63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806

Analysis

max time kernel
27s
max time network
150s
platform
windows10_x64
resource
win10v200722
submitted
01-10-2020 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1
Size

1.6MB
MD5

c171bcd34151cbcd48edbce13796e0ed
SHA1

2770fec86275dfb1a4a05e2d56bc27a089197666
SHA256

63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806
SHA512

d25cbb70dae9bcc49d32c15300734879fe4c1b7ae35cb5affab50e8a61ae7226832b278d846f76f7eedc3a1baf35e2aec4e8c364eab99cddb00c2ffeb97283da

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exe

pid process

3908 powershell.exe
3908 powershell.exe
3908 powershell.exe
3908 powershell.exe
1884 powershell.exe
1884 powershell.exe
1884 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3908 powershell.exe
Token: SeDebugPrivilege 1884 powershell.exe

pid	process
3908	powershell.exe
3908	powershell.exe
3908	powershell.exe
3908	powershell.exe
1884	powershell.exe
1884	powershell.exe
1884	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

powershell.execsc.exepowershell.execsc.exe

description	pid	process	target process
PID 3908 wrote to memory of 3836	3908	powershell.exe	csc.exe
PID 3908 wrote to memory of 3836	3908	powershell.exe	csc.exe
PID 3836 wrote to memory of 3804	3836	csc.exe	cvtres.exe
PID 3836 wrote to memory of 3804	3836	csc.exe	cvtres.exe
PID 3908 wrote to memory of 1884	3908	powershell.exe	powershell.exe
PID 3908 wrote to memory of 1884	3908	powershell.exe	powershell.exe
PID 3908 wrote to memory of 1884	3908	powershell.exe	powershell.exe
PID 1884 wrote to memory of 2384	1884	powershell.exe	csc.exe
PID 1884 wrote to memory of 2384	1884	powershell.exe	csc.exe
PID 1884 wrote to memory of 2384	1884	powershell.exe	csc.exe
PID 2384 wrote to memory of 3832	2384	csc.exe	cvtres.exe
PID 2384 wrote to memory of 3832	2384	csc.exe	cvtres.exe
PID 2384 wrote to memory of 3832	2384	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wcudehoz\wcudehoz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8EF7.tmp" "c:\Users\Admin\AppData\Local\Temp\wcudehoz\CSC45A1289538594343BBD88726FC33A719.TMP"
    3⤵
    PID:3804
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f33tvzjk\f33tvzjk.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB08.tmp" "c:\Users\Admin\AppData\Local\Temp\f33tvzjk\CSCB70919C3539D4DDCA1BBB7CB6A558D67.TMP"
      4⤵
      PID:3832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
0183029cd5fb8bc47e37241ec8e5d64d

SHA1
cea6e5dc95b27cfcb8a0da4ff19410ba84517154

SHA256
5e7ed4516658644a93e27f146cbcf752f02ce1dca88f56ed0a1ee647898699dd

SHA512
4ec91cea374bcc8cc088e89bf0930c16dcd26c5c6fe6b43f195967a0714551c475e891b95023c2002ed1095f55c1bf82c8d9a5b164f8ee2c781d1958731ff5e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8EF7.tmp

MD5
1cb3e7cabe6a98b086823edeb0d9796b

SHA1
29030f9e3d35ad97010ad4ed033c45ddb85c2061

SHA256
558db858d9be6db5811934b2d9e4ead4e3679576cba147f7eef03c3f56613062

SHA512
4812f66752e681b79d4835144c1ee8408046104761bac2b54d431e294c4bf7552acbd250c7722aaa9290bf048af732cb01f9a16e98f38af4058db83b3dac0703

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBB08.tmp

MD5
bd75398407f448d043b14197471d3768

SHA1
e7fff2fa305aee420c21e2b481056b470d3dc807

SHA256
b6104846ec365066eb2c75648a526e189dce13a53f8d8bee574260cf3b12fa96

SHA512
7f9c4d291d4568675212150547f850187a2bb87fd2f6b251b38706d05d54996fc68a844222448691e881547da866aa4652d8bbbf07f2293a4dfd72c6c660da9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f33tvzjk\f33tvzjk.dll

MD5
19072bf58bb1b2e51e8ea6d1f95ec3a8

SHA1
7c679c46e611ded1852c46a027c6a7f7a386d1d9

SHA256
0674ff6104d61c5608ab3abfbabcbb643e5037707844d9c22778066352a75225

SHA512
92024868763fd541510ed23bc4c5c6161fd53ef90135f308c7f48a97df79140898fbdd10e9b8c7243801bd167eabe488df6460307fbb6d4d609dea88a1796a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcudehoz\wcudehoz.dll

MD5
4863e46cdb796539c5db45721f8afc19

SHA1
e1f5deca8ce16d5b18ee053643812745559f8a81

SHA256
098f6b68fea0ce59e7fe3349d8cb98479bff8912dbe5536639d233514aad1cb6

SHA512
ca59f559e3c87e5bcdcad9f46c31f51e0486df1b9cd9e32ea03107772b1b80d2dff089769dd4728bfd386280831933bb8940ba47e6b835bb3992af7119c9a966

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f33tvzjk\CSCB70919C3539D4DDCA1BBB7CB6A558D67.TMP

MD5
f08a90e91f238dfd575b856aec177425

SHA1
92f1133cdc5f48b942a905b937103486a42a55ec

SHA256
5f26960d1106f720997d7a0175bcde4e2d130df4db031a3ec7418fab29eaaadc

SHA512
4a92bebf605c33462ac6df268cc73d42919adbb077e7c6d9993e6f29ae52110c52193faf8dcca878f6c4ad15d08d1aab67415eef9239cc6db4fad6d474b8455a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f33tvzjk\f33tvzjk.0.cs

MD5
caf98c9f9cc2c02cdc79eb3409a36bc5

SHA1
aae6131763eaace982ee93fb15ee0eff45a034d2

SHA256
dc072944363d6db027de28c9412f96e4655e460989789c99e3a1992daded7499

SHA512
74845d305b1de1a0decaca325bc98de0cebaee677b6a70d492a0ba3ade21e9f9f0e145687a1f6ff89ada6657f77c47a8f140bf1d610c661738a2c64ada3a132f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f33tvzjk\f33tvzjk.cmdline

MD5
5c22ed857d938fcf329c5c285c72cc0a

SHA1
f3c4a75920ca40c09535be2ad653027e133c49f9

SHA256
4367b4263ff73c980f45b8ae8963b6dd4307e89f71a7756594c5b46303cd4915

SHA512
4717a4a0633554b1f9e926d3588f3333ccf677849329a5fee01bd608dd970d32767416ba31978a2b1d5052c862ab27e2fa3d302de2ffd70d882ba8fa4c88c0f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wcudehoz\CSC45A1289538594343BBD88726FC33A719.TMP

MD5
2b915e25db605f03b44d2eb2e0ef9ae7

SHA1
c0af72e3e455544f76701884748f1a432cb50f95

SHA256
1d1068cd95103580fd55e4fdc79e18a9c587d97ebea9fe4f72b67bca856dffee

SHA512
a60569075c3c63a6a075cb16388c6495c9d616325e1dadf6f0b0e8d826682aa0117e37ca9e824ed9329290e5c6ec81507bf2b870dc53eab9740f5917ac49950d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wcudehoz\wcudehoz.0.cs

MD5
caf98c9f9cc2c02cdc79eb3409a36bc5

SHA1
aae6131763eaace982ee93fb15ee0eff45a034d2

SHA256
dc072944363d6db027de28c9412f96e4655e460989789c99e3a1992daded7499

SHA512
74845d305b1de1a0decaca325bc98de0cebaee677b6a70d492a0ba3ade21e9f9f0e145687a1f6ff89ada6657f77c47a8f140bf1d610c661738a2c64ada3a132f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wcudehoz\wcudehoz.cmdline

MD5
12eca3ce3709422a9bcccfab9222e4fa

SHA1
d020c69895165449b8af3f19a3018668834ae749

SHA256
62fb98f1ab5671ef7d48e8e31f73b5d1d97bd65a6d25accbeba161585c5a847b

SHA512
0bfe472f1390c76553cc4049ae37155095974fadbd0ede32f2622b86e7256daf322900ad03bcfa4d17c13ca9f29a5336bcc0660832b477ff23b1ea7ba11f83c7

Download Submit
memory/1884-16-0x0000000007740000-0x0000000007741000-memory.dmp

Filesize
4KB

Download
memory/1884-22-0x0000000008760000-0x0000000008761000-memory.dmp

Filesize
4KB

Download
memory/1884-13-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/1884-14-0x0000000007870000-0x0000000007871000-memory.dmp

Filesize
4KB

Download
memory/1884-15-0x00000000074A0000-0x00000000074A1000-memory.dmp

Filesize
4KB

Download
memory/1884-32-0x00000000072C0000-0x00000000072C1000-memory.dmp

Filesize
4KB

Download
memory/1884-17-0x0000000008080000-0x0000000008081000-memory.dmp

Filesize
4KB

Download
memory/1884-18-0x00000000080F0000-0x00000000080F1000-memory.dmp

Filesize
4KB

Download
memory/1884-11-0x0000000000000000-mapping.dmp

Download
memory/1884-20-0x0000000007850000-0x0000000007851000-memory.dmp

Filesize
4KB

Download
memory/1884-21-0x0000000008860000-0x0000000008861000-memory.dmp

Filesize
4KB

Download
memory/1884-12-0x00000000734B0000-0x0000000073B9E000-memory.dmp

Filesize
6.9MB

Download
memory/1884-23-0x000000000CF40000-0x000000000CF41000-memory.dmp

Filesize
4KB

Download
memory/1884-24-0x000000000C6D0000-0x000000000C6D1000-memory.dmp

Filesize
4KB

Download
memory/2384-25-0x0000000000000000-mapping.dmp

Download
memory/3804-6-0x0000000000000000-mapping.dmp

Download
memory/3832-28-0x0000000000000000-mapping.dmp

Download
memory/3836-3-0x0000000000000000-mapping.dmp

Download
memory/3908-10-0x000002485B060000-0x000002485B061000-memory.dmp

Filesize
4KB

Download
memory/3908-2-0x000002485B0B0000-0x000002485B0B1000-memory.dmp

Filesize
4KB

Download
memory/3908-1-0x0000024840BE0000-0x0000024840BE1000-memory.dmp

Filesize
4KB

Download
memory/3908-0-0x00007FF9C6080000-0x00007FF9C6A6C000-memory.dmp

Filesize
9.9MB

Download