4b7bd61d8985e4bda823bed25986c52da45cf519b04661980db35060ae5ca3b1

Analysis

max time kernel
29s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-02-2023 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

documents.ps1
Size

1.1MB
MD5

b4a6a5b0288f7b644091dd82b537999f
SHA1

c4764431b56e9c59b13496e4ab11209633604128
SHA256

4b7bd61d8985e4bda823bed25986c52da45cf519b04661980db35060ae5ca3b1
SHA512

20673f83f887b96ca0701b6673d146b0c486f60a9b5c56b0a7de2a55f4a19468350ca86eb35fb0bd5bc4b599757fcf2fa2c04730a8b4a21ae6acb3bfa9c4cb1a
SSDEEP

24576:BTwzO2B32tGRDSrH+KxAvjncxPteQcE8Z5pa2Oz9WabsKqRasT/TyMNY:DbbKgPIQSrPOxhsKszWgY

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2032	powershell.exe
2032	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 332	2032	powershell.exe	28
PID 2032 wrote to memory of 332	2032	powershell.exe	28
PID 2032 wrote to memory of 332	2032	powershell.exe	28
PID 332 wrote to memory of 1664	332	csc.exe	29
PID 332 wrote to memory of 1664	332	csc.exe	29
PID 332 wrote to memory of 1664	332	csc.exe	29

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\documents.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wbe4enfz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4230.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC422F.tmp"
    3⤵
    PID:1664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4230.tmp

Filesize
1KB

MD5
8ca59275ab213e98060a34ee78f8251b

SHA1
9647f23e5fcbe0b2a19915585425c7beb8856dce

SHA256
24b3901ca27de3cd20d1ddc764259eb8e31f871785d35de65927e8496475126e

SHA512
25f0f88ec3a4d9db0b81b48af9e7852119d7f901ef817960d9fd0ce5fcd555ae6aa861d0d6fc1501bfbcb95d83c95d22c666642f673bab0dbf242abbc9477bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wbe4enfz.dll

Filesize
3KB

MD5
3cc622c7027e6ec6166dd1dba7cca8dd

SHA1
658ff698b5c009e695438f94477d39c88bbde160

SHA256
98d44f86efc2e608808c3f15e0fe67b15c6e40d10acf46ce5956d2cb4f58e9b2

SHA512
2a1f910d999ada830a3b9b942efe54fa8d83fead6a24c9aa90d0a4ac598bccf1bd769cfb667cd8d0ce12311f1462b6dd78c7b38f46dd341f6188ac9e063a0fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\wbe4enfz.pdb

Filesize
7KB

MD5
17c5d3eb762385bcd971c228830fb78e

SHA1
2e4011b01e5885897fce3ee0545a5459f6d07dc3

SHA256
fb605e16d8e9e003b49ced7b63ac39c733d8d6bab928e001d0c5b21a58e91307

SHA512
0382e3bbb5656d6869eaec9cd82faaf1fbe2294467735204f61c49a4e78a44c0d976bf92cb49108d3b93edb29086d88b994e9b89db065e4fcbabf9e49787c8ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC422F.tmp

Filesize
652B

MD5
9b97d3105da321d9e5f60d1828e96d6c

SHA1
e13e357b0f8d4094507042b9e42ed712562585b2

SHA256
700844893b04030be9c9e4b9908ee335841f70f6b39547cc3186debd70160503

SHA512
0ae5e5516f561e8cefc1d22bb578f573ad08459d82a61504c9005bfc4505c34536bd022f1e57d00a6daacbfa8ccf370de2c9256ed1c04537262437bc0479f0bf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wbe4enfz.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wbe4enfz.cmdline

Filesize
309B

MD5
a52914e5e73a9471857faf26f159149f

SHA1
d579d4de5f9641f3c5cfbd1409cc466285906417

SHA256
5a74af5a61b2da1c1297ddbb98d73998c90635a6cd8646d634ccf43f313b9c5f

SHA512
d9aec6cee8fdcf12b5c0539b46af33e70c6b3261e3b4a41cb1d5e79e4894df4bae6ad9955af0bcba9106ec550fa99bd9aeaf2012f02e228f000ca5c96815ecf5

Download Submit
memory/2032-58-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

Filesize
2.9MB

Download
memory/2032-73-0x0000000002A30000-0x0000000002A38000-memory.dmp

Filesize
32KB

Download
memory/2032-59-0x00000000025E0000-0x00000000025E8000-memory.dmp

Filesize
32KB

Download
memory/2032-76-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2032-77-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2032-78-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2032-79-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download