e9a1ce3417838013412f81425ef74a37608754586722e00cacb333ba88eb9aa7

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/09/2022, 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lkndwsjds.ps1
Size

1.6MB
MD5

43b8002185775160d5b83de4a210dd35
SHA1

62202c63aeef127ba0fb2c3ba1011d5f57b7bd61
SHA256

9251fb4f0360db6cd155676c3abf99a5dcfb8b2de560a43ef36d9eec7718f987
SHA512

f9bb592c7068e9a5f437b200548fb3edca4e889ac0eba7a9ddc9d2f1797cfa473848ddf2636f38ec205a625df40561e9998e89e6682a5abf3a6b399455186f9e
SSDEEP

24576:cCrxYbz4x5sfmFGtW4FnXVROmygccvaP0iP3:krUGtbXDOnB8I

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
948	powershell.exe
948	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	948	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 936	948	powershell.exe	29
PID 948 wrote to memory of 936	948	powershell.exe	29
PID 948 wrote to memory of 936	948	powershell.exe	29
PID 936 wrote to memory of 1360	936	csc.exe	30
PID 936 wrote to memory of 1360	936	csc.exe	30
PID 936 wrote to memory of 1360	936	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\lkndwsjds.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qqpmguz8.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDF0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFDEF.tmp"
    3⤵
    PID:1360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFDF0.tmp

Filesize
1KB

MD5
bd650b1d04b1bf4d2b4a6e47fa4c7447

SHA1
a91bbd5f6a074707493d7d2fa924b0b2cf5b47ce

SHA256
89b6ec60594c7b71c770d760174df4527d5cf6ed0994b0aa2be6ad55c9ac26e0

SHA512
0025a529dd958b8eafd7039861695ad1aeb4339f72e5f21f6b04018713f76b8e9321030faae66f21e3195613073d9588a398735aeb2955e2c6140c3b3be08122

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqpmguz8.dll

Filesize
3KB

MD5
54bc1acd3f099efc609b11696202382a

SHA1
69f9e2492ac33fc6ab019398e94fd4a53021f9b2

SHA256
8df011d25f3651bee1edc34c9d62c57d84cff537b69e6f5b93811364383f415e

SHA512
2dfd804b3535ab808b6f380d56105cb0f28208e27ca8029df506b64145e7ff891caca2364c38bc287e5cb66ba7b94b5dc0005b0b2f1075fa5631d501130098ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqpmguz8.pdb

Filesize
7KB

MD5
a8ed1428d777e300c0d304bf0b332d0d

SHA1
db7cfe7c3eb13f8fff6eae1a7e9940a59140f6f2

SHA256
e26a487070872c050e21302982968b9f5ffe54a296092b7028bdc35fb43c5e0d

SHA512
3ff350bc1f5fc8879b0876994a36d38b68909117bda6f4f77ba2b2063a4a1159ec7ef75f9583aed6f41dfbf5de24805650f139e5310f155a9ec338f054f3d50b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFDEF.tmp

Filesize
652B

MD5
fa142b3e98a72d3ac179aeb8ab3af7cc

SHA1
6832ff6254f181fbf32a94094048e20569cca753

SHA256
3fc6afca20cd39baee1e177d1c2c98e2a37b0feaacf54a10bca60be52a0264b4

SHA512
fd02d69e31c063beb813ff1f6c31ea2600c311c2eb28f4266d8b19dc3109d1abe56b400c88c98e5e26ee725c7a51a9195bcac30fb15e56bf4af1d21a33e521e7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qqpmguz8.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qqpmguz8.cmdline

Filesize
309B

MD5
169f9e89836ac868294d25e7bf9c4ba5

SHA1
61f82197c01458eae606d35a2e75b6096ec07563

SHA256
ee08de46d77916f44b35445e39e51126fd9a78bda357c714b64f86556c0c846a

SHA512
e99adeb63eebe075ad7b316b27359dc48657c7dd01809e10f87391ca58ac5eebaa505a0569c1572860d5a3d4e7cc36794f15e674244156f93ebf11b4b3ebf817

Download Submit
memory/948-54-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

Filesize
8KB

Download
memory/948-55-0x000007FEF3E90000-0x000007FEF48B3000-memory.dmp

Filesize
10.1MB

Download
memory/948-56-0x000007FEF3330000-0x000007FEF3E8D000-memory.dmp

Filesize
11.4MB

Download
memory/948-57-0x0000000002270000-0x00000000022F0000-memory.dmp

Filesize
512KB

Download