3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80

General

Target

3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80.ps1
Size

1.4MB
MD5

d87fcd8d2bf450b0056a151e9a116f72
SHA1

48cb6bdbe092e5a90c778114b2dda43ce3221c9f
SHA256

3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80
SHA512

61a636aca3d224dcd2ed29ca000cf0ecf88f51ffd7cb5182ea4599c9e889cb74b78824d93c7383457bd6d591506202527d44c6a15c93a9ab9cfc8230faddd04b

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

976 1960 WerFault.exe powershell.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exeWerFault.exe

pid process

1184 powershell.exe
1184 powershell.exe
1960 powershell.exe
976 WerFault.exe
976 WerFault.exe
976 WerFault.exe
976 WerFault.exe
976 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

976 WerFault.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 1184 powershell.exe
Token: SeDebugPrivilege 1960 powershell.exe
Token: SeDebugPrivilege 976 WerFault.exe

pid	pid_target	process	target process
976	1960	WerFault.exe	powershell.exe

pid	process
1184	powershell.exe
1184	powershell.exe
1960	powershell.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe

pid	process
976	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	976	WerFault.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

powershell.execsc.exepowershell.execsc.exe

description	pid	process	target process
PID 1184 wrote to memory of 1860	1184	powershell.exe	csc.exe
PID 1184 wrote to memory of 1860	1184	powershell.exe	csc.exe
PID 1184 wrote to memory of 1860	1184	powershell.exe	csc.exe
PID 1860 wrote to memory of 1844	1860	csc.exe	cvtres.exe
PID 1860 wrote to memory of 1844	1860	csc.exe	cvtres.exe
PID 1860 wrote to memory of 1844	1860	csc.exe	cvtres.exe
PID 1184 wrote to memory of 1960	1184	powershell.exe	powershell.exe
PID 1184 wrote to memory of 1960	1184	powershell.exe	powershell.exe
PID 1184 wrote to memory of 1960	1184	powershell.exe	powershell.exe
PID 1184 wrote to memory of 1960	1184	powershell.exe	powershell.exe
PID 1960 wrote to memory of 1352	1960	powershell.exe	csc.exe
PID 1960 wrote to memory of 1352	1960	powershell.exe	csc.exe
PID 1960 wrote to memory of 1352	1960	powershell.exe	csc.exe
PID 1960 wrote to memory of 1352	1960	powershell.exe	csc.exe
PID 1352 wrote to memory of 852	1352	csc.exe	cvtres.exe
PID 1352 wrote to memory of 852	1352	csc.exe	cvtres.exe
PID 1352 wrote to memory of 852	1352	csc.exe	cvtres.exe
PID 1352 wrote to memory of 852	1352	csc.exe	cvtres.exe
PID 1960 wrote to memory of 976	1960	powershell.exe	WerFault.exe
PID 1960 wrote to memory of 976	1960	powershell.exe	WerFault.exe
PID 1960 wrote to memory of 976	1960	powershell.exe	WerFault.exe
PID 1960 wrote to memory of 976	1960	powershell.exe	WerFault.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p55l3ixk\p55l3ixk.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4615.tmp" "c:\Users\Admin\AppData\Local\Temp\p55l3ixk\CSC867CC9E196254607BA18F6A5DD63143F.TMP"
3⤵
PID:1844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l3nzxfpj\l3nzxfpj.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES672C.tmp" "c:\Users\Admin\AppData\Local\Temp\l3nzxfpj\CSC82C3CB0A8B24C439B3ECE1423DB5587.TMP"
4⤵
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 1580
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:976

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4615.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES672C.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\l3nzxfpj\l3nzxfpj.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\p55l3ixk\p55l3ixk.dll

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l3nzxfpj\CSC82C3CB0A8B24C439B3ECE1423DB5587.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l3nzxfpj\l3nzxfpj.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l3nzxfpj\l3nzxfpj.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p55l3ixk\CSC867CC9E196254607BA18F6A5DD63143F.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p55l3ixk\p55l3ixk.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p55l3ixk\p55l3ixk.cmdline

Download Submit
memory/852-47-0x0000000000000000-mapping.dmp

Download
memory/976-52-0x0000000000000000-mapping.dmp

Download
memory/976-53-0x0000000001E30000-0x0000000001E41000-memory.dmp

Filesize
68KB

Download
memory/976-68-0x0000000002740000-0x0000000002751000-memory.dmp

Filesize
68KB

Download
memory/976-69-0x0000000002740000-0x0000000002751000-memory.dmp

Filesize
68KB

Download
memory/1184-13-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/1184-0-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

Filesize
9.9MB

Download
memory/1184-5-0x000000001C250000-0x000000001C251000-memory.dmp

Filesize
4KB

Download
memory/1184-4-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1184-3-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1184-2-0x000000001AC30000-0x000000001AC31000-memory.dmp

Filesize
4KB

Download
memory/1184-1-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/1352-44-0x0000000000000000-mapping.dmp

Download
memory/1844-9-0x0000000000000000-mapping.dmp

Download
memory/1860-6-0x0000000000000000-mapping.dmp

Download
memory/1960-56-0x0000000000000000-mapping.dmp

Download
memory/1960-27-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/1960-57-0x0000000000000000-mapping.dmp

Download
memory/1960-58-0x0000000000000000-mapping.dmp

Download
memory/1960-18-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/1960-17-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/1960-16-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1960-51-0x0000000006640000-0x0000000006641000-memory.dmp

Filesize
4KB

Download
memory/1960-15-0x0000000072D30000-0x000000007341E000-memory.dmp

Filesize
6.9MB

Download
memory/1960-14-0x0000000000000000-mapping.dmp

Download
memory/1960-54-0x0000000000000000-mapping.dmp

Download
memory/1960-55-0x0000000000000000-mapping.dmp

Download
memory/1960-41-0x0000000006550000-0x0000000006551000-memory.dmp

Filesize
4KB

Download
memory/1960-32-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/1960-19-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1960-59-0x0000000000000000-mapping.dmp

Download
memory/1960-60-0x0000000000000000-mapping.dmp

Download
memory/1960-61-0x0000000000000000-mapping.dmp

Download
memory/1960-62-0x0000000000000000-mapping.dmp

Download
memory/1960-63-0x0000000000000000-mapping.dmp

Download
memory/1960-64-0x0000000000000000-mapping.dmp

Download
memory/1960-65-0x0000000000000000-mapping.dmp

Download
memory/1960-66-0x0000000000000000-mapping.dmp

Download
memory/1960-67-0x0000000000000000-mapping.dmp

Download
memory/1960-33-0x0000000006480000-0x0000000006481000-memory.dmp

Filesize
4KB

Download
memory/1960-40-0x0000000006530000-0x0000000006531000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads