63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806

General

Target

63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1
Size

1.6MB
MD5

c171bcd34151cbcd48edbce13796e0ed
SHA1

2770fec86275dfb1a4a05e2d56bc27a089197666
SHA256

63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806
SHA512

d25cbb70dae9bcc49d32c15300734879fe4c1b7ae35cb5affab50e8a61ae7226832b278d846f76f7eedc3a1baf35e2aec4e8c364eab99cddb00c2ffeb97283da

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1568	powershell.exe
1568	powershell.exe
1568	powershell.exe
1568	powershell.exe
3252	powershell.exe
3252	powershell.exe
3252	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	3252	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 4044	1568	powershell.exe	73
PID 1568 wrote to memory of 4044	1568	powershell.exe	73
PID 4044 wrote to memory of 1768	4044	csc.exe	74
PID 4044 wrote to memory of 1768	4044	csc.exe	74
PID 1568 wrote to memory of 3252	1568	powershell.exe	75
PID 1568 wrote to memory of 3252	1568	powershell.exe	75
PID 1568 wrote to memory of 3252	1568	powershell.exe	75
PID 3252 wrote to memory of 2024	3252	powershell.exe	79
PID 3252 wrote to memory of 2024	3252	powershell.exe	79
PID 3252 wrote to memory of 2024	3252	powershell.exe	79
PID 2024 wrote to memory of 1332	2024	csc.exe	80
PID 2024 wrote to memory of 1332	2024	csc.exe	80
PID 2024 wrote to memory of 1332	2024	csc.exe	80

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3tblyush\3tblyush.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B11.tmp" "c:\Users\Admin\AppData\Local\Temp\3tblyush\CSC9475ABF2C35D458A902CF8BC59E2C2.TMP"
    3⤵
    PID:1768
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806.ps1"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cynytwao\cynytwao.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA05C.tmp" "c:\Users\Admin\AppData\Local\Temp\cynytwao\CSC5AC2447FF71741D0BE9ED2F8DD21D044.TMP"
      4⤵
      PID:1332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1568-2-0x0000023B4D110000-0x0000023B4D111000-memory.dmp

Filesize
4KB

Download
memory/1568-10-0x0000023B4A6F0000-0x0000023B4A6F1000-memory.dmp

Filesize
4KB

Download
memory/1568-1-0x0000023B4A6C0000-0x0000023B4A6C1000-memory.dmp

Filesize
4KB

Download
memory/1568-0-0x00007FFD26B20000-0x00007FFD2750C000-memory.dmp

Filesize
9.9MB

Download
memory/3252-16-0x0000000007470000-0x0000000007471000-memory.dmp

Filesize
4KB

Download
memory/3252-17-0x0000000007390000-0x0000000007391000-memory.dmp

Filesize
4KB

Download
memory/3252-20-0x0000000007830000-0x0000000007831000-memory.dmp

Filesize
4KB

Download
memory/3252-21-0x0000000007E70000-0x0000000007E71000-memory.dmp

Filesize
4KB

Download
memory/3252-22-0x0000000007FB0000-0x0000000007FB1000-memory.dmp

Filesize
4KB

Download
memory/3252-23-0x000000000C430000-0x000000000C431000-memory.dmp

Filesize
4KB

Download
memory/3252-24-0x000000000BBE0000-0x000000000BBE1000-memory.dmp

Filesize
4KB

Download
memory/3252-18-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/3252-15-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

Filesize
4KB

Download
memory/3252-14-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/3252-13-0x00000000065F0000-0x00000000065F1000-memory.dmp

Filesize
4KB

Download
memory/3252-12-0x0000000072C90000-0x000000007337E000-memory.dmp

Filesize
6.9MB

Download
memory/3252-32-0x00000000067A0000-0x00000000067A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads