b6d05d8f7f1f946806cd70f18f8b6af1b033900cfaa4ab7b7361b19696be9259

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-02-2023 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

documents.ps1
Size

2.2MB
MD5

fcdf0ba1ce0384e1a55a9191d2761da0
SHA1

4454a27ff9f40d54231820f2b3352f55556c0533
SHA256

b6d05d8f7f1f946806cd70f18f8b6af1b033900cfaa4ab7b7361b19696be9259
SHA512

9c850cbb4e03715d392f01ae6c7916c4479e01e812040ba1ae5033a36bbfeea073c075c1eb05febc9a16d8d4c98b0e9f32d3c883739ad0bdb163945fe280fa11
SSDEEP

24576:4q2pALU9NJAWAdsCR7RIuXAxXgP0WEY/2DwF/mxUrF0ExGyP:SA4nJAlkfg9iG/1xb

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1736	powershell.exe
1736	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 472	1736	powershell.exe	28
PID 1736 wrote to memory of 472	1736	powershell.exe	28
PID 1736 wrote to memory of 472	1736	powershell.exe	28
PID 472 wrote to memory of 572	472	csc.exe	29
PID 472 wrote to memory of 572	472	csc.exe	29
PID 472 wrote to memory of 572	472	csc.exe	29

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\documents.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vnsyri8f.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:472
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES254E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC254D.tmp"
    3⤵
    PID:572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES254E.tmp

Filesize
1KB

MD5
ae0209671cce14ab013d9a1711eb9284

SHA1
f8e2fc51d36564826186af1f379eb9601043f880

SHA256
7a428c3ce12434f9d0d2914f424e2eb6e3ac50b8880297efe69fc262919a1487

SHA512
6e15c13e33dd89cc725e921c2cc04830fb2e05dc2ebd7e130ff413edc65f8bb18d3798da9b97ba2873baf8dca2fb9175780e107687a5f3f142c4069fb3517b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnsyri8f.dll

Filesize
3KB

MD5
020d668748b4b867500a6c32923d00ea

SHA1
5eefd26a966b1f351683fe3d5293affbad155e9c

SHA256
3ede9c972086598887fedaa1716b61b51d4378ad688a5566c3b3dca1f59bc33a

SHA512
ba9a86a6cc755d785627bb57b84d9747f92670b2a65a37609f05b35162e9d2db37ed8f067f71c4e72eca963f54964bf99577f65b5f400301b3bb13c58b869463

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnsyri8f.pdb

Filesize
7KB

MD5
c9544a9f5da952f41a14f38b08cde31b

SHA1
9895a5af9a391146ef128ce0fa47e22ce38e41f1

SHA256
1e465e364e259d4109ac89348c4f0e528509a91ac33fdd98b1c0ac2d620350ca

SHA512
d65effee2afedba1038a7d1f226d00399d2ed06efc032d427f340b43d7900be223871e3a5a51ad9a439b9bbcd067a2f06818005e4a0771ba90bf07cabb7b8415

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC254D.tmp

Filesize
652B

MD5
921c363de3678f3c3ae201f5c09c3e8d

SHA1
7bfc5ab7e4492321ff7091bd1e406088743699f5

SHA256
3cedac2e7f16bfd5982627214af987056b82fbb01d8aba7ec6a14261e75c0dc8

SHA512
3032db4b44517f23d4309ae389053fc13b54715c479044ca50f2ef6a9b440773d0d3e42f43a53c04f6311da95c9b9733ae9adebd6185b260e80f168caa4248c3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vnsyri8f.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vnsyri8f.cmdline

Filesize
309B

MD5
70311252e0edb9f2068fff4878d4070a

SHA1
90e980edaa994b2d0571bf787d51b997af36b7a0

SHA256
15ea64a2f93dceeb7e626050843d53d89cc90426ffa951b5a5cbb97144ac4154

SHA512
6c0a85eb04c59e3fadd3dac17517b53bed1a166104c8f9bfb2b1d5f8ec9792036738157ddf6599b61138b1010d1cc9f76a5f056318a453b4641b76b824d2f057

Download Submit
memory/1736-58-0x000000001B1C0000-0x000000001B4A2000-memory.dmp

Filesize
2.9MB

Download
memory/1736-62-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/1736-61-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/1736-60-0x00000000024F0000-0x0000000002570000-memory.dmp

Filesize
512KB

Download
memory/1736-76-0x000000001B0D0000-0x000000001B0D8000-memory.dmp

Filesize
32KB

Download
memory/1736-59-0x0000000002570000-0x0000000002578000-memory.dmp

Filesize
32KB

Download
memory/1736-79-0x00000000024FB000-0x0000000002532000-memory.dmp

Filesize
220KB

Download