Overview

overview

10

Static

static

63ba6db8c8...06.ps1

windows7_x64

10

63ba6db8c8...06.ps1

windows10_x64

1

Analysis

  • max time kernel
    27s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    01/10/2020, 09:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1

  • Size

    1.6MB

  • MD5

    c171bcd34151cbcd48edbce13796e0ed

  • SHA1

    2770fec86275dfb1a4a05e2d56bc27a089197666

  • SHA256

    63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806

  • SHA512

    d25cbb70dae9bcc49d32c15300734879fe4c1b7ae35cb5affab50e8a61ae7226832b278d846f76f7eedc3a1baf35e2aec4e8c364eab99cddb00c2ffeb97283da

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3908
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wcudehoz\wcudehoz.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3836
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8EF7.tmp" "c:\Users\Admin\AppData\Local\Temp\wcudehoz\CSC45A1289538594343BBD88726FC33A719.TMP"
        3⤵
          PID:3804
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1884
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f33tvzjk\f33tvzjk.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2384
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB08.tmp" "c:\Users\Admin\AppData\Local\Temp\f33tvzjk\CSCB70919C3539D4DDCA1BBB7CB6A558D67.TMP"
            4⤵
              PID:3832

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1884-16-0x0000000007740000-0x0000000007741000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1884-22-0x0000000008760000-0x0000000008761000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1884-13-0x00000000070B0000-0x00000000070B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1884-14-0x0000000007870000-0x0000000007871000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1884-15-0x00000000074A0000-0x00000000074A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1884-32-0x00000000072C0000-0x00000000072C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1884-17-0x0000000008080000-0x0000000008081000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1884-18-0x00000000080F0000-0x00000000080F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1884-20-0x0000000007850000-0x0000000007851000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1884-21-0x0000000008860000-0x0000000008861000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1884-12-0x00000000734B0000-0x0000000073B9E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1884-23-0x000000000CF40000-0x000000000CF41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1884-24-0x000000000C6D0000-0x000000000C6D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3908-10-0x000002485B060000-0x000002485B061000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3908-2-0x000002485B0B0000-0x000002485B0B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3908-1-0x0000024840BE0000-0x0000024840BE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3908-0-0x00007FF9C6080000-0x00007FF9C6A6C000-memory.dmp

        Filesize

        9.9MB

        Download