Analysis
- max time kernel: 155s
- max time network: 85s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 06:03
Static task: static1
Behavioral task: behavioral1
- Sample: 8d17d3a5f3b094938396495331e3dde990d8903736e46318bab7a7af20f9c31d.ps1
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 8d17d3a5f3b094938396495331e3dde990d8903736e46318bab7a7af20f9c31d.ps1
- Resource: win10v2004-20220414-en
General
- Target: 8d17d3a5f3b094938396495331e3dde990d8903736e46318bab7a7af20f9c31d.ps1
- Size: 2KB
- MD5: 68d9b2bda86ac6ce7dbfd3ee9fd12508
- SHA1: 89ecae4065f2f2d7bdd3e910da4bddcd350afbcf
- SHA256: 8d17d3a5f3b094938396495331e3dde990d8903736e46318bab7a7af20f9c31d
- SHA512: b62d41e49a2b87ad9c9fb18a02891833c08499a05099e964a6ba75c2cfffc46369d611462f6b1dec3b93ed17f2c3c015f909127738b773c77770d80a0029e79c
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes:
  flow  pid   process
  4     1728  powershell.exe
  6     1728  powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid   process
  1304  powershell.exe
  1728  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  1304  powershell.exe
  Token: SeDebugPrivilege  1728  powershell.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                        pid   process         target process
  PID 1304 wrote to memory of 1728   1304  powershell.exe  powershell.exe
  PID 1304 wrote to memory of 1728   1304  powershell.exe  powershell.exe
  PID 1304 wrote to memory of 1728   1304  powershell.exe  powershell.exe
  PID 1304 wrote to memory of 1728   1304  powershell.exe  powershell.exe
  PID 1728 wrote to memory of 472    1728  powershell.exe  csc.exe
  PID 1728 wrote to memory of 472    1728  powershell.exe  csc.exe
  PID 1728 wrote to memory of 472    1728  powershell.exe  csc.exe
  PID 1728 wrote to memory of 472    1728  powershell.exe  csc.exe
  PID 472 wrote to memory of 576     472   csc.exe         cvtres.exe
  PID 472 wrote to memory of 576     472   csc.exe         cvtres.exe
  PID 472 wrote to memory of 576     472   csc.exe         cvtres.exe
  PID 472 wrote to memory of 576     472   csc.exe         cvtres.exe
Processes
Process tree (depth 1 to 4); PIDs are those recorded in the WriteProcessMemory signature above.
- 1. PID 1304: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\8d17d3a5f3b094938396495331e3dde990d8903736e46318bab7a7af20f9c31d.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - 2. PID 1728 (child of 1304): \??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
    Command line: "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - 3. PID 472 (child of 1728): C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k_wzd6vn.cmdline"
      - Suspicious use of WriteProcessMemory
      - 4. PID 576 (child of 472): C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6930.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6920.tmp"
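The tree above is the footprint of PowerShell compiling inline C#: csc.exe is driven by a response file (k_wzd6vn.cmdline) in the user's Temp folder, emits k_wzd6vn.dll there, and spawns cvtres.exe for the resource step, which is exactly what Add-Type and other CodeDom compilation produce; the 32-bit SysWOW64 host launched with -s -NoLogo -NoProfile is the server-mode child PowerShell uses for an out-of-process runspace. The script below is an added triage example, not sandbox output and not part of this report: it replays the chain as constructed Sysmon-style process-creation events (pid, ppid, image, command line) built from the PIDs and command lines shown above, and flags any csc.exe with a powershell.exe ancestor, scoring the corroborating indicators a responder would pivot on. The grandparent PID 1000, the benign csc.exe control at the end of the list, and the regexes are assumptions of the example.

```python
"""Flag the powershell.exe -> powershell.exe -> csc.exe -> cvtres.exe chain.

Added example, not sandbox output. SAMPLE_EVENTS is a hand-built reconstruction
of this report's process tree (PIDs 1304, 1728, 472, 576 as given in the
WriteProcessMemory signature); the grandparent PID 1000 and the benign
build-tool control at the end are constructed for illustration.
"""
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"

SAMPLE_EVENTS = [
    ProcEvent(1304, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy bypass -File " + TEMP +
              r"\8d17d3a5f3b094938396495331e3dde990d8903736e46318bab7a7af20f9c31d.ps1"),
    ProcEvent(1728, 1304, r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe",
              r'"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile'),
    ProcEvent(472, 1728, NET2 + r"\csc.exe",
              '"' + NET2 + r'\csc.exe" /noconfig /fullpaths @"' + TEMP + r'\k_wzd6vn.cmdline"'),
    ProcEvent(576, 472, NET2 + r"\cvtres.exe",
              NET2 + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP +
              r'\RES6930.tmp" "' + TEMP + r'\CSC6920.tmp"'),
    # Constructed benign control: csc.exe under a build tool, no PowerShell ancestor.
    ProcEvent(900, 800, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
              r"csc.exe /noconfig @obj\Release\app.rsp"),
]

# PowerShell accepts any unambiguous prefix of -ExecutionPolicy (-ex, -exec, -ep).
BYPASS_RE = re.compile(r"(?:-ex\w*|-ep)\s+bypass", re.I)
# Response file handed to csc.exe from the user's Temp folder, as Add-Type does.
TEMP_RSP_RE = re.compile(r'@"?[^"\s]*\\AppData\\Local\\Temp\\[^"\s]+\.cmdline', re.I)


def basename(path):
    """Lower-cased file name of a Windows path, tolerating \\??\\ prefixes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Events from pid up to the oldest known ancestor (self first); cycle-safe."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def find_inline_compile_chains(events):
    """Return one finding per csc.exe that has a powershell.exe ancestor.

    Each finding records the PowerShell PIDs in the ancestry, whether csc.exe
    read a Temp .cmdline response file, whether it spawned cvtres.exe, and
    whether any PowerShell ancestor used -ExecutionPolicy bypass or ran from
    SysWOW64 (a 32-bit host under a 64-bit parent).
    """
    findings = []
    for e in events:
        if basename(e.image) != "csc.exe":
            continue
        chain = ancestry(events, e.pid)
        ps = [a for a in chain[1:] if basename(a.image) == "powershell.exe"]
        if not ps:
            continue
        findings.append({
            "csc_pid": e.pid,
            "powershell_pids": [a.pid for a in ps],
            "temp_response_file": bool(TEMP_RSP_RE.search(e.cmdline)),
            "cvtres_child": any(c.ppid == e.pid and basename(c.image) == "cvtres.exe"
                                for c in events),
            "execution_policy_bypass": any(BYPASS_RE.search(a.cmdline) for a in ps),
            "wow64_host": any("\\syswow64\\" in a.image.lower() for a in ps),
        })
    return findings


def severity(finding):
    """Rough triage score: each corroborating indicator adds one point (max 4)."""
    keys = ("temp_response_file", "cvtres_child", "execution_policy_bypass", "wow64_host")
    return sum(1 for k in keys if finding[k])


if __name__ == "__main__":
    for f in find_inline_compile_chains(SAMPLE_EVENTS):
        print(f"csc.exe pid {f['csc_pid']} under powershell {f['powershell_pids']}: "
              f"score {severity(f)}/4 {f}")
```

Run against the reconstructed tree it reports the single csc.exe at PID 472 with both PowerShell ancestors (1728 and 1304) and all four indicators set, while the build-tool control is ignored because it has no PowerShell ancestor. In a real hunt the csc.exe-under-PowerShell pattern alone is noisy (administrative scripts use Add-Type legitimately), so the score, the ExecutionPolicy bypass on the root process and the Temp-folder response file are what separate this sample from routine use.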
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES6930.tmp
  Filesize: 1KB
  MD5: 73abfb0954f6a41f13a17ac0c68571cc
  SHA1: 5cd05abbc6489955f364383bcf419affd498cbd9
  SHA256: ab1cf1917df71389cc4b4ab2388598ef9919c59a4474812b7d6341ab129f31b9
  SHA512: 12129a117e63b5973b9301a8539557c98d5dcd4fc2433f0c8898dc8cdf6e11ca7e41a42d4461f6046be2d03cdcc7883ee56e5e7ef8827e6a3a4ef5df6cec2a1b
- C:\Users\Admin\AppData\Local\Temp\k_wzd6vn.dll
  Filesize: 3KB
  MD5: d6d07fb2c42e429302d0779d76563a56
  SHA1: 2ff667f1691cf5ab1756bb7bd4470dc5d5e95705
  SHA256: c6d9f1f443d57c500efb982eb938e96587820f977ee3a6fe33d8ac89f86941ae
  SHA512: 98d5f2b15a4774c37c8230266612f44d682813e152cc4817e0b68dae5e42e0427fb39256463edd03d61d1750455376c6af3fb9664671a402e5fa5162db97f7ea
- \??\c:\Users\Admin\AppData\Local\Temp\CSC6920.tmp
  Filesize: 652B
  MD5: d2bf5525f27774ca63c72fc9f23013f5
  SHA1: 4665b042b6810deb2938b04825f5ccb77c5683ce
  SHA256: efe10043b114cd76d546fc5ea33f818131d818d402a98dcb037d651c8d8e47dc
  SHA512: ef4102b3872d0c573a457574cf39e944d81bbf489a96c90956b309acba5d63ab8c386ed7ea1691cf916842fa61a77b3ef3638a71275e4e735ebccd5797efdc19
- \??\c:\Users\Admin\AppData\Local\Temp\k_wzd6vn.0.cs
  Filesize: 769B
  MD5: e9229c2b2f7494c86966a0c45419f53e
  SHA1: 8cc6e18d196930758675891d9c9761b0812e8451
  SHA256: 02436cabe1b2c68359a333b522304c53b2a721123f935991e6f6684d1fab1def
  SHA512: 2f1a42a5c0de45f412e13cad05b836d05d80aeb7bc89e723edc8c495d65e4d9fb3d2748fefe19cb9857cbefdb175a02f9b7ea4dd9afb729550694360d332219b
- \??\c:\Users\Admin\AppData\Local\Temp\k_wzd6vn.cmdline
  Filesize: 287B
  MD5: 491297f3703da25afcbb5488e247bba1
  SHA1: f13b77cfbddec88a90f412e8f860aa696daf6de3
  SHA256: cad19010e801c939c491edd20e180b125713b522a79454c8ea002ac29f651e0a
  SHA512: 60307e626eb1a5ba68fc911165759c7fba985788575a4b2b6ac460b717c68cbe3fed74361feac810830744f81035e059afa9e8259329ccc0d9ed8a87a46cb07d
Memory dumps
- memory/472-61-0x0000000000000000-mapping.dmp
- memory/576-64-0x0000000000000000-mapping.dmp
- memory/1304-57-0x000000000254B000-0x000000000256A000-memory.dmp
  Filesize: 124KB
- memory/1304-54-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp
  Filesize: 8KB
- memory/1304-55-0x000007FEF3A20000-0x000007FEF457D000-memory.dmp
  Filesize: 11.4MB
- memory/1304-56-0x0000000002544000-0x0000000002547000-memory.dmp
  Filesize: 12KB
- memory/1728-60-0x0000000073770000-0x0000000073D1B000-memory.dmp
  Filesize: 5.7MB
- memory/1728-59-0x0000000076531000-0x0000000076533000-memory.dmp
  Filesize: 8KB
- memory/1728-58-0x0000000000000000-mapping.dmp