7d5337ef04ddabac61a5f3dae4a9fdf17c6d0b64f1a1b5ae0b07b6bbc0bcbd9e

Analysis

max time kernel
28s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-02-2023 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

req.ps1
Size

2.2MB
MD5

19bdf3110168f2ac48c599fac9e03e23
SHA1

c8ab417929970ae032cf6fede8743f829847d75f
SHA256

7d5337ef04ddabac61a5f3dae4a9fdf17c6d0b64f1a1b5ae0b07b6bbc0bcbd9e
SHA512

dbfd9d9c4a9c94024cf53a30c5041c1973e845100c214a04930d38cc895f6e81dda096a695140cb23a888f648334ba4d26a9abd5346c966b3df25c5828956be0
SSDEEP

24576:itC5Ja7ybVCbyfQCQfXk/SGv8raPHRJ4LtbgnuSW0v7wmlQccDjT96KjIM:iZQQCgcSM433DDwO

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1972	powershell.exe
1972	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1932	1972	powershell.exe	29
PID 1972 wrote to memory of 1932	1972	powershell.exe	29
PID 1972 wrote to memory of 1932	1972	powershell.exe	29
PID 1932 wrote to memory of 1456	1932	csc.exe	30
PID 1932 wrote to memory of 1456	1932	csc.exe	30
PID 1932 wrote to memory of 1456	1932	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\req.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hapn7htc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A85.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1A84.tmp"
    3⤵
    PID:1456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1A85.tmp

Filesize
1KB

MD5
7158b9b6e38b287e3424ccffa62dd51f

SHA1
fcab3ceec1fea3c37cebc63e833bf9f43b1c2784

SHA256
aa7c3f08e849e452e8f1b9ebfb5b0dbb19751dbb54e83f867fdd7cc5aee523b8

SHA512
ba64c48e69bbdef276adbc0b1b59f5ad16d5b1172adb856ff792436bb3d2fbaadb6d1283cbe0cdcc844d61dc69dc73e006f7a40499e77ac9901213d356712b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\hapn7htc.dll

Filesize
3KB

MD5
541f22eed7e519d077d357060b248a60

SHA1
9d755b6586c5b01a0ba758234b5ce705c1c8c81f

SHA256
18cc673b0c89f87b5acfd3d135766dd0685e8c518a91e04d51601877c5069c55

SHA512
f21d2f48bf83c9a820ea877d68f556f7f22313cd153a9d7da3cb39b7c8918cdc060112234a7b2f2988f407d33149f1027d19733f9f1f9fb8a95a7ac136a60d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\hapn7htc.pdb

Filesize
7KB

MD5
c387fee8e27d4693b7abdf1de9303d93

SHA1
32e7f0286c60ed3dc6588d76d4f5a208ef164e16

SHA256
8ed49f023c2e0de256c22ea410d3169314ad89ba680925812a09b8ce17bfb309

SHA512
a8c5582a72ad74782f77a150975526fb8288e5bf8e6c4f36cdc8c465f1d5caeaccabf7478ffc6b4f58a0a62cf8ab134450ab39c534b79a3b72ac1556b8e8bda5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1A84.tmp

Filesize
652B

MD5
c45269ded74c7fdadf0cce4d2f49b88d

SHA1
6dddc1000d4a601ca0b847ab2a57352fcdc118b4

SHA256
9570d0a9ec61f17dbf5b6f7614c06c167333e8f1018e31bab5d2b87ae0f08437

SHA512
e4aee14c5e69979c25a877cfa6d3eb086221bf405b4115a3cf3e4882f40d30c13eeeec30da399d1e63f7be785a35cf00c0ff4d267dd938df4a32680bfa5f3809

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hapn7htc.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hapn7htc.cmdline

Filesize
309B

MD5
c5276d3e862af9216afc06e7f5c93f65

SHA1
71884403d1caf9444c1c3b2ed1f27a1dba553bc3

SHA256
11ac20cd60fee682ea3ec07a3252f64cbfdb21ed63ccccb157fe740dd725da05

SHA512
27135797b18978c12be21c4e30ffcf681ec7f39702ecc3954dd14ace84ff208e6e8c837e9e97b00d194f66e905db2f5a4a569e3ce580b6f30080ba5f283d035c

Download Submit
memory/1972-58-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/1972-62-0x00000000023A0000-0x0000000002420000-memory.dmp

Filesize
512KB

Download
memory/1972-61-0x00000000023A0000-0x0000000002420000-memory.dmp

Filesize
512KB

Download
memory/1972-60-0x00000000023A0000-0x0000000002420000-memory.dmp

Filesize
512KB

Download
memory/1972-76-0x000000001B210000-0x000000001B218000-memory.dmp

Filesize
32KB

Download
memory/1972-59-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/1972-79-0x00000000023AB000-0x00000000023E2000-memory.dmp

Filesize
220KB

Download