1670285f43fbf97e6c53349a9518b7daa4ea147481be976633c1ff39dbc6e09a

General

Target

1670285f43fbf97e6c53349a9518b7daa4ea147481be976633c1ff39dbc6e09a.ps1
Size

2KB
MD5

eef0c8da7ab6b462a56467f39e952836
SHA1

ce494b7212c4d1da3fb6291d796e4718cfaa4338
SHA256

1670285f43fbf97e6c53349a9518b7daa4ea147481be976633c1ff39dbc6e09a
SHA512

b442b165b9c1d33e5071d00e22f863e7d52d20b6032b8df56277a1f5d1220b47fab4c7ed04e5a72b36daae3e3040f35f81cf3f9768307ebc90349f1af95c5213

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1712 4892 WerFault.exe powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4892 powershell.exe
4892 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4892 powershell.exe

pid	pid_target	process	target process
1712	4892	WerFault.exe	powershell.exe

pid	process
4892	powershell.exe
4892	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4892	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

powershell.execsc.exe

description	pid	process	target process
PID 4892 wrote to memory of 1792	4892	powershell.exe	csc.exe
PID 4892 wrote to memory of 1792	4892	powershell.exe	csc.exe
PID 1792 wrote to memory of 4968	1792	csc.exe	cvtres.exe
PID 1792 wrote to memory of 4968	1792	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\1670285f43fbf97e6c53349a9518b7daa4ea147481be976633c1ff39dbc6e09a.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ibzt4dnx\ibzt4dnx.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0F5.tmp" "c:\Users\Admin\AppData\Local\Temp\ibzt4dnx\CSC8D6930ED70074BE8A995F0862522331.TMP"
3⤵
PID:4968

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4892 -s 1648
2⤵
- Program crash
PID:1712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 4892 -ip 4892
1⤵
PID:1084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB0F5.tmp
Filesize
1KB

MD5
0edf3fdc30dec9cf6f20393b0679a86e

SHA1
0e198fb4b7c40fd1f076014259ffda7e23b10462

SHA256
66e80a9959b2af756125e710f9f45e335aabc316da338359f854207909f27064

SHA512
9ed5d44f3916237bc79445ce843686c57ba96ccdc41d26dc9c4362c2537498c3523bfd1efc569ea26ccb4f7a2000d57faa3a2ea83c24efc4519da1cf347e4d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibzt4dnx\ibzt4dnx.dll
Filesize
3KB

MD5
d121d50e3b72d8a291238ebc0e2f923a

SHA1
2db86e4f61d946f3916039fde1732a98b01960bc

SHA256
96f64fcef0e4c4a68aa9e79c25eb0d1d6d125f51c392b2c4ce31437eb848aa7b

SHA512
8ea9e876dd2e88a35f494beaae76bb4a710a539d6df00546390e50c1939fd566d5ac756a6112683e4c2e42b604ffd9b95f7333a74267ce788691618036f0b642

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ibzt4dnx\CSC8D6930ED70074BE8A995F0862522331.TMP
Filesize
652B

MD5
bf082753ead337530c02947204aa5103

SHA1
3565be781cab83e7e1edf8e82dc539789432b608

SHA256
be9fd64db580465ada3a297a55948f32bac2553ff5dbe8ad9fbc249033e0653a

SHA512
d85b10b1a3577bd24a719b3cf7e9a4b3b580a362cd39522912f09553fffeaa9230ea0a6236a2c968c16934792305ed60176b417d96e159a1a375be47075ad47b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ibzt4dnx\ibzt4dnx.0.cs
Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ibzt4dnx\ibzt4dnx.cmdline
Filesize
369B

MD5
6b6c13b0273f64e0d15e9d7d62c74ce3

SHA1
5d2b2d90a5bef3cf8b0395dd1224c72d5a84b84d

SHA256
e4ce0f75667cb094260970c592ff089281560abe1d4f268875d691e2c83634eb

SHA512
e47c1f146a5685c6386b360dbb94f4439430d75be33f44da5d9bf27f14c2b4dc5ddb5e5d58eb40035ee06ea60ebebbe771e81e1926d5af30d9cf830c91b2ed47

Download Submit
memory/1792-132-0x0000000000000000-mapping.dmp

Download
memory/4892-130-0x0000019DBF950000-0x0000019DBF972000-memory.dmp

Filesize
136KB

Download
memory/4892-131-0x00007FFB5C080000-0x00007FFB5CB41000-memory.dmp

Filesize
10.8MB

Download
memory/4968-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads