Analysis

max time kernel: 91s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 19:22

Static task: static1

Behavioral task: behavioral1
  Sample: 1670285f43fbf97e6c53349a9518b7daa4ea147481be976633c1ff39dbc6e09a.ps1
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 1670285f43fbf97e6c53349a9518b7daa4ea147481be976633c1ff39dbc6e09a.ps1
  Resource: win10v2004-20220414-en
General

Target: 1670285f43fbf97e6c53349a9518b7daa4ea147481be976633c1ff39dbc6e09a.ps1
Size: 2KB
MD5: eef0c8da7ab6b462a56467f39e952836
SHA1: ce494b7212c4d1da3fb6291d796e4718cfaa4338
SHA256: 1670285f43fbf97e6c53349a9518b7daa4ea147481be976633c1ff39dbc6e09a
SHA512: b442b165b9c1d33e5071d00e22f863e7d52d20b6032b8df56277a1f5d1220b47fab4c7ed04e5a72b36daae3e3040f35f81cf3f9768307ebc90349f1af95c5213
Malware Config
Signatures

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  1712  4892        WerFault.exe  powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  4892  powershell.exe
  4892  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  4892  powershell.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                       pid   process         target process
  PID 4892 wrote to memory of 1792  4892  powershell.exe  csc.exe
  PID 4892 wrote to memory of 1792  4892  powershell.exe  csc.exe
  PID 1792 wrote to memory of 4968  1792  csc.exe         cvtres.exe
  PID 1792 wrote to memory of 4968  1792  csc.exe         cvtres.exe
Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\1670285f43fbf97e6c53349a9518b7daa4ea147481be976633c1ff39dbc6e09a.ps1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ibzt4dnx\ibzt4dnx.cmdline"
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0F5.tmp" "c:\Users\Admin\AppData\Local\Temp\ibzt4dnx\CSC8D6930ED70074BE8A995F0862522331.TMP"

  C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4892 -s 1648
    - Program crash

C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 404 -p 4892 -ip 4892
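The tree above is the footprint of a PowerShell script compiling inline C# at run time: Windows PowerShell's Add-Type drives the .NET CodeDOM compiler, which writes a response file and source file into a random 8-character %TEMP% subdirectory (here ibzt4dnx\ibzt4dnx.cmdline and ibzt4dnx.0.cs), runs csc.exe on it, and csc.exe in turn runs cvtres.exe to build the resource blob (RESB0F5.tmp, CSC....TMP). The WerFault.exe child carrying -p 4892 shows powershell.exe itself crashed afterwards. The detector below is an added example, not part of the sandbox report, and it is written against constructed process-creation events that reproduce the report's pids, image paths and command lines; the ProcEvent schema (pid, ppid, image, cmdline) is an assumption standing in for whatever source a SOC has (Sysmon Event ID 1, Windows 4688, EDR telemetry). The -ExecutionPolicy matching also accepts PowerShell's abbreviated forms such as -ep, and pwsh.exe is included as a generalization to PowerShell 7; neither appears in the report. Add-Type is also used by legitimate administrative scripts, so treat a hit as a triage lead rather than a verdict, and note that -ExecutionPolicy bypass only disables a script-execution policy check, not a security boundary.

```python
"""Flag a powershell.exe -> csc.exe -> cvtres.exe run-time compile chain.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's process tree; the ProcEvent field set is an assumed, source-agnostic
schema (Sysmon EID 1, Windows 4688 and EDR feeds all carry these four fields).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int       # 0 means the parent is not shown in the report
    image: str      # full image path
    cmdline: str


@dataclass
class Finding:
    powershell_pid: int
    csc_pid: int
    cvtres_pid: Optional[int]      # None if csc.exe never reached the resource step
    response_file: Optional[str]   # the @file handed to csc.exe
    execution_policy_bypass: bool  # -ExecutionPolicy bypass, any accepted abbreviation
    add_type_layout: bool          # ...\<8 random chars>\<same name>.cmdline
    crashed: bool                  # a WerFault.exe child reporting -p <powershell pid>


# Constructed from the report's tree. The second WerFault.exe (-pss) is omitted
# because the report gives it no pid.
EVENTS: List[ProcEvent] = [
    ProcEvent(4892, 0, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy bypass -File "
              r"C:\Users\Admin\AppData\Local\Temp\1670285f43fbf97e6c53349a9518b7daa4ea147481be976633c1ff39dbc6e09a.ps1"),
    ProcEvent(1792, 4892, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
              r'@"C:\Users\Admin\AppData\Local\Temp\ibzt4dnx\ibzt4dnx.cmdline"'),
    ProcEvent(4968, 1792, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
              r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
              r'"/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0F5.tmp" '
              r'"c:\Users\Admin\AppData\Local\Temp\ibzt4dnx\CSC8D6930ED70074BE8A995F0862522331.TMP"'),
    ProcEvent(1712, 4892, r"C:\Windows\system32\WerFault.exe",
              r"C:\Windows\system32\WerFault.exe -u -p 4892 -s 1648"),
]

# pwsh.exe (PowerShell 7) is a generalization; the report only shows powershell.exe.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# -ExecutionPolicy accepts any unambiguous prefix (-ep, -ex, -exec, ...); heuristic match.
EP_BYPASS_RE = re.compile(r"(?:^|\s)-e(?:p|x\w*)\s+bypass(?=\s|$)", re.I)
# csc.exe takes its arguments from a response file given as @file or @"file".
RESPONSE_FILE_RE = re.compile(r'@"?([^"\s]+?\.cmdline)"?', re.I)
# CodeDOM names the scratch directory and the response file identically.
ADD_TYPE_LAYOUT_RE = re.compile(r"\\([a-z0-9]{8})\\\1\.cmdline$", re.I)


def _name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def _children(events: List[ProcEvent]) -> Dict[int, List[ProcEvent]]:
    by_parent: Dict[int, List[ProcEvent]] = {}
    for e in events:
        by_parent.setdefault(e.ppid, []).append(e)
    return by_parent


def find_compile_chains(events: List[ProcEvent]) -> List[Finding]:
    """One Finding per csc.exe launched directly by a PowerShell host process."""
    children = _children(events)
    findings: List[Finding] = []
    for ps in events:
        if _name(ps.image) not in POWERSHELL_IMAGES:
            continue
        kids = children.get(ps.pid, [])
        crashed = any(
            _name(k.image) == "werfault.exe" and re.search(rf"-p\s+{ps.pid}(?!\d)", k.cmdline)
            for k in kids
        )
        for csc in kids:
            if _name(csc.image) != "csc.exe":
                continue
            m = RESPONSE_FILE_RE.search(csc.cmdline)
            response_file = m.group(1) if m else None
            cvtres = next((c for c in children.get(csc.pid, [])
                           if _name(c.image) == "cvtres.exe"), None)
            findings.append(Finding(
                powershell_pid=ps.pid,
                csc_pid=csc.pid,
                cvtres_pid=cvtres.pid if cvtres else None,
                response_file=response_file,
                execution_policy_bypass=bool(EP_BYPASS_RE.search(ps.cmdline)),
                add_type_layout=bool(response_file and ADD_TYPE_LAYOUT_RE.search(response_file)),
                crashed=crashed,
            ))
    return findings


if __name__ == "__main__":
    for finding in find_compile_chains(EVENTS):
        print(finding)
```

Run on the report's tree it yields a single finding (PowerShell 4892, csc 1792, cvtres 4968) with all three flags set; feeding it a csc.exe whose parent is a build tool rather than a PowerShell host yields nothing, which is the point of keying on the parent rather than on csc.exe alone.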
Network
MITRE ATT&CK Matrix
Downloads

C:\Users\Admin\AppData\Local\Temp\RESB0F5.tmp
  Filesize: 1KB
  MD5: 0edf3fdc30dec9cf6f20393b0679a86e
  SHA1: 0e198fb4b7c40fd1f076014259ffda7e23b10462
  SHA256: 66e80a9959b2af756125e710f9f45e335aabc316da338359f854207909f27064
  SHA512: 9ed5d44f3916237bc79445ce843686c57ba96ccdc41d26dc9c4362c2537498c3523bfd1efc569ea26ccb4f7a2000d57faa3a2ea83c24efc4519da1cf347e4d24

C:\Users\Admin\AppData\Local\Temp\ibzt4dnx\ibzt4dnx.dll
  Filesize: 3KB
  MD5: d121d50e3b72d8a291238ebc0e2f923a
  SHA1: 2db86e4f61d946f3916039fde1732a98b01960bc
  SHA256: 96f64fcef0e4c4a68aa9e79c25eb0d1d6d125f51c392b2c4ce31437eb848aa7b
  SHA512: 8ea9e876dd2e88a35f494beaae76bb4a710a539d6df00546390e50c1939fd566d5ac756a6112683e4c2e42b604ffd9b95f7333a74267ce788691618036f0b642

\??\c:\Users\Admin\AppData\Local\Temp\ibzt4dnx\CSC8D6930ED70074BE8A995F0862522331.TMP
  Filesize: 652B
  MD5: bf082753ead337530c02947204aa5103
  SHA1: 3565be781cab83e7e1edf8e82dc539789432b608
  SHA256: be9fd64db580465ada3a297a55948f32bac2553ff5dbe8ad9fbc249033e0653a
  SHA512: d85b10b1a3577bd24a719b3cf7e9a4b3b580a362cd39522912f09553fffeaa9230ea0a6236a2c968c16934792305ed60176b417d96e159a1a375be47075ad47b

\??\c:\Users\Admin\AppData\Local\Temp\ibzt4dnx\ibzt4dnx.0.cs
  Filesize: 468B
  MD5: 52cc39367c8ed123b15e831e52cbd25f
  SHA1: 497593af41731aedd939d2234d8d117c57a6d726
  SHA256: 5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012
  SHA512: ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

\??\c:\Users\Admin\AppData\Local\Temp\ibzt4dnx\ibzt4dnx.cmdline
  Filesize: 369B
  MD5: 6b6c13b0273f64e0d15e9d7d62c74ce3
  SHA1: 5d2b2d90a5bef3cf8b0395dd1224c72d5a84b84d
  SHA256: e4ce0f75667cb094260970c592ff089281560abe1d4f268875d691e2c83634eb
  SHA512: e47c1f146a5685c6386b360dbb94f4439430d75be33f44da5d9bf27f14c2b4dc5ddb5e5d58eb40035ee06ea60ebebbe771e81e1926d5af30d9cf830c91b2ed47

memory/1792-132-0x0000000000000000-mapping.dmp

memory/4892-130-0x0000019DBF950000-0x0000019DBF972000-memory.dmp
  Filesize: 136KB

memory/4892-131-0x00007FFB5C080000-0x00007FFB5CB41000-memory.dmp
  Filesize: 10.8MB

memory/4968-135-0x0000000000000000-mapping.dmp