3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80

General

Target

3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80.ps1
Size

1.4MB
MD5

d87fcd8d2bf450b0056a151e9a116f72
SHA1

48cb6bdbe092e5a90c778114b2dda43ce3221c9f
SHA256

3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80
SHA512

61a636aca3d224dcd2ed29ca000cf0ecf88f51ffd7cb5182ea4599c9e889cb74b78824d93c7383457bd6d591506202527d44c6a15c93a9ab9cfc8230faddd04b

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exe

pid process

2096 powershell.exe
2096 powershell.exe
2096 powershell.exe
2096 powershell.exe
3376 powershell.exe
3376 powershell.exe
3376 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2096 powershell.exe
Token: SeDebugPrivilege 3376 powershell.exe

pid	process
2096	powershell.exe
2096	powershell.exe
2096	powershell.exe
2096	powershell.exe
3376	powershell.exe
3376	powershell.exe
3376	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	3376	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

powershell.execsc.exepowershell.execsc.exe

description	pid	process	target process
PID 2096 wrote to memory of 3988	2096	powershell.exe	csc.exe
PID 2096 wrote to memory of 3988	2096	powershell.exe	csc.exe
PID 3988 wrote to memory of 3708	3988	csc.exe	cvtres.exe
PID 3988 wrote to memory of 3708	3988	csc.exe	cvtres.exe
PID 2096 wrote to memory of 3376	2096	powershell.exe	powershell.exe
PID 2096 wrote to memory of 3376	2096	powershell.exe	powershell.exe
PID 2096 wrote to memory of 3376	2096	powershell.exe	powershell.exe
PID 3376 wrote to memory of 1596	3376	powershell.exe	csc.exe
PID 3376 wrote to memory of 1596	3376	powershell.exe	csc.exe
PID 3376 wrote to memory of 1596	3376	powershell.exe	csc.exe
PID 1596 wrote to memory of 3260	1596	csc.exe	cvtres.exe
PID 1596 wrote to memory of 3260	1596	csc.exe	cvtres.exe
PID 1596 wrote to memory of 3260	1596	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3litlsg5\3litlsg5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6111.tmp" "c:\Users\Admin\AppData\Local\Temp\3litlsg5\CSCFD6B1E76B1A8471F854223D392347.TMP"
    3⤵
    PID:3708
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80.ps1"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jqrrdj5q\jqrrdj5q.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB4E.tmp" "c:\Users\Admin\AppData\Local\Temp\jqrrdj5q\CSC17F96824681E41E58A41E252ACA9FD39.TMP"
      4⤵
      PID:3260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Temp\3litlsg5\3litlsg5.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6111.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFB4E.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqrrdj5q\jqrrdj5q.dll

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3litlsg5\3litlsg5.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3litlsg5\3litlsg5.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3litlsg5\CSCFD6B1E76B1A8471F854223D392347.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jqrrdj5q\CSC17F96824681E41E58A41E252ACA9FD39.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jqrrdj5q\jqrrdj5q.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jqrrdj5q\jqrrdj5q.cmdline

Download Submit
memory/1596-25-0x0000000000000000-mapping.dmp

Download
memory/2096-2-0x00000248ED0A0000-0x00000248ED0A1000-memory.dmp

Filesize
4KB

Download
memory/2096-1-0x00000248EA430000-0x00000248EA431000-memory.dmp

Filesize
4KB

Download
memory/2096-10-0x00000248EA480000-0x00000248EA481000-memory.dmp

Filesize
4KB

Download
memory/2096-0-0x00007FFB5EA90000-0x00007FFB5F47C000-memory.dmp

Filesize
9.9MB

Download
memory/3260-28-0x0000000000000000-mapping.dmp

Download
memory/3376-16-0x00000000075D0000-0x00000000075D1000-memory.dmp

Filesize
4KB

Download
memory/3376-24-0x000000000AC50000-0x000000000AC51000-memory.dmp

Filesize
4KB

Download
memory/3376-17-0x0000000007640000-0x0000000007641000-memory.dmp

Filesize
4KB

Download
memory/3376-20-0x00000000076D0000-0x00000000076D1000-memory.dmp

Filesize
4KB

Download
memory/3376-21-0x00000000076F0000-0x00000000076F1000-memory.dmp

Filesize
4KB

Download
memory/3376-22-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

Filesize
4KB

Download
memory/3376-23-0x000000000B790000-0x000000000B791000-memory.dmp

Filesize
4KB

Download
memory/3376-18-0x0000000007790000-0x0000000007791000-memory.dmp

Filesize
4KB

Download
memory/3376-15-0x0000000006DC0000-0x0000000006DC1000-memory.dmp

Filesize
4KB

Download
memory/3376-14-0x0000000006E30000-0x0000000006E31000-memory.dmp

Filesize
4KB

Download
memory/3376-13-0x00000000067B0000-0x00000000067B1000-memory.dmp

Filesize
4KB

Download
memory/3376-12-0x0000000072A50000-0x000000007313E000-memory.dmp

Filesize
6.9MB

Download
memory/3376-11-0x0000000000000000-mapping.dmp

Download
memory/3376-32-0x000000000ABB0000-0x000000000ABB1000-memory.dmp

Filesize
4KB

Download
memory/3708-6-0x0000000000000000-mapping.dmp

Download
memory/3988-3-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads