Analysis
-
max time kernel
223s -
max time network
156s -
platform
windows10_x64 -
resource
win10v200410 -
submitted
16-04-2020 10:39
General
-
Target
1.ps1
-
Size
1.5MB
-
MD5
8336572266de59a362177d39dfd212be
-
SHA1
9b2cea93d845507cd7cd7abde1b5fcc8218a3d76
-
SHA256
b692668c4cb71b1029d7a0b062fa5177fff06105da3a35c070466fa3992f7081
-
SHA512
fcfcc5869e5248da747bc9a68d5cbc695892634ed81dd130a9ffbd487ce70a8a5991c6309dafc2a6f32ba2a2c2c0997d2f4fa373ac6b9e405f6636c91f5c16d4
Score
3/10
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
-
Program crash 1 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\1.ps11⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\00ezayrv\00ezayrv.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86C4.tmp" "c:\Users\Admin\AppData\Local\Temp\00ezayrv\CSCD71D6A3221DB4C8B985413688D56319.TMP"3⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5mbdv1t3\5mbdv1t3.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES879E.tmp" "c:\Users\Admin\AppData\Local\Temp\5mbdv1t3\CSC720E609714E34FA48DFE6A385839CA2D.TMP"3⤵
-
C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe"C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe" -NonInteractive -NoProfile -file C:\Users\Admin\AppData\Local\Temp\1.ps12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 7083⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Program crash
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\00ezayrv\00ezayrv.dll
-
C:\Users\Admin\AppData\Local\Temp\5mbdv1t3\5mbdv1t3.dll
-
C:\Users\Admin\AppData\Local\Temp\RES86C4.tmp
-
C:\Users\Admin\AppData\Local\Temp\RES879E.tmp
-
\??\c:\Users\Admin\AppData\Local\Temp\00ezayrv\00ezayrv.0.cs
-
\??\c:\Users\Admin\AppData\Local\Temp\00ezayrv\00ezayrv.cmdline
-
\??\c:\Users\Admin\AppData\Local\Temp\00ezayrv\CSCD71D6A3221DB4C8B985413688D56319.TMP
-
\??\c:\Users\Admin\AppData\Local\Temp\5mbdv1t3\5mbdv1t3.0.cs
-
\??\c:\Users\Admin\AppData\Local\Temp\5mbdv1t3\5mbdv1t3.cmdline
-
\??\c:\Users\Admin\AppData\Local\Temp\5mbdv1t3\CSC720E609714E34FA48DFE6A385839CA2D.TMP
-
memory/3544-10-0x0000000004CD0000-0x0000000004CD1000-memory.dmpFilesize
4KB
-
memory/3544-11-0x0000000005400000-0x0000000005401000-memory.dmpFilesize
4KB