3562fd71332555b853226bd01b7885c0bbbeebadeacd5bf5764aa74db8dd89c4

General

Target

3562fd71332555b853226bd01b7885c0bbbeebadeacd5bf5764aa74db8dd89c4.ps1
Size

2KB
MD5

7364f1da81ead7aa33f01ac19d7d6b39
SHA1

48139ab3b0f4df7da54a45a2af5e7f785fee791d
SHA256

3562fd71332555b853226bd01b7885c0bbbeebadeacd5bf5764aa74db8dd89c4
SHA512

bac488dcd05f7f0df02aab0801cd5d03cd123140b4281f8eacb052db55ce2badf0d5df2d68df50ea8e1b2964a9adef0d29588d0a9077acb168373f440cd79fb4

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4764 392 WerFault.exe powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

392 powershell.exe
392 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 392 powershell.exe

pid	pid_target	process	target process
4764	392	WerFault.exe	powershell.exe

pid	process
392	powershell.exe
392	powershell.exe

description	pid	process
Token: SeDebugPrivilege	392	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

powershell.execsc.exe

description	pid	process	target process
PID 392 wrote to memory of 3600	392	powershell.exe	csc.exe
PID 392 wrote to memory of 3600	392	powershell.exe	csc.exe
PID 3600 wrote to memory of 924	3600	csc.exe	cvtres.exe
PID 3600 wrote to memory of 924	3600	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3562fd71332555b853226bd01b7885c0bbbeebadeacd5bf5764aa74db8dd89c4.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mlkg5y0u\mlkg5y0u.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES68C1.tmp" "c:\Users\Admin\AppData\Local\Temp\mlkg5y0u\CSC41E14458958452182DA3BE615C6C2A.TMP"
3⤵
PID:924

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 392 -s 2044
2⤵
- Program crash
PID:4764

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 392 -ip 392
1⤵
PID:5016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES68C1.tmp
Filesize
1KB

MD5
571f97acb970ba71af50651b5119e4bd

SHA1
d7b7a7c860feee3515ac095378d59cdc776b02fc

SHA256
19bd165005ae60a976d2e2d9167905eda78c70c2464ec3c44400d216e3762b26

SHA512
97c2aa0053020b6a223bc1b0d1212cd74aad052604b0920958b0ea9984dc03df9b33efcd09538130ecc810b5a9bbd643cab05e9344e2a2b4c350ab9c0b740f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\mlkg5y0u\mlkg5y0u.dll
Filesize
3KB

MD5
ade69e92898534f505ea7b5a8b2de6da

SHA1
8fb113908a604412913db692997edc8d98e3a4c8

SHA256
77df92d342a52f02c07cba0436603c5672e201ff2295ba0337fafaa4df65850d

SHA512
a89f63453ebf3494cf01ad67ac5d4599941e0f3ec9d8ff6b9b03fa8469324cb02df6594779d543427f5595b6c3969dea19c78d6c41eff8dce41ff06887f00987

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mlkg5y0u\CSC41E14458958452182DA3BE615C6C2A.TMP
Filesize
652B

MD5
029d2e3579604a1cbaf492a8c2f295e4

SHA1
44c338e2d63e857a21569baa46946f58bfd28929

SHA256
b170b45e6f347d7f72d4102b33c0cb2bf125dfe3b97cb9fea477f638ea6e6ad6

SHA512
4a069ab713508b54bdbcfc8f17a25bb59cf6a80a8053fc3de8e3fae0672ab865d7c229e0ba375303c00e4f3f3776d701621ee37224bc6f8e4ad9cb0f5d943cd5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mlkg5y0u\mlkg5y0u.0.cs
Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mlkg5y0u\mlkg5y0u.cmdline
Filesize
369B

MD5
7ab81479e73ac750ef4a58cbec4afd10

SHA1
6a0fe3019cbee360ce4722a9642d9d0de3167ac2

SHA256
263b7350b0f29d8f8b50773b8f471eb89208c10b4ae50383c5e42fda6c7bead4

SHA512
abe8a20330317fdfeaaaa21446dceba6cd226f72ffe88ab3624f1c664502622ed2f78d9c3194f533910220c653457d1bd7e0e46c50cdf8dfdff1c1471a7582db

Download Submit
memory/392-130-0x000001BD2AB10000-0x000001BD2AB32000-memory.dmp

Filesize
136KB

Download
memory/392-131-0x00007FFD52380000-0x00007FFD52E41000-memory.dmp

Filesize
10.8MB

Download
memory/924-135-0x0000000000000000-mapping.dmp

Download
memory/3600-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads