22b65737bcbad2d15288e4f9d7802258ba80e418910078b2c6662f2f145e2053

General

Target

xd.ps1
Size

1KB
MD5

55aa3100c8ae74455f0fe1cee1ebf18c
SHA1

061dbf007849d4adde211e7f3799d275acbca693
SHA256

417d358ea8cbd4c3a23073c599b73cda354f09e0bd8a6b88571f6bacf0801c10
SHA512

e02c38831e1e1ca6a17326e76ea19a7d9cca573628f560de608b3ba6ee61b858d566581f773ed2b116b27bc9612d02440a5eda31cc557905f6c5280cce865d39

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

7 1964 powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1964 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1964 powershell.exe

flow	pid	process
7	1964	powershell.exe

pid	process
1964	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1964	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

powershell.execsc.exe

description	pid	process	target process
PID 1964 wrote to memory of 412	1964	powershell.exe	csc.exe
PID 1964 wrote to memory of 412	1964	powershell.exe	csc.exe
PID 1964 wrote to memory of 412	1964	powershell.exe	csc.exe
PID 412 wrote to memory of 580	412	csc.exe	cvtres.exe
PID 412 wrote to memory of 580	412	csc.exe	cvtres.exe
PID 412 wrote to memory of 580	412	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\xd.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v4zeluhg\v4zeluhg.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2221.tmp" "c:\Users\Admin\AppData\Local\Temp\v4zeluhg\CSCDDAABE51EC841A7B07F59C887E94DEC.TMP"
3⤵
PID:580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2221.tmp
MD5
07dc9e9030777a4943760bc99e15fe36

SHA1
a71c0c6215bba83b5de5dad06bdc1e2065b389d1

SHA256
c3bd0db521599028c9100939d75fc89b94586b4ad2e55cb7c4df9195ecffc422

SHA512
dca72de1a9120bca1825dba17360488b3c5bdbafbf363d71f543c39e63d4a27c7c16c034f35bb4320bde18351fd579cb2b6d8ec3ebfc69c15d68cf995e623378

Download Submit
C:\Users\Admin\AppData\Local\Temp\v4zeluhg\v4zeluhg.dll
MD5
ad5bcf884e70c677476242ca3d72c86b

SHA1
13853ca98253db5f74d5ca5fa33f2b112b675986

SHA256
b5afb0ce6af12b0b4232d0e425e25f8e97d740fed2c5e6f7748600a676def37f

SHA512
cf946c35f361a9669baa2a50d4c017b1d1a63c111e7dddcda9492c9cf7ec520b6461ddb1499915421bff1afafe8be4827a6c2b305744e3db3d647dfc36f5ccfa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v4zeluhg\CSCDDAABE51EC841A7B07F59C887E94DEC.TMP
MD5
903bec97094543e9901468fc7ec825e9

SHA1
71f9fb23a6a1b71cde5651b4726e7d3cbb0cbd8e

SHA256
4c3c5c7a41493fb791054fda9f18d4a2f059ebeaec4390a308b31df39609a00c

SHA512
d234c75bd1d14f1ecb6c6b106bf0055a6deafc9d37a563ae248970af58039b2d4a7c2a3325a061c8dd75c92e528649e781c540d98c679fb78b92212cc41109ab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v4zeluhg\v4zeluhg.0.cs
MD5
c699d3aab16730de62b683f5a53d3e02

SHA1
61eb3de1feea4ee0db7831347a4b9f81daa24142

SHA256
0613fe073ea3b86bf6d6c2d617a66e5162a99148cc90dd357dd70e8bcee685f5

SHA512
4cfb37f350a2c4b2d253ca9cbb914157f84aefae0b395dd080e7411fa254397ae94be6204f45b782d26a79e95e79c1843b0502068e67f0e67dba1b2511fa298f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v4zeluhg\v4zeluhg.cmdline
MD5
4b17971ebd5d5aa2947bd55e2e9abcec

SHA1
44c7b2d698e94168bc758cd1eb24104691fef8d3

SHA256
b906feb9b72860daba63dce734967555ff86d4349e35c072ebd0ebd1d2d134b3

SHA512
e8a07f90f89ff5aef37e433d97c9be9d1b622ab7f28f6d07d73096e379723ad0c47736a9fef3db9d25c2307d74faaa59af9b12adbe9b2ea5ed93cd9488ae90c8

Download Submit
memory/412-67-0x0000000000000000-mapping.dmp

Download
memory/580-70-0x0000000000000000-mapping.dmp

Download
memory/1964-65-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download
memory/1964-66-0x000000001C4E0000-0x000000001C4E1000-memory.dmp

Filesize
4KB

Download
memory/1964-59-0x000007FEFC471000-0x000007FEFC473000-memory.dmp

Filesize
8KB

Download
memory/1964-64-0x000000001AB54000-0x000000001AB56000-memory.dmp

Filesize
8KB

Download
memory/1964-63-0x000000001AB50000-0x000000001AB52000-memory.dmp

Filesize
8KB

Download
memory/1964-62-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1964-61-0x000000001ABD0000-0x000000001ABD1000-memory.dmp

Filesize
4KB

Download
memory/1964-60-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/1964-74-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/1964-75-0x0000000002630000-0x0000000002643000-memory.dmp

Filesize
76KB

Download
memory/1964-76-0x000000001AB5A000-0x000000001AB79000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads