700de07f8e4c2dc0748ebaa14a664a1cc1055a1d3da877d2bc146b2d816222b6

Analysis

max time kernel
9s
max time network
19s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 13:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

script.ps1
Size

118B
MD5

b23e085a1e14692c07bbdedef44d60fe
SHA1

2a54f313e9ae87abc74e87eab42e5c89348c6854
SHA256

700de07f8e4c2dc0748ebaa14a664a1cc1055a1d3da877d2bc146b2d816222b6
SHA512

78654ff49e1cb4d5aacc717827efc7fca4a894bf388e2cd5cd77e0a0e4244e6b5a3b145927d51500ae198030186debc10b91d6db6c15e27411d1fc71e4fe0d65

Score

3^/10

discovery execution

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1596	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1596	powershell.exe
1596	powershell.exe
4076	msedge.exe
4076	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1596	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 4036	1356	msedge.exe	92
PID 1356 wrote to memory of 4036	1356	msedge.exe	92
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4824	1356	msedge.exe	93
PID 1356 wrote to memory of 4076	1356	msedge.exe	94
PID 1356 wrote to memory of 4076	1356	msedge.exe	94
PID 1356 wrote to memory of 2624	1356	msedge.exe	95
PID 1356 wrote to memory of 2624	1356	msedge.exe	95
PID 1356 wrote to memory of 2624	1356	msedge.exe	95
PID 1356 wrote to memory of 2624	1356	msedge.exe	95
PID 1356 wrote to memory of 2624	1356	msedge.exe	95
PID 1356 wrote to memory of 2624	1356	msedge.exe	95
PID 1356 wrote to memory of 2624	1356	msedge.exe	95
PID 1356 wrote to memory of 2624	1356	msedge.exe	95
PID 1356 wrote to memory of 2624	1356	msedge.exe	95
PID 1356 wrote to memory of 2624	1356	msedge.exe	95
PID 1356 wrote to memory of 2624	1356	msedge.exe	95
PID 1356 wrote to memory of 2624	1356	msedge.exe	95
PID 1356 wrote to memory of 2624	1356	msedge.exe	95
PID 1356 wrote to memory of 2624	1356	msedge.exe	95
PID 1356 wrote to memory of 2624	1356	msedge.exe	95
PID 1356 wrote to memory of 2624	1356	msedge.exe	95
PID 1356 wrote to memory of 2624	1356	msedge.exe	95
PID 1356 wrote to memory of 2624	1356	msedge.exe	95
PID 1356 wrote to memory of 2624	1356	msedge.exe	95
PID 1356 wrote to memory of 2624	1356	msedge.exe	95

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault6c17383bh3ffdh41c9hbe37h3789b80764b0
1⤵
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbf8b346f8,0x7ffbf8b34708,0x7ffbf8b34718
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,5924960090186395473,13649891091340871967,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,5924960090186395473,13649891091340871967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,5924960090186395473,13649891091340871967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:2624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a32f84a44515667b65f9a6c4c21ed82f

SHA1
b5e3f9ea86fc19e1d3336741a0cb080a90de4416

SHA256
d59cefc47ec7f346575b5fd07ecc3a4d29ffab98688ff302afcfdfa0d5024fe7

SHA512
3fb4127532efdeee04f84ddaeb00214ee8a070ff9c57ccdd65d63e7f9c286ef882017c5cb220c0535d816d7fce9963ed2fe96f553ea52698d9299086a3ce8f81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
8eb2f046060701b2bd62e6699d0581c5

SHA1
bc96d4b8c11665281a544d3a5c390a7554b35773

SHA256
760f00ea413da099269fa13da319a1b5d07c6ee6731527acf7d898dbb5dd4133

SHA512
3b1e4d11fa84c6f96cd4fa5ba25eb8b19382b97906fd7260bbbc89f257bcb76f1193c618457cf322a013d83860f6f3f5e5ea2596b7f008b4f575370efe5aaa6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j5h1rfz2.sad.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1596-0-0x00007FFC001D3000-0x00007FFC001D5000-memory.dmp

Filesize
8KB

Download
memory/1596-10-0x000002E4FE690000-0x000002E4FE6B2000-memory.dmp

Filesize
136KB

Download
memory/1596-11-0x00007FFC001D0000-0x00007FFC00C91000-memory.dmp

Filesize
10.8MB

Download
memory/1596-12-0x00007FFC001D0000-0x00007FFC00C91000-memory.dmp

Filesize
10.8MB

Download
memory/1596-62-0x00007FFC001D3000-0x00007FFC001D5000-memory.dmp

Filesize
8KB

Download
memory/1596-63-0x00007FFC001D0000-0x00007FFC00C91000-memory.dmp

Filesize
10.8MB

Download
memory/1596-64-0x00007FFC001D0000-0x00007FFC00C91000-memory.dmp

Filesize
10.8MB

Download