d099e992c101378e0d4a78ed5571c56cf12dfdeb9bbdb51d495e0e5757216720

Analysis

max time kernel
10s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f514fc3d5d4af0d0db147029fed2a9c32e5070fa8edb2b032660e94fa6acb47.ps1
Size

45KB
MD5

b591c1d713aef7e11c8aecc76cdce72f
SHA1

8a27731c07960c757428abab7428ec94235fbcd6
SHA256

4f514fc3d5d4af0d0db147029fed2a9c32e5070fa8edb2b032660e94fa6acb47
SHA512

ccd3ac198b112a95e9ab2edf762f634901e2c48662987237d753c5de30fabb54f36b5e8d3a77a02cc02f1824a205c6c2a76c5323af46aaaf35176805110c8b47
SSDEEP

384:m3S+d00Z0CtJwhdGFgzEkUwpr7aF6KW1zImuLNkSaa1er4YUnibfdzLhwemjbzC0:miFQAakAq04r8FMva5

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4064 powershell.exe
1612 powershell.exe
Drops file in Windows directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\updates.ps1 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4064 powershell.exe
4064 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4064 powershell.exe

pid	process
4064	powershell.exe
1612	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\updates.ps1	powershell.exe

pid	process
4064	powershell.exe
4064	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4064	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\4f514fc3d5d4af0d0db147029fed2a9c32e5070fa8edb2b032660e94fa6acb47.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -File C:\Windows\updates.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:1336

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
da627768ba66de29745f5da58a41e881

SHA1
4eeaac06916906a7651a8706dfcec571031e20bd

SHA256
8b1f0b64f0d7667c09bbfc496f5500b0eb04bbd8e54f3a2992363cb1a0b6e298

SHA512
f916080cb108623107e2db8b125a75709d3605ef7605dd1b4ff3af22f06acb5061ab4fd2f04aec22d88547d33f6b5cdea19f378fc0ad29117f1f8af0dbd7328c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
232B

MD5
85ff326e9d3af4ac7cace8d6e5d1057b

SHA1
fa30f5a77fe80edcad7e995e3e831e983ec8025f

SHA256
1d9ab040261e4e54d10d872533cd2eeee0ee3fbbce219e17e35b107151855838

SHA512
b9652fdb8b1ee469eaa901f2f76d35aa90f25f1589b6886c8f73822c44bc63ca89ea4d3472cacc6141a667a41603de81959a299e3dc8ec3e995bf5749ac37c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4hkefovk.ziy.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\updates.ps1
Filesize
43KB

MD5
d9a4b64d20c6860f12b6da0ecd53983a

SHA1
b3e8c9479370807c009bfb8ba46566a3e3e0893d

SHA256
2e5ddfeff91ad3ba0ea2446912cef3b7f2b905cb3eb9f3d3ea51f512a13b53ad

SHA512
10afb3130e4fb0af1a4efb618ed70f017fde98091927dd23a82fb8c228ea78b1ea6b1b644e4c2d733e21d8f152ec89fac11938d1d9ec38558a8319922ee2e6b3

Download Submit
memory/1612-28-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/1612-15-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/1612-25-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/1612-31-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/1612-36-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/4064-13-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/4064-0-0x00007FFD774B3000-0x00007FFD774B5000-memory.dmp

Filesize
8KB

Download
memory/4064-29-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/4064-30-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/4064-12-0x000001AAFEE40000-0x000001AAFEE62000-memory.dmp

Filesize
136KB

Download
memory/4064-2-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/4064-1-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download