8d17d3a5f3b094938396495331e3dde990d8903736e46318bab7a7af20f9c31d

General

Target

8d17d3a5f3b094938396495331e3dde990d8903736e46318bab7a7af20f9c31d.ps1
Size

2KB
MD5

68d9b2bda86ac6ce7dbfd3ee9fd12508
SHA1

89ecae4065f2f2d7bdd3e910da4bddcd350afbcf
SHA256

8d17d3a5f3b094938396495331e3dde990d8903736e46318bab7a7af20f9c31d
SHA512

b62d41e49a2b87ad9c9fb18a02891833c08499a05099e964a6ba75c2cfffc46369d611462f6b1dec3b93ed17f2c3c015f909127738b773c77770d80a0029e79c

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

4 1728 powershell.exe
6 1728 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1304 powershell.exe
1728 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1304 powershell.exe
Token: SeDebugPrivilege 1728 powershell.exe

flow	pid	process
4	1728	powershell.exe
6	1728	powershell.exe

pid	process
1304	powershell.exe
1728	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

powershell.exepowershell.execsc.exe

description	pid	process	target process
PID 1304 wrote to memory of 1728	1304	powershell.exe	powershell.exe
PID 1304 wrote to memory of 1728	1304	powershell.exe	powershell.exe
PID 1304 wrote to memory of 1728	1304	powershell.exe	powershell.exe
PID 1304 wrote to memory of 1728	1304	powershell.exe	powershell.exe
PID 1728 wrote to memory of 472	1728	powershell.exe	csc.exe
PID 1728 wrote to memory of 472	1728	powershell.exe	csc.exe
PID 1728 wrote to memory of 472	1728	powershell.exe	csc.exe
PID 1728 wrote to memory of 472	1728	powershell.exe	csc.exe
PID 472 wrote to memory of 576	472	csc.exe	cvtres.exe
PID 472 wrote to memory of 576	472	csc.exe	cvtres.exe
PID 472 wrote to memory of 576	472	csc.exe	cvtres.exe
PID 472 wrote to memory of 576	472	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\8d17d3a5f3b094938396495331e3dde990d8903736e46318bab7a7af20f9c31d.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -s -NoLogo -NoProfile
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k_wzd6vn.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6930.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6920.tmp"
4⤵
PID:576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6930.tmp
Filesize
1KB

MD5
73abfb0954f6a41f13a17ac0c68571cc

SHA1
5cd05abbc6489955f364383bcf419affd498cbd9

SHA256
ab1cf1917df71389cc4b4ab2388598ef9919c59a4474812b7d6341ab129f31b9

SHA512
12129a117e63b5973b9301a8539557c98d5dcd4fc2433f0c8898dc8cdf6e11ca7e41a42d4461f6046be2d03cdcc7883ee56e5e7ef8827e6a3a4ef5df6cec2a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\k_wzd6vn.dll
Filesize
3KB

MD5
d6d07fb2c42e429302d0779d76563a56

SHA1
2ff667f1691cf5ab1756bb7bd4470dc5d5e95705

SHA256
c6d9f1f443d57c500efb982eb938e96587820f977ee3a6fe33d8ac89f86941ae

SHA512
98d5f2b15a4774c37c8230266612f44d682813e152cc4817e0b68dae5e42e0427fb39256463edd03d61d1750455376c6af3fb9664671a402e5fa5162db97f7ea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6920.tmp
Filesize
652B

MD5
d2bf5525f27774ca63c72fc9f23013f5

SHA1
4665b042b6810deb2938b04825f5ccb77c5683ce

SHA256
efe10043b114cd76d546fc5ea33f818131d818d402a98dcb037d651c8d8e47dc

SHA512
ef4102b3872d0c573a457574cf39e944d81bbf489a96c90956b309acba5d63ab8c386ed7ea1691cf916842fa61a77b3ef3638a71275e4e735ebccd5797efdc19

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k_wzd6vn.0.cs
Filesize
769B

MD5
e9229c2b2f7494c86966a0c45419f53e

SHA1
8cc6e18d196930758675891d9c9761b0812e8451

SHA256
02436cabe1b2c68359a333b522304c53b2a721123f935991e6f6684d1fab1def

SHA512
2f1a42a5c0de45f412e13cad05b836d05d80aeb7bc89e723edc8c495d65e4d9fb3d2748fefe19cb9857cbefdb175a02f9b7ea4dd9afb729550694360d332219b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k_wzd6vn.cmdline
Filesize
287B

MD5
491297f3703da25afcbb5488e247bba1

SHA1
f13b77cfbddec88a90f412e8f860aa696daf6de3

SHA256
cad19010e801c939c491edd20e180b125713b522a79454c8ea002ac29f651e0a

SHA512
60307e626eb1a5ba68fc911165759c7fba985788575a4b2b6ac460b717c68cbe3fed74361feac810830744f81035e059afa9e8259329ccc0d9ed8a87a46cb07d

Download Submit
memory/472-61-0x0000000000000000-mapping.dmp

Download
memory/576-64-0x0000000000000000-mapping.dmp

Download
memory/1304-57-0x000000000254B000-0x000000000256A000-memory.dmp

Filesize
124KB

Download
memory/1304-54-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp

Filesize
8KB

Download
memory/1304-55-0x000007FEF3A20000-0x000007FEF457D000-memory.dmp

Filesize
11.4MB

Download
memory/1304-56-0x0000000002544000-0x0000000002547000-memory.dmp

Filesize
12KB

Download
memory/1728-60-0x0000000073770000-0x0000000073D1B000-memory.dmp

Filesize
5.7MB

Download
memory/1728-59-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1728-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads