63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806

General

Target

SunCrypt.ps1
Size

1.6MB
MD5

c171bcd34151cbcd48edbce13796e0ed
SHA1

2770fec86275dfb1a4a05e2d56bc27a089197666
SHA256

63ba6db8c81c60dd9f1a0c7c4a4c51e2e56883f063509ed7b543ad7651fd8806
SHA512

d25cbb70dae9bcc49d32c15300734879fe4c1b7ae35cb5affab50e8a61ae7226832b278d846f76f7eedc3a1baf35e2aec4e8c364eab99cddb00c2ffeb97283da

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3888	powershell.exe
3888	powershell.exe
3888	powershell.exe
3888	powershell.exe
2144	powershell.exe
2144	powershell.exe
2144	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3888	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 1532	3888	powershell.exe	73
PID 3888 wrote to memory of 1532	3888	powershell.exe	73
PID 1532 wrote to memory of 1860	1532	csc.exe	74
PID 1532 wrote to memory of 1860	1532	csc.exe	74
PID 3888 wrote to memory of 2144	3888	powershell.exe	75
PID 3888 wrote to memory of 2144	3888	powershell.exe	75
PID 3888 wrote to memory of 2144	3888	powershell.exe	75
PID 2144 wrote to memory of 2612	2144	powershell.exe	79
PID 2144 wrote to memory of 2612	2144	powershell.exe	79
PID 2144 wrote to memory of 2612	2144	powershell.exe	79
PID 2612 wrote to memory of 2368	2612	csc.exe	80
PID 2612 wrote to memory of 2368	2612	csc.exe	80
PID 2612 wrote to memory of 2368	2612	csc.exe	80

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\SunCrypt.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0opasrvn\0opasrvn.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50A6.tmp" "c:\Users\Admin\AppData\Local\Temp\0opasrvn\CSC6FE04D4CB042C8A6EDAFF7FB835DA4.TMP"
    3⤵
    PID:1860
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\SunCrypt.ps1"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gojft3qm\gojft3qm.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74D8.tmp" "c:\Users\Admin\AppData\Local\Temp\gojft3qm\CSC69A3CFB1997D4631BDB3B2A2CFE043E8.TMP"
      4⤵
      PID:2368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2144-16-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/2144-22-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/2144-15-0x0000000006C00000-0x0000000006C01000-memory.dmp

Filesize
4KB

Download
memory/2144-32-0x000000000B920000-0x000000000B921000-memory.dmp

Filesize
4KB

Download
memory/2144-17-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/2144-18-0x0000000007580000-0x0000000007581000-memory.dmp

Filesize
4KB

Download
memory/2144-13-0x0000000004620000-0x0000000004621000-memory.dmp

Filesize
4KB

Download
memory/2144-20-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

Filesize
4KB

Download
memory/2144-21-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

Filesize
4KB

Download
memory/2144-14-0x0000000006EE0000-0x0000000006EE1000-memory.dmp

Filesize
4KB

Download
memory/2144-23-0x000000000C480000-0x000000000C481000-memory.dmp

Filesize
4KB

Download
memory/2144-24-0x000000000BA30000-0x000000000BA31000-memory.dmp

Filesize
4KB

Download
memory/2144-12-0x00000000736D0000-0x0000000073DBE000-memory.dmp

Filesize
6.9MB

Download
memory/3888-10-0x000001B375330000-0x000001B375331000-memory.dmp

Filesize
4KB

Download
memory/3888-2-0x000001B375380000-0x000001B375381000-memory.dmp

Filesize
4KB

Download
memory/3888-1-0x000001B3730F0000-0x000001B3730F1000-memory.dmp

Filesize
4KB

Download
memory/3888-0-0x00007FF8C3870000-0x00007FF8C425C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads