1da0ce0810952354a5e288a3dd6690338228933c5ff726d317c4748a4322e6dd

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2022 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

weJNgSX4.ps1
Size

3KB
MD5

1fec6fbbfaf055b9f9809e578c9c7d43
SHA1

9b360a23ed930cdaf1a22600fad13adf87a51fef
SHA256

1da0ce0810952354a5e288a3dd6690338228933c5ff726d317c4748a4322e6dd
SHA512

0505ee6f3d6d67367d78f378a11c79d2a325e420bb6fc9bd6912d1c7d7b946aeed3ed45b2d0f7f8c2ae5ce3ea78618c6c1ed237313e8a23f1aa7d940ce22e6ed

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

10 1672 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1672 powershell.exe
1672 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1672 powershell.exe

flow	pid	process
10	1672	powershell.exe

pid	process
1672	powershell.exe
1672	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1672	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

powershell.execsc.exe

description	pid	process	target process
PID 1672 wrote to memory of 384	1672	powershell.exe	csc.exe
PID 1672 wrote to memory of 384	1672	powershell.exe	csc.exe
PID 384 wrote to memory of 4676	384	csc.exe	cvtres.exe
PID 384 wrote to memory of 4676	384	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\weJNgSX4.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qhndu2fw\qhndu2fw.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77A6.tmp" "c:\Users\Admin\AppData\Local\Temp\qhndu2fw\CSC8CC0FB205EFE4EA1A4CD88D44D29BC4.TMP"
3⤵
PID:4676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES77A6.tmp
Filesize
1KB

MD5
354d14e465d00dc7f3d8e9e932000042

SHA1
b58ed4079543b6727b0e76d7e88d4cc6b4ff6926

SHA256
a332403385a85866fb804dbf1ae0a5ef00801318125fc7e606e86542dde1dcac

SHA512
6b34bd31e3da74fed31630843a6ebfcf7bfdb5466e32951c98846461576ba071320bfeccd252db968dafea0e172d219631a056b835e81cdca3752b3c3753ccb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qhndu2fw\qhndu2fw.dll
Filesize
3KB

MD5
e4b1d4f8a5180e73ca3a4b10f69c808a

SHA1
9c9f4f839cd7a9d1593df61f46be07acdfb2a100

SHA256
157c361cdc2814d4833b8f607e28e910e0c0e74f69fa19423485969c20929eea

SHA512
99dbd102e3a197fe6ed27f7801502debb95eefb1b5763e38ef6e2a2d9b0fe4c9e2c08a48c8b1daa337bd7df8ebf4d22c3d763452358e61d83f85b62af38370ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qhndu2fw\CSC8CC0FB205EFE4EA1A4CD88D44D29BC4.TMP
Filesize
652B

MD5
9ca94e428705eabbaed3ed5d9b0b04a6

SHA1
44e64630685b2660d95504b95cf013018a41ba45

SHA256
7a2eca2490dc5346bd3915b1b36842cb25135de9b8d9b22aa13174fc962a26c2

SHA512
94f52f7fdd55f69c32a22707e256881edec269b3270a08f40f4642b02e431be191a80af5a9fad779b94257a2cbfc21eee1efa0f8be57c65a99ff09f72268c60c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qhndu2fw\qhndu2fw.0.cs
Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qhndu2fw\qhndu2fw.cmdline
Filesize
369B

MD5
5631488bf7d9700e00cdc991c3e2a035

SHA1
087048ff40a6909c8dbc1388053c152af5a6cf31

SHA256
b60f4166e7ce59e8b6e97f4deac205fe5c8e57d0c297bbe04592ff69b642c009

SHA512
5fc1a84f364d2d9671b2eed47ca33bc54e8ec196ccd69f0ffd2edf86937e0f4e5b08ffc2478169b958e48a2eb730cf409be9f4c6af77d45af0f87c9affcaff10

Download Submit
memory/384-134-0x0000000000000000-mapping.dmp

Download
memory/1672-132-0x000001C0B9120000-0x000001C0B9142000-memory.dmp

Filesize
136KB

Download
memory/1672-133-0x00007FFBBC960000-0x00007FFBBD421000-memory.dmp

Filesize
10.8MB

Download
memory/1672-141-0x00007FFBBC960000-0x00007FFBBD421000-memory.dmp

Filesize
10.8MB

Download
memory/4676-137-0x0000000000000000-mapping.dmp

Download