3562fd71332555b853226bd01b7885c0bbbeebadeacd5bf5764aa74db8dd89c4

General

Target

3562fd71332555b853226bd01b7885c0bbbeebadeacd5bf5764aa74db8dd89c4.ps1
Size

2KB
MD5

7364f1da81ead7aa33f01ac19d7d6b39
SHA1

48139ab3b0f4df7da54a45a2af5e7f785fee791d
SHA256

3562fd71332555b853226bd01b7885c0bbbeebadeacd5bf5764aa74db8dd89c4
SHA512

bac488dcd05f7f0df02aab0801cd5d03cd123140b4281f8eacb052db55ce2badf0d5df2d68df50ea8e1b2964a9adef0d29588d0a9077acb168373f440cd79fb4

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1284 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1284 powershell.exe

pid	process
1284	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1284	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

powershell.execsc.exe

description	pid	process	target process
PID 1284 wrote to memory of 1360	1284	powershell.exe	csc.exe
PID 1284 wrote to memory of 1360	1284	powershell.exe	csc.exe
PID 1284 wrote to memory of 1360	1284	powershell.exe	csc.exe
PID 1360 wrote to memory of 1540	1360	csc.exe	cvtres.exe
PID 1360 wrote to memory of 1540	1360	csc.exe	cvtres.exe
PID 1360 wrote to memory of 1540	1360	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3562fd71332555b853226bd01b7885c0bbbeebadeacd5bf5764aa74db8dd89c4.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5unmu-sx.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1067.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1066.tmp"
3⤵
PID:1540

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5unmu-sx.dll
Filesize
3KB

MD5
23959bd4a9f9af44a93057dd902d1632

SHA1
f3ae907949ca39e4e86b07cd29b174a6317f1acb

SHA256
ec4ffbd96097b7fa38064c45711810be6b4fe5c9c46673c9acdbe4ecd91417fd

SHA512
9380b5812ba632f3fe8b40f54a50f2b2f93e7451c3afa5dc15192c6bb2b9acc96c81b9e4e34a0a6bebf4d99ab8fab5e9277f81b9ae3ae0c838e83d55c3794d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5unmu-sx.pdb
Filesize
7KB

MD5
704901f1a3fed24a9a1964d25280cec0

SHA1
eef4dc061360bca282240b1c8d9087678b2ce461

SHA256
d662682727daed4498652fdd20f984b123977f5a7bb44f6e1bd4525c16f258ae

SHA512
26ce95885a318e06c3243f8614898633b8801e8467d214d014d3e0a10ab1b1e74679a813f1aad4a2c7bed04c19fb39a74bb88b661e5f235d8fe53927dcf0f290

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1067.tmp
Filesize
1KB

MD5
07ed059b7e31bcca017a2c1e0e5fe9d1

SHA1
10a240e8deb8a8bdbb95ae4922e79d24a42d81c5

SHA256
438acbd1ed88dbbd69d6d33b0e1cf514e47512950474d71dc7cfbc7e8b6473fa

SHA512
3d2c11190fbf8fe58ea81a24b65e922aefb0eae9559d098f756767d70445796543621040bbe07338d27fb3e5f568f38293f63ef11ceae7717d73e7afe28e25fd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5unmu-sx.0.cs
Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5unmu-sx.cmdline
Filesize
309B

MD5
d71e0a6520d8a50d3c2a433de7289be4

SHA1
9225ea050a816a736445725bbee2fa6208fbedb2

SHA256
e39b988d5e006278b845afc135a953e865cd2678300e23cb8bf8b17ac633c4b8

SHA512
beaffce2b5327a916bab03dfc7fef71bc38b3d583af78bfb1482b2e45754ce1de4852a5f864744f15be4fc8967cb0441736576529657e67fb39746505df038f0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1066.tmp
Filesize
652B

MD5
17473aae3f48f82068196841a41a7949

SHA1
f5e7794e76f185dc70ac381b25c9890c8519efbe

SHA256
dbaa772f71fd509e6bd639e83e8e577886845138e8d26354234592f122afeb75

SHA512
ddfd1d05366e2c60aca374a37a61c45cf3703c74f9ca07c4e49464101a57fd97c168e4988b33d62e5bac2f5b2d4f427f3dfa0cce0da4a792e87efa0ea55f5042

Download Submit
memory/1284-65-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/1284-55-0x000007FEF3C90000-0x000007FEF47ED000-memory.dmp

Filesize
11.4MB

Download
memory/1284-56-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/1284-54-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp

Filesize
8KB

Download
memory/1284-66-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download
memory/1360-57-0x0000000000000000-mapping.dmp

Download
memory/1540-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads