63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806

Analysis

max time kernel
25s
max time network
112s
platform
windows10_x64
resource
win10v200722
submitted
05-10-2020 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1
Size

1.6MB
MD5

c171bcd34151cbcd48edbce13796e0ed
SHA1

2770fec86275dfb1a4a05e2d56bc27a089197666
SHA256

63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806
SHA512

d25cbb70dae9bcc49d32c15300734879fe4c1b7ae35cb5affab50e8a61ae7226832b278d846f76f7eedc3a1baf35e2aec4e8c364eab99cddb00c2ffeb97283da

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exe

pid process

1568 powershell.exe
1568 powershell.exe
1568 powershell.exe
1568 powershell.exe
3252 powershell.exe
3252 powershell.exe
3252 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1568 powershell.exe
Token: SeDebugPrivilege 3252 powershell.exe

pid	process
1568	powershell.exe
1568	powershell.exe
1568	powershell.exe
1568	powershell.exe
3252	powershell.exe
3252	powershell.exe
3252	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	3252	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

powershell.execsc.exepowershell.execsc.exe

description	pid	process	target process
PID 1568 wrote to memory of 4044	1568	powershell.exe	csc.exe
PID 1568 wrote to memory of 4044	1568	powershell.exe	csc.exe
PID 4044 wrote to memory of 1768	4044	csc.exe	cvtres.exe
PID 4044 wrote to memory of 1768	4044	csc.exe	cvtres.exe
PID 1568 wrote to memory of 3252	1568	powershell.exe	powershell.exe
PID 1568 wrote to memory of 3252	1568	powershell.exe	powershell.exe
PID 1568 wrote to memory of 3252	1568	powershell.exe	powershell.exe
PID 3252 wrote to memory of 2024	3252	powershell.exe	csc.exe
PID 3252 wrote to memory of 2024	3252	powershell.exe	csc.exe
PID 3252 wrote to memory of 2024	3252	powershell.exe	csc.exe
PID 2024 wrote to memory of 1332	2024	csc.exe	cvtres.exe
PID 2024 wrote to memory of 1332	2024	csc.exe	cvtres.exe
PID 2024 wrote to memory of 1332	2024	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3tblyush\3tblyush.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B11.tmp" "c:\Users\Admin\AppData\Local\Temp\3tblyush\CSC9475ABF2C35D458A902CF8BC59E2C2.TMP"
    3⤵
    PID:1768
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cynytwao\cynytwao.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA05C.tmp" "c:\Users\Admin\AppData\Local\Temp\cynytwao\CSC5AC2447FF71741D0BE9ED2F8DD21D044.TMP"
      4⤵
      PID:1332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
5c48cf30d9ad9b0f42823a31c1873ef7

SHA1
ed59ff8dd849399932f06261fbfbdb0d0f1cb6d8

SHA256
2fee76a7de952559fe0d96e1f30e1cde374b810df3c97c7db7bf5d2ffe3dce6a

SHA512
0ac0b2075789b08af3c1b17171aa6065510b1bb3e07b0d2b420343659189f736900f5e47d8209eb8e18ae1c50ac513bd72fdbd6f1abfab47464d08426137d480

Download Submit
C:\Users\Admin\AppData\Local\Temp\3tblyush\3tblyush.dll

MD5
8959ff35cc98f835a2092f72efcf4d70

SHA1
3d4dd2a9117eb4578052cd1b78c242c090be82e4

SHA256
bcb085030d7632d0f634871262069ab187604bf8fa80f5fd5131007a4bce9de1

SHA512
db9c5a97c23938c8b6df47202b0c556a85a54ea0d1ab7483013b9bbb254086919a09e3405144b8fe73e90e21acada12f159863a9c6058c7635002b0cdf1fb0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7B11.tmp

MD5
ad7d83099add7aa10f464d59c9c9cded

SHA1
103c8945fc970bb81752831c001d9227d8f495e2

SHA256
62546533a3e6725085844bd2aba9486e7c9935a0d1e36147bc288388dc4d0e80

SHA512
24fb4b35bd6b108974c1f88110581544f653c361e6a241cbbda6db48844bc7a2c6006e619303d1e9b1d3ff43ed512c7d7ae000436d58bc08aba0d018adab463a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA05C.tmp

MD5
74649cb719aeb8f7aa03a7d6e7a2b413

SHA1
2b154a868179c0aff80df80b1bd463ce5a0a1498

SHA256
a487808a0425a195d43961697dd26d213ad201942b550ad72c057311fed88165

SHA512
21dad30ae245c6dcea124bd684439b69f448ff8c7dbe5935969521019851b74a39a69de88738e72509ee78a71bd94cd1d2c61ef6bc59735abf41cb51a4614600

Download Submit
C:\Users\Admin\AppData\Local\Temp\cynytwao\cynytwao.dll

MD5
228a5fd43bcbe449646299f56b93158d

SHA1
471ff0dea913e8a128e36b8fcb65f38cd9a65f01

SHA256
c90069b0177b3c52dfcaaf5f67436bf331b2e837ad75171cfcf74627af049f87

SHA512
38ed5c188658b122dd49480cbc0446e43f718ca339709a1a175a110e9229a6c902b95bc19404575d0d6482ca974528395c7d30016084ae0addacb0e6b915f5fb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3tblyush\3tblyush.0.cs

MD5
caf98c9f9cc2c02cdc79eb3409a36bc5

SHA1
aae6131763eaace982ee93fb15ee0eff45a034d2

SHA256
dc072944363d6db027de28c9412f96e4655e460989789c99e3a1992daded7499

SHA512
74845d305b1de1a0decaca325bc98de0cebaee677b6a70d492a0ba3ade21e9f9f0e145687a1f6ff89ada6657f77c47a8f140bf1d610c661738a2c64ada3a132f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3tblyush\3tblyush.cmdline

MD5
74b98890222bfbba60ade90f8ecb7292

SHA1
765cd7db3fa2e43cbc2b6165458eb31b414313f3

SHA256
1a8186b965a8fca781f26bc9b5c294d7a8cb6f834ed7d9a88c15bcf301793294

SHA512
8ec23048e83296bd496fdff0a57c2dad3cd2a52042a335d77628a37dca9b21a22ec1d727917cf2560ebfe6a151589c5644c7dcdd5229bb0382cced15138241a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3tblyush\CSC9475ABF2C35D458A902CF8BC59E2C2.TMP

MD5
5f38e9ba325cc04ba44ae127ce652767

SHA1
d1a46f062778327cb6562b51ac8df648b615760c

SHA256
483ad6e1505571682289cbbc59a68433da517c4165bdc77d33486163929b6a54

SHA512
2df7c280a913fc6119fc538b84571db5be39a3eb45527e235cd2f79636a64ceab14803def25872c4ce64072e9046d32219961f73ea8b63d2e1ab9ec8c4403a93

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cynytwao\CSC5AC2447FF71741D0BE9ED2F8DD21D044.TMP

MD5
0e9d55ed57536f7cc167380edcfa6151

SHA1
ca444cf9c3f7db6852b30c80fc78c0baf9169cc1

SHA256
f12a0a84b479b948522facfb8f03ec6fb7e63a5c88024fb7710517a484e4e07c

SHA512
24d8fcff48c3697ad534558e3e224499c6edec548cefe1b3f1483b2b89cb682a239bd18c563e3b9c1692b9e9816bc7e23df6b675046facaa9b604297617c8bf9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cynytwao\cynytwao.0.cs

MD5
caf98c9f9cc2c02cdc79eb3409a36bc5

SHA1
aae6131763eaace982ee93fb15ee0eff45a034d2

SHA256
dc072944363d6db027de28c9412f96e4655e460989789c99e3a1992daded7499

SHA512
74845d305b1de1a0decaca325bc98de0cebaee677b6a70d492a0ba3ade21e9f9f0e145687a1f6ff89ada6657f77c47a8f140bf1d610c661738a2c64ada3a132f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cynytwao\cynytwao.cmdline

MD5
5733ff5c9a50272aa761f5022dd6caa7

SHA1
c8665d88b158ac47cf9846aa8a4737c065e16b6a

SHA256
e57c8f5b18d06a32a700178b7c23b437d95abc228d20c6a28626f8ecbbc182be

SHA512
3881f5e4498d1788e38acfdd8aa0e7b7047d1cd7db5636bb70aa966d1154e4f411f4e25ebc9e0580b61b88ff7061db94977449b3acb9e6a06200d798862ccf70

Download Submit
memory/1332-28-0x0000000000000000-mapping.dmp

Download
memory/1568-2-0x0000023B4D110000-0x0000023B4D111000-memory.dmp

Filesize
4KB

Download
memory/1568-10-0x0000023B4A6F0000-0x0000023B4A6F1000-memory.dmp

Filesize
4KB

Download
memory/1568-1-0x0000023B4A6C0000-0x0000023B4A6C1000-memory.dmp

Filesize
4KB

Download
memory/1568-0-0x00007FFD26B20000-0x00007FFD2750C000-memory.dmp

Filesize
9.9MB

Download
memory/1768-6-0x0000000000000000-mapping.dmp

Download
memory/2024-25-0x0000000000000000-mapping.dmp

Download
memory/3252-16-0x0000000007470000-0x0000000007471000-memory.dmp

Filesize
4KB

Download
memory/3252-17-0x0000000007390000-0x0000000007391000-memory.dmp

Filesize
4KB

Download
memory/3252-20-0x0000000007830000-0x0000000007831000-memory.dmp

Filesize
4KB

Download
memory/3252-21-0x0000000007E70000-0x0000000007E71000-memory.dmp

Filesize
4KB

Download
memory/3252-22-0x0000000007FB0000-0x0000000007FB1000-memory.dmp

Filesize
4KB

Download
memory/3252-23-0x000000000C430000-0x000000000C431000-memory.dmp

Filesize
4KB

Download
memory/3252-24-0x000000000BBE0000-0x000000000BBE1000-memory.dmp

Filesize
4KB

Download
memory/3252-18-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/3252-15-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

Filesize
4KB

Download
memory/3252-14-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/3252-13-0x00000000065F0000-0x00000000065F1000-memory.dmp

Filesize
4KB

Download
memory/3252-12-0x0000000072C90000-0x000000007337E000-memory.dmp

Filesize
6.9MB

Download
memory/3252-11-0x0000000000000000-mapping.dmp

Download
memory/3252-32-0x00000000067A0000-0x00000000067A1000-memory.dmp

Filesize
4KB

Download
memory/4044-3-0x0000000000000000-mapping.dmp

Download