1670285f43fbf97e6c53349a9518b7daa4ea147481be976633c1ff39dbc6e09a

General

Target

1670285f43fbf97e6c53349a9518b7daa4ea147481be976633c1ff39dbc6e09a.ps1
Size

2KB
MD5

eef0c8da7ab6b462a56467f39e952836
SHA1

ce494b7212c4d1da3fb6291d796e4718cfaa4338
SHA256

1670285f43fbf97e6c53349a9518b7daa4ea147481be976633c1ff39dbc6e09a
SHA512

b442b165b9c1d33e5071d00e22f863e7d52d20b6032b8df56277a1f5d1220b47fab4c7ed04e5a72b36daae3e3040f35f81cf3f9768307ebc90349f1af95c5213

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1824 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1824 powershell.exe

pid	process
1824	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1824	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

powershell.execsc.exe

description	pid	process	target process
PID 1824 wrote to memory of 608	1824	powershell.exe	csc.exe
PID 1824 wrote to memory of 608	1824	powershell.exe	csc.exe
PID 1824 wrote to memory of 608	1824	powershell.exe	csc.exe
PID 608 wrote to memory of 1564	608	csc.exe	cvtres.exe
PID 608 wrote to memory of 1564	608	csc.exe	cvtres.exe
PID 608 wrote to memory of 1564	608	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\1670285f43fbf97e6c53349a9518b7daa4ea147481be976633c1ff39dbc6e09a.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3v9tj9fl.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA7D.tmp"
3⤵
PID:1564

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3v9tj9fl.dll
Filesize
3KB

MD5
d7ed7811dc707faccd4a8808abea2e71

SHA1
f32c3c04f96fbc5a2e9b50c51e295029fcd60eb9

SHA256
cf7d7e7645383865c3ce44fe80d3395e969da5b9f1cba8041add4358baa4cb39

SHA512
9dc36e461b9ac2bcd236436cd4b48dc7bea3488717af7c13ec4bf640798bea6b32408c862096afc739d91762980b435988a6da3378b2693208591b25a30d92e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3v9tj9fl.pdb
Filesize
7KB

MD5
9c950838d4d513d8a46f286b226be19e

SHA1
297af6ad26fd1f111271095975074cb8c3e9d068

SHA256
f939551a25b4ea9ffb0039cbf2a1cd99d409b2cc5f7fd5f21a90a63c1c03f7e8

SHA512
aa8bc789a22439865a3f6aa8b15a7e423e802f5b0446f2612c1c9e8bab0df9475357149857234be7fe989f11085aa0ace3ff8a016503166c46b0844c05c07084

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA7E.tmp
Filesize
1KB

MD5
b90851c15a63c27fe371b693979ad2b8

SHA1
8cc2616193a2ffaee5d6a386dc70dc522e5ec120

SHA256
c16af3a10b8b89987b66c1401512fa28dd77703224fae86fa4cc3cc86c9017ff

SHA512
d628fc27321d702b74ef5ddb3b649856294a6bc48ecf4ae5da1ab8714da5a9bf204e76363e736f41edb3df1cf6caf36007dc61c84a686719a1dbad387a58cc45

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3v9tj9fl.0.cs
Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3v9tj9fl.cmdline
Filesize
309B

MD5
9ca86c8481528a0f776600214b3e41c0

SHA1
af58613ea8325acbe979fdfc18c07ca7c49a460e

SHA256
1579c0a355e33cd8df13a43c0446a906d69aa17cd212e6fed08bafb062b9f3ec

SHA512
57354d9701e1b8b272b8bac862709cc140559c056ba3d25c555734721aef32a50d2cf82f48d7dc5863c26af6c7332fe6b8b4858c7c29fa46ed4433f98ec246b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA7D.tmp
Filesize
652B

MD5
4763bbe760882f8a44c9c18e681626f7

SHA1
9cfd25712c46a6c66e874c731688716fea236012

SHA256
0c78385cbd778a1bbc63639e07175971ee09fb8975719447483420a993169ffe

SHA512
6b312d6bf38689f0b1256f080e5a22ab789881d92b56d40a90715ba51bce752c96147ffd350c4b08322becd0def827bec61fc44d5b9a4981f40812df02079b31

Download Submit
memory/608-57-0x0000000000000000-mapping.dmp

Download
memory/1564-60-0x0000000000000000-mapping.dmp

Download
memory/1824-61-0x00000000024A4000-0x00000000024A7000-memory.dmp

Filesize
12KB

Download
memory/1824-62-0x00000000024AB000-0x00000000024CA000-memory.dmp

Filesize
124KB

Download
memory/1824-54-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/1824-56-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/1824-55-0x000007FEF3420000-0x000007FEF3F7D000-memory.dmp

Filesize
11.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads