5ed52adc7ba7bdbf9c02b91ac16578e482599f4dff489f28b714451e3d8ce644

Analysis

max time kernel
115s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10/10/2022, 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iwbr.ps1
Size

15KB
MD5

a9a4b819279f4a93856fa5fc3fbf19f5
SHA1

1d2f94b160cbaed8ac0dd0eada5e2f38ec38e0d4
SHA256

5ed52adc7ba7bdbf9c02b91ac16578e482599f4dff489f28b714451e3d8ce644
SHA512

1656926712a63f9eadb4a98837341b5110a5062e7116a72d0406f14a4942a19ceb0eb87a279fcacac1cae24521fc177f67ef6ec6b33053185411ff91af67d189
SSDEEP

384:FnjjLZk7YUqbULvpZ/P8kH2qEy0rPard62F:JJ+N/lEy066M

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1508	powershell.exe
1508	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 1780	1508	powershell.exe	27
PID 1508 wrote to memory of 1780	1508	powershell.exe	27
PID 1508 wrote to memory of 1780	1508	powershell.exe	27
PID 1780 wrote to memory of 768	1780	csc.exe	28
PID 1780 wrote to memory of 768	1780	csc.exe	28
PID 1780 wrote to memory of 768	1780	csc.exe	28

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\iwbr.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\suaft4os.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7BC6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7BB6.tmp"
    3⤵
    PID:768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7BC6.tmp

Filesize
1KB

MD5
0caf33cc2f575b3847bfff746637eef6

SHA1
2428e9007c9895d2584de9dfc8885e71a795ebb4

SHA256
92d096ec306914efb580c10c8beed6a056d72c7851ec574d0fead2cce3c5703d

SHA512
d5f243873c6c792dd8bb0fe36be2530d44f1b7bfaf939cce6719e898a2b865e6d6b816d3cb42487c581eddb3d4b7ccb3f40e1b34cbd948dd3db7f4dd4bf5a0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\suaft4os.dll

Filesize
3KB

MD5
2304192cfd01af84dd92f6f8f1b8ac8b

SHA1
3c946be13ecd8ea5707027a4e5c399897a605679

SHA256
670201982dd09f2fd0574b2def3b0571071cee3ec69fad774ee590d4e003b303

SHA512
8ef2915d1810cd039045ab8efe67871f400a70f29eaf0fbe1694676e084e6f0a586958be97d4531eb1cc65471e890a4a8945268dc8fe08c05e16bb0a95652f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\suaft4os.pdb

Filesize
7KB

MD5
a670b7d459c6cd4ef2019d6918f9af3b

SHA1
5742adfd7d7f14d38d2b1555fbc58d7af623f9ba

SHA256
1a17ad9fe72383d4a8df9f3205a447a3d8451b9e3a08e425c2a70d778da598eb

SHA512
76f3290b259bc375009a227a98d02d5cc46d7dd9ffa5fde3cdb1e199baa82cd63e3b5c7c4491b4b0f42b97d4cd7e26c21bc17a45e430a9b7c1d4290bd69d39cd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7BB6.tmp

Filesize
652B

MD5
f3d720a53c36748e645fd295675d207c

SHA1
fa2c5e659ccb5c126ad5368829eb5d6cb42ee54a

SHA256
9f55bdbc470ef7c34f653469055b86cdba0c4ac9acce7c55aca93605f185ece1

SHA512
93774deb7810017e40f8e3bfee1cc404b411a3fcfc3272415adf7a02da871d737b0a06f445eb014241024d08aa585e5eaad00d343726dc6fa1d0d039aacd4a19

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\suaft4os.0.cs

Filesize
203B

MD5
171a88ab4fad87acfd2e5032eb0c6113

SHA1
754de0e7656c558d335710fc41cbf196d39c1a19

SHA256
5473b5550a65171ee7d5977d673c97e41e9ec16fad10ec5ab8aa3b7c798577a6

SHA512
87ef6ac53a00d21f2df4d81ec5956861a4b539b10f5855345aa068c0d9d971f3329477e485471eb40b9eeea59f01fd3c42c4ab2f25e71d825cbf3586be0206b8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\suaft4os.cmdline

Filesize
309B

MD5
5792b211cc400be8a55826c59715304d

SHA1
33a3da03d019582e5b7375c053f82de5a7c7b567

SHA256
55e7c54ba87f59ff40ca28951dcaa126a257372d63d7fae17e50c9f565e7336d

SHA512
5e4f0f72d5c78d0cd71b16225dfb5cb2001410b6e0e8da8f53ff3a1d8266bbcb8b7f1a2920021cc1f42531d45989e1ca6c202f1191c23f7edbeac3f73aff7560

Download Submit
memory/1508-54-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp

Filesize
8KB

Download
memory/1508-61-0x000000000263B000-0x000000000265A000-memory.dmp

Filesize
124KB

Download
memory/1508-57-0x0000000002634000-0x0000000002637000-memory.dmp

Filesize
12KB

Download
memory/1508-56-0x000007FEF28B0000-0x000007FEF340D000-memory.dmp

Filesize
11.4MB

Download
memory/1508-55-0x000007FEF3410000-0x000007FEF3E33000-memory.dmp

Filesize
10.1MB

Download
memory/1508-67-0x0000000002634000-0x0000000002637000-memory.dmp

Filesize
12KB

Download
memory/1508-68-0x000000000263B000-0x000000000265A000-memory.dmp

Filesize
124KB

Download