8d17d3a5f3b094938396495331e3dde990d8903736e46318bab7a7af20f9c31d

General

Target

8d17d3a5f3b094938396495331e3dde990d8903736e46318bab7a7af20f9c31d.ps1
Size

2KB
MD5

68d9b2bda86ac6ce7dbfd3ee9fd12508
SHA1

89ecae4065f2f2d7bdd3e910da4bddcd350afbcf
SHA256

8d17d3a5f3b094938396495331e3dde990d8903736e46318bab7a7af20f9c31d
SHA512

b62d41e49a2b87ad9c9fb18a02891833c08499a05099e964a6ba75c2cfffc46369d611462f6b1dec3b93ed17f2c3c015f909127738b773c77770d80a0029e79c

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

18 4848 powershell.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1424 powershell.exe
1424 powershell.exe
4848 powershell.exe
4848 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1424 powershell.exe
Token: SeDebugPrivilege 4848 powershell.exe

flow	pid	process
18	4848	powershell.exe

pid	process
1424	powershell.exe
1424	powershell.exe
4848	powershell.exe
4848	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

powershell.exepowershell.execsc.exe

description	pid	process	target process
PID 1424 wrote to memory of 4848	1424	powershell.exe	powershell.exe
PID 1424 wrote to memory of 4848	1424	powershell.exe	powershell.exe
PID 1424 wrote to memory of 4848	1424	powershell.exe	powershell.exe
PID 4848 wrote to memory of 1512	4848	powershell.exe	csc.exe
PID 4848 wrote to memory of 1512	4848	powershell.exe	csc.exe
PID 4848 wrote to memory of 1512	4848	powershell.exe	csc.exe
PID 1512 wrote to memory of 2024	1512	csc.exe	cvtres.exe
PID 1512 wrote to memory of 2024	1512	csc.exe	cvtres.exe
PID 1512 wrote to memory of 2024	1512	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\8d17d3a5f3b094938396495331e3dde990d8903736e46318bab7a7af20f9c31d.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bvtjzcvx\bvtjzcvx.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES687E.tmp" "c:\Users\Admin\AppData\Local\Temp\bvtjzcvx\CSC1AD815FFB6574C52A2BA3279F548758C.TMP"
4⤵
PID:2024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
93678e82d776686aa54c42b8a98e6cbc

SHA1
802939dfed99ac74814c4371388b204c5810241d

SHA256
da32a79a8e04cbafb1c5980b3d6225f4705010df5eb45d464cd5bf6b642d7841

SHA512
0b412a1e11c0639d72f6a58c661ecc43da021c010c4d1e66051c5a376ebab287480bbf663345c9bd2a79ec3a35a9788cf04d74d612449f76fe2c87576cd13520

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES687E.tmp
Filesize
1KB

MD5
fc2bcf11d4fb591f68cdbad562fc96c3

SHA1
05999d2803af59dc0e8b5e2ccb6d1b3bd394675c

SHA256
a1f6de606dc8221974338faa5df42c7b1c8bb33764b6678d5624fec7cce25b78

SHA512
6023d1eb60f03d47fc9134136a329048432af637b062fe30f1dca151939609b9efa83ed7e3f77ea68ed068dc7bb20a3f1a35311baae5e8a0e2874cf6c82694a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvtjzcvx\bvtjzcvx.dll
Filesize
3KB

MD5
42c316a0a1cc8406d599b577056a4df0

SHA1
b6fede1e83635fb41830186fef34f8b0c149a1ee

SHA256
f661317cd4b94f57931be8309947c0400f2f39e03b8d072bee42d292565d0232

SHA512
5f20893e426f3bda8f962533036aac98998e0ad1a08dea0c960a24b3c5e1cd3abf4ccc54c89c5c8957efadfd79dcd633172427a9ad1d2a6978f077bb6c5a0855

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bvtjzcvx\CSC1AD815FFB6574C52A2BA3279F548758C.TMP
Filesize
652B

MD5
a0bd56c4524a54838bbc46464dc26e19

SHA1
3dbdbce99225b8a2a1f18924fabfecc3228a745e

SHA256
b531c312d06a7533e8eaf6fbc2be5dcfc327c96af4a832845f754a4ab50c8994

SHA512
f7baaf22eed5afdf5197dd82db4f303ef031215ef53cc0a9650cc43918f050345b9887fd30046c8d59194d26d0bbc41ababce524220dd7ba9ffbcb8d5b81cb3a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bvtjzcvx\bvtjzcvx.0.cs
Filesize
769B

MD5
e9229c2b2f7494c86966a0c45419f53e

SHA1
8cc6e18d196930758675891d9c9761b0812e8451

SHA256
02436cabe1b2c68359a333b522304c53b2a721123f935991e6f6684d1fab1def

SHA512
2f1a42a5c0de45f412e13cad05b836d05d80aeb7bc89e723edc8c495d65e4d9fb3d2748fefe19cb9857cbefdb175a02f9b7ea4dd9afb729550694360d332219b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bvtjzcvx\bvtjzcvx.cmdline
Filesize
324B

MD5
b7f716f31e95f5ae46f86ed913f1cab7

SHA1
56ef11eaef9dfa3c16335bb255586c033d05bf94

SHA256
f7784ede1cc1f2198aee0245807bc18b4486fa997c01f63fd1070bad96f1bd54

SHA512
20cbe4f940dbf0a84dcaea5e3063052d833063a318a4c96a7570810682b3b2d1ba1ad1b6f2915f60c9a2dca252db0258ad79bdc9d01ba0b564684e83e36405f0

Download Submit
memory/1424-131-0x00007FFCB6ED0000-0x00007FFCB7991000-memory.dmp

Filesize
10.8MB

Download
memory/1424-132-0x00000290BBD70000-0x00000290BBEE6000-memory.dmp

Filesize
1.5MB

Download
memory/1424-133-0x00000290BC100000-0x00000290BC30A000-memory.dmp

Filesize
2.0MB

Download
memory/1424-130-0x00000290A1870000-0x00000290A1892000-memory.dmp

Filesize
136KB

Download
memory/1512-144-0x0000000000000000-mapping.dmp

Download
memory/2024-147-0x0000000000000000-mapping.dmp

Download
memory/4848-135-0x0000000004E80000-0x0000000004EB6000-memory.dmp

Filesize
216KB

Download
memory/4848-143-0x0000000006B50000-0x0000000006B6A000-memory.dmp

Filesize
104KB

Download
memory/4848-142-0x00000000074B0000-0x0000000007B2A000-memory.dmp

Filesize
6.5MB

Download
memory/4848-140-0x0000000006570000-0x000000000658E000-memory.dmp

Filesize
120KB

Download
memory/4848-139-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/4848-138-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/4848-137-0x0000000005480000-0x00000000054A2000-memory.dmp

Filesize
136KB

Download
memory/4848-136-0x00000000055F0000-0x0000000005C18000-memory.dmp

Filesize
6.2MB

Download
memory/4848-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads