454add1bfdc98b944ed97984f1771ec09c9a4c869e3fb6936573d0db8a83ac30

Analysis

max time kernel
138s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2022 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ZyLuMsm.ps1
Size

3KB
MD5

236285a8cc63669302f69d8087edb66e
SHA1

8581592c092100505a15f701697584809cf33ccf
SHA256

454add1bfdc98b944ed97984f1771ec09c9a4c869e3fb6936573d0db8a83ac30
SHA512

c36bb0f60610531b4d6704baeb193fce0ad97f4915e02a2a17daa54a12ffd4777c5ac2240fe00ede18b82da92afa263ae364e0dfbae9abbb0152ed33cfc7e088

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

12 1868 powershell.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1868 powershell.exe
1868 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1868 powershell.exe

flow	pid	process
12	1868	powershell.exe

pid	process
1868	powershell.exe
1868	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1868	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

powershell.execsc.exe

description	pid	process	target process
PID 1868 wrote to memory of 4264	1868	powershell.exe	csc.exe
PID 1868 wrote to memory of 4264	1868	powershell.exe	csc.exe
PID 4264 wrote to memory of 4944	4264	csc.exe	cvtres.exe
PID 4264 wrote to memory of 4944	4264	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0ZyLuMsm.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cqex552q\cqex552q.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA36.tmp" "c:\Users\Admin\AppData\Local\Temp\cqex552q\CSC6D78DA0B81F949F293ACA0A6D848C1A.TMP"
3⤵
PID:4944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEA36.tmp
Filesize
1KB

MD5
b3a6f2c5fdacd6bdde26a1eae284ee4f

SHA1
7bb5cc3ce95ffc0c7bf3250d17ae184e4ef89565

SHA256
6830d87a3ed6069d583b5a50122f3dc4f502e93c18a0e8ddae34d2faaffab32f

SHA512
a32fb7c0a7bb3bfb4ef105d80784df3f8e6dad88ba6ed464ae266322a5ddfa9e76cb45b2fcf43df81cd5ea3a1848926ba9a338148f4b8c53aadcf814aca6ccfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqex552q\cqex552q.dll
Filesize
3KB

MD5
9f985e2bdf5815da5a8b701282bd6431

SHA1
862be63e20e049d07d5c86498ead200e2a9dcd62

SHA256
7bc60b38efdb0b7a1119720ce47b6173bf44a5360efba138619a0e7368c0dfae

SHA512
34708a7761c1203e264b39d1a4cca2db91fb639d8f8492b06ef6a6be0ba1c1a0b180a8e2249812594ad63055466af0ff110794ba37785d5d5aac31c6eeb531f1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cqex552q\CSC6D78DA0B81F949F293ACA0A6D848C1A.TMP
Filesize
652B

MD5
7b34a400c18b00c5622d456ac4960730

SHA1
09d8a8ab2337807c1059810ea9a190c842606e4f

SHA256
17e96f1114eb8d9d581e135338283a6d1087773172634c8aefbf8f86a175e477

SHA512
81080c5bc96f5825db9d24128efdb4e4a4db7312c4272bfd5b607584d2112971472841377fa9a202bf6a2f8eef18895d0e72642d97ec591d7ad18817341b4e1f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cqex552q\cqex552q.0.cs
Filesize
468B

MD5
52cc39367c8ed123b15e831e52cbd25f

SHA1
497593af41731aedd939d2234d8d117c57a6d726

SHA256
5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012

SHA512
ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cqex552q\cqex552q.cmdline
Filesize
369B

MD5
18709a48108b1d20f176df808ee2c274

SHA1
a22cc0b2e052c95f8226c0ef22c0d3304381b809

SHA256
15cd8628e483451afa93de4c31ba2ee18ed0d535a546d6b1af5ee637139461f1

SHA512
7d120635257f898b2c2aa0f62e8ad0b6efd46488fafb6a1f0bd28b344a7beefbc358923537825561e9697034d950cc1de1a1b1472ad067bf53e2762c1b893f5c

Download Submit
memory/1868-132-0x00000207DBAA0000-0x00000207DBAC2000-memory.dmp

Filesize
136KB

Download
memory/1868-133-0x00007FFC9FA40000-0x00007FFCA0501000-memory.dmp

Filesize
10.8MB

Download
memory/1868-141-0x00007FFC9FA40000-0x00007FFCA0501000-memory.dmp

Filesize
10.8MB

Download
memory/4264-134-0x0000000000000000-mapping.dmp

Download
memory/4944-137-0x0000000000000000-mapping.dmp

Download