe
720	powershell.exe
720	powershell.exe
720	powershell.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe
780	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	720	powershell.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe
Token: SeTcbPrivilege	780	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
780	svchost.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 720 wrote to memory of 780	720	powershell.exe	10
PID 780 wrote to memory of 3248	780	svchost.exe	93
PID 780 wrote to memory of 3248	780	svchost.exe	93
PID 780 wrote to memory of 2516	780	svchost.exe	97
PID 780 wrote to memory of 2516	780	svchost.exe	97
PID 780 wrote to memory of 2516	780	svchost.exe	97
PID 780 wrote to memory of 3224	780	svchost.exe	98
PID 780 wrote to memory of 3224	780	svchost.exe	98
PID 780 wrote to memory of 5008	780	svchost.exe	99
PID 780 wrote to memory of 5008	780	svchost.exe	99
PID 780 wrote to memory of 5008	780	svchost.exe	99
PID 780 wrote to memory of 4292	780	svchost.exe	100
PID 780 wrote to memory of 4292	780	svchost.exe	100
PID 780 wrote to memory of 4292	780	svchost.exe	100
PID 780 wrote to memory of 5000	780	svchost.exe	101
PID 780 wrote to memory of 5000	780	svchost.exe	101
PID 780 wrote to memory of 5000	780	svchost.exe	101
PID 780 wrote to memory of 5092	780	svchost.exe	102
PID 780 wrote to memory of 5092	780	svchost.exe	102
PID 780 wrote to memory of 5092	780	svchost.exe	102
PID 780 wrote to memory of 3172	780	svchost.exe	103
PID 780 wrote to memory of 3172	780	svchost.exe	103
PID 780 wrote to memory of 3172	780	svchost.exe	103
PID 780 wrote to memory of 4368	780	svchost.exe	104
PID 780 wrote to memory of 4368	780	svchost.exe	104
PID 780 wrote to memory of 4368	780	svchost.exe	104
PID 780 wrote to memory of 4732	780	svchost.exe	105
PID 780 wrote to memory of 4732	780	svchost.exe	105
PID 780 wrote to memory of 4732	780	svchost.exe	105

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:3248
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2516
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:3224
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:5008
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:4292
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:5000
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:5092
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:3172
- C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  2⤵
  PID:4368
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\decoded-1.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1lrioxen.dn1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/720-1-0x000002A1C7E10000-0x000002A1C7E32000-memory.dmp

Filesize
136KB

Download
memory/720-10-0x00007FF9D2960000-0x00007FF9D3421000-memory.dmp

Filesize
10.8MB

Download
memory/720-11-0x000002A1E0230000-0x000002A1E0240000-memory.dmp

Filesize
64KB

Download
memory/720-12-0x000002A1E0230000-0x000002A1E0240000-memory.dmp

Filesize
64KB

Download
memory/720-13-0x00007FF9D2960000-0x00007FF9D3421000-memory.dmp

Filesize
10.8MB

Download
memory/720-14-0x000002A1E0230000-0x000002A1E0240000-memory.dmp

Filesize
64KB

Download
memory/720-15-0x000002A1E0230000-0x000002A1E0240000-memory.dmp

Filesize
64KB

Download
memory/720-16-0x000002A1E0230000-0x000002A1E0240000-memory.dmp

Filesize
64KB

Download
memory/720-17-0x0000000180000000-0x0000000180021000-memory.dmp

Filesize
132KB

Download
memory/720-20-0x000002A1F26F0000-0x000002A1F2761000-memory.dmp

Filesize
452KB

Download
memory/780-25-0x0000029FF71B0000-0x0000029FF71D1000-memory.dmp

Filesize
132KB

Download
memory/780-26-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download
memory/780-33-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download
memory/780-32-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download
memory/780-34-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download
memory/780-37-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download
memory/780-38-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download
memory/780-39-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download
memory/780-40-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download
memory/780-41-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download
memory/780-47-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download
memory/780-48-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download
memory/780-54-0x0000000180000000-0x0000000180051000-memory.dmp

Filesize
324KB

Download