875473b38732ac69e3ebaaae4f6f4f3cb12534d4175de132c4eeeb97ba64d226

Analysis

max time kernel
20s
max time network
104s
platform
windows10_x64
resource
win10v20201028
submitted
08-03-2021 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

load.ps1
Size

1.4MB
MD5

09a05a2212bd2c0fe0e2881401fbff17
SHA1

fbb6f8dae1753cd2a282ee161bc5496486cc06f7
SHA256

b41a303a4caa71fa260dd601a796033d8bfebcaa6bd9dfd7ad956fac5229a735
SHA512

8d0dd3a7d6adaa690a3f7625a573b8c50cfa9d40fa17836b7e8ab8a10bfe67f4eaf0720cedda0c1d2986e7e70770a097ad8af2a9e24ccd595514a0384cbc275f

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exe

pid process

672 powershell.exe
672 powershell.exe
672 powershell.exe
672 powershell.exe
788 powershell.exe
788 powershell.exe
788 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 672 powershell.exe
Token: SeDebugPrivilege 788 powershell.exe

pid	process
672	powershell.exe
672	powershell.exe
672	powershell.exe
672	powershell.exe
788	powershell.exe
788	powershell.exe
788	powershell.exe

description	pid	process
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

powershell.execsc.exepowershell.execsc.exe

description	pid	process	target process
PID 672 wrote to memory of 3132	672	powershell.exe	csc.exe
PID 672 wrote to memory of 3132	672	powershell.exe	csc.exe
PID 3132 wrote to memory of 2500	3132	csc.exe	cvtres.exe
PID 3132 wrote to memory of 2500	3132	csc.exe	cvtres.exe
PID 672 wrote to memory of 788	672	powershell.exe	powershell.exe
PID 672 wrote to memory of 788	672	powershell.exe	powershell.exe
PID 672 wrote to memory of 788	672	powershell.exe	powershell.exe
PID 788 wrote to memory of 3272	788	powershell.exe	csc.exe
PID 788 wrote to memory of 3272	788	powershell.exe	csc.exe
PID 788 wrote to memory of 3272	788	powershell.exe	csc.exe
PID 3272 wrote to memory of 4068	3272	csc.exe	cvtres.exe
PID 3272 wrote to memory of 4068	3272	csc.exe	cvtres.exe
PID 3272 wrote to memory of 4068	3272	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\load.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uxhmkihl\uxhmkihl.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6EAE.tmp" "c:\Users\Admin\AppData\Local\Temp\uxhmkihl\CSC820FB15764874525962D4247456A1CCC.TMP"
    3⤵
    PID:2500
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\load.ps1"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dlscpl5c\dlscpl5c.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3272
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84C6.tmp" "c:\Users\Admin\AppData\Local\Temp\dlscpl5c\CSC4E9B62F4A8434C05898A355F0C1E886.TMP"
      4⤵
      PID:4068

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
2cfc23c0708a128589d2593dbc908e9e

SHA1
9f9f8c07628a00bf8ae6decf90121e5318e787d8

SHA256
db7529ff629d654056f16351d50dc5418cdd7c0c7f7ba37db8d89cead23385de

SHA512
237240b851f347d49d5ee5cc8aaab2467f643b1109fd9b3b661eb286564cd2d635544553e56875c38c7bf4ae67c8ff900da3beb4d88bd80c047a580c54e5600b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
4c41d99ce11de64a15949ebdc30c1723

SHA1
369449cdc4fde5a85687ee17b03ec69fccc54c4d

SHA256
e9b15ff17fc6b9d36c03d065640c3edf8b71f36442fb0540a1d1a72508ec5574

SHA512
c907c8600053f89e58e3ecfda41d33849919797ecf2a184f4f4f07f35f2e0b926c125c3fd5338d1ed46e86ae46bba2f3bd00264ce1ee6fc4c485090ccdf3cc3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6EAE.tmp

MD5
dff26bf25820ff28283b1db391ab8866

SHA1
c1370f4bf30c7f30a538d841980fa5e2cabead5f

SHA256
8859a5abf8f9053a08d9c85853798ef80cd463ec55f625ef5ac60747a88f91a8

SHA512
11963a95e8d65c84ac6e5396047f2a6d33934425ef19b575a951198a74f66bb0ceb64329abda3d9d51befea79f37badda85af519522909aadbc236a3271b4797

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES84C6.tmp

MD5
53f204b1301096eedc513528b3275801

SHA1
411b9237bb634b77fb588bc849f1230ac382afc1

SHA256
b7170ddbfce3cae8ebde510d31ffeb558ff72d7b9f4fc4d12043f8783740ce9e

SHA512
b617fe95131971613f8241a5ecd16bb7b8b77369695416986cd1b1fc812dfe7785ce3180d1dd6de38973a858ad968e9903b7929677776fd7570f42325c7a0561

Download Submit
C:\Users\Admin\AppData\Local\Temp\dlscpl5c\dlscpl5c.dll

MD5
79f95fe7534a79c80bfbe75e1e4b9b53

SHA1
39cb76000db634bd93a47ef6f785af0b639d2f08

SHA256
f721ae3704ac13806df39664149e0fb04a9a4f49b05754f656013242b1862b48

SHA512
a26a207396dfa0732416bb2a5ff450cd4062e8ea902d1352500e0f0c7500deb18320e73eefa30a34246cfe3af22ea64646de1d0477dc63590e7ad762504e184c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxhmkihl\uxhmkihl.dll

MD5
20f5ea88b38176edfe8772bb920d0e0d

SHA1
158f782811ee7bd2e6ed36f2436da237bd8b2476

SHA256
5664b0b28ac74b7f9d5748c9275ef3fc1d9fa30289a300c9d3566932f829d6e1

SHA512
04e381f2a9bb290d807adac5eba2b93f64f82d5e42e7eb632a1d0eb66d3544f6049d44412a13a996ebf123f9038008926ac0a9ec066c9d42246b076117eb0009

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dlscpl5c\CSC4E9B62F4A8434C05898A355F0C1E886.TMP

MD5
6974d52c4a6eda7b38553d85d6739e89

SHA1
99c8fc5937c89d093a1333523527545eed7c03fe

SHA256
9cab867f035914935cd5af7170fa71157450aa5804234f8e60b0aa7206c4a304

SHA512
11a53ffafb9fa363bf8352d834758315cc556c65b9f4ab93fc677be8d791c0cd450deffb6bd7e9745129381cb290b00709bf4aae04590639b0719ad2e20fcd72

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dlscpl5c\dlscpl5c.0.cs

MD5
caf98c9f9cc2c02cdc79eb3409a36bc5

SHA1
aae6131763eaace982ee93fb15ee0eff45a034d2

SHA256
dc072944363d6db027de28c9412f96e4655e460989789c99e3a1992daded7499

SHA512
74845d305b1de1a0decaca325bc98de0cebaee677b6a70d492a0ba3ade21e9f9f0e145687a1f6ff89ada6657f77c47a8f140bf1d610c661738a2c64ada3a132f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dlscpl5c\dlscpl5c.cmdline

MD5
d14663b9d7baabf17c7be071cb934b32

SHA1
62c07b0b633ac4c86b390ff68d137581668e6c71

SHA256
3fea8c378263c1d77f728f669a7e30d5cf0b12bf54174d0c8dd6b01533e54d7e

SHA512
6b2e53711e21bdf10569317c2504765276fe985cde5f9974ad1dc151dbd18cef0e43a444873e1b89073d497ac05ff5fa44266b80f58ab3e3b6df1430dd8bc7c3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uxhmkihl\CSC820FB15764874525962D4247456A1CCC.TMP

MD5
dfa5408e0ac34faf30bcc8687bf7f983

SHA1
ccf0f0c02f60035ab7f3c6514b64c94b4e350582

SHA256
323de2ff3fc5e214e8e20045b737b4ae1c3362a8e6853535a45f16ebfc6ab108

SHA512
24ed5989fe2c4c619c7ae2b2717d5acfc1ef85eded5117bff26c32e2b4faff8193629749ab421fd978f0a77b980b199e10f92672e3ceb5c20ad05466eaaf9f6c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uxhmkihl\uxhmkihl.0.cs

MD5
caf98c9f9cc2c02cdc79eb3409a36bc5

SHA1
aae6131763eaace982ee93fb15ee0eff45a034d2

SHA256
dc072944363d6db027de28c9412f96e4655e460989789c99e3a1992daded7499

SHA512
74845d305b1de1a0decaca325bc98de0cebaee677b6a70d492a0ba3ade21e9f9f0e145687a1f6ff89ada6657f77c47a8f140bf1d610c661738a2c64ada3a132f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uxhmkihl\uxhmkihl.cmdline

MD5
b7039ee22f9d621490af58a34d6b09fb

SHA1
32e3725456843b8008a9be9a2fc651274b8691cf

SHA256
3ecdcc54eb6ba2eb308f21e053f74c9db1d38a6a3f0a67382c0c09ce54d3e919

SHA512
9598c13c70c1904b993978494bb102c4de43579722b8897082df556b3c11e39694dfd74bcd2c9c9dc0d776d7c735ef35a2c0368208221a999e11ff9898662782

Download Submit
memory/672-6-0x00000172A2E03000-0x00000172A2E05000-memory.dmp

Filesize
8KB

Download
memory/672-15-0x00000172A5140000-0x00000172A5141000-memory.dmp

Filesize
4KB

Download
memory/672-10-0x00000172A2E06000-0x00000172A2E08000-memory.dmp

Filesize
8KB

Download
memory/672-2-0x00007FF8522D0000-0x00007FF852CBC000-memory.dmp

Filesize
9.9MB

Download
memory/672-5-0x00000172A2E00000-0x00000172A2E02000-memory.dmp

Filesize
8KB

Download
memory/672-4-0x00000172A51A0000-0x00000172A51A1000-memory.dmp

Filesize
4KB

Download
memory/672-3-0x00000172A4F10000-0x00000172A4F11000-memory.dmp

Filesize
4KB

Download
memory/788-22-0x0000000007DD0000-0x0000000007DD1000-memory.dmp

Filesize
4KB

Download
memory/788-16-0x0000000000000000-mapping.dmp

Download
memory/788-23-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/788-24-0x0000000004E62000-0x0000000004E63000-memory.dmp

Filesize
4KB

Download
memory/788-25-0x0000000007E40000-0x0000000007E41000-memory.dmp

Filesize
4KB

Download
memory/788-20-0x00000000073F0000-0x00000000073F1000-memory.dmp

Filesize
4KB

Download
memory/788-27-0x0000000008190000-0x0000000008191000-memory.dmp

Filesize
4KB

Download
memory/788-28-0x00000000084D0000-0x00000000084D1000-memory.dmp

Filesize
4KB

Download
memory/788-29-0x00000000083F0000-0x00000000083F1000-memory.dmp

Filesize
4KB

Download
memory/788-30-0x000000000CC80000-0x000000000CC81000-memory.dmp

Filesize
4KB

Download
memory/788-31-0x000000000C230000-0x000000000C231000-memory.dmp

Filesize
4KB

Download
memory/788-41-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/788-19-0x0000000007550000-0x0000000007551000-memory.dmp

Filesize
4KB

Download
memory/788-18-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/788-40-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/788-17-0x00000000736C0000-0x0000000073DAE000-memory.dmp

Filesize
6.9MB

Download
memory/788-21-0x0000000007490000-0x0000000007491000-memory.dmp

Filesize
4KB

Download
memory/788-39-0x000000000C250000-0x000000000C251000-memory.dmp

Filesize
4KB

Download
memory/2500-11-0x0000000000000000-mapping.dmp

Download
memory/3132-7-0x0000000000000000-mapping.dmp

Download
memory/3272-32-0x0000000000000000-mapping.dmp

Download
memory/4068-35-0x0000000000000000-mapping.dmp

Download