0ba8f658d5e820155f0cd63d4803843a55a8298f23d4e5c5a8a00a72f4b99aae

Analysis

max time kernel
27s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-02-2023 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

porc.ps1
Size

2.2MB
MD5

bcb9a789e65a2cae71bd1c3d0cb46f39
SHA1

a8160d88ffb19f038709478d8ae44d06f59803d3
SHA256

0ba8f658d5e820155f0cd63d4803843a55a8298f23d4e5c5a8a00a72f4b99aae
SHA512

cf09c45a41432c7dccb31d0a9861bde7a646a07f6017e2067093da828277aa7ba5ecea1dcd21ece75ba0cd0a9b974e8e94acfb0c0ce68615ddccaeb00f04d1ce
SSDEEP

24576:UFva7yGVSb9fQOF+Xx/RGv8FKPtRK4stbfnuV00t71my5HsDjT6y7i9n:PKQOs5Rr4CAuDP7O

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1148	powershell.exe
1148	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1148	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 272	1148	powershell.exe	29
PID 1148 wrote to memory of 272	1148	powershell.exe	29
PID 1148 wrote to memory of 272	1148	powershell.exe	29
PID 272 wrote to memory of 468	272	csc.exe	30
PID 272 wrote to memory of 468	272	csc.exe	30
PID 272 wrote to memory of 468	272	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\porc.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hel5wvak.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:272
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES194D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC194C.tmp"
    3⤵
    PID:468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES194D.tmp

Filesize
1KB

MD5
80cb66be31d27b566b08d2afea9e10d6

SHA1
54993d0117e11a6b5a7493a9e6f6f7179a8dd572

SHA256
2c006adcb7b1aee12ed055e362740e9356580b60333ab41df8872cd69bc97b22

SHA512
56d36a0b066176bf1c6bfa3517af85fbb70401a781e32bae93e0a936e9a6f6ac3b0a56e16260569b2846dea7aadf7f874a7789f769a10ce4f10a21bf3b907e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hel5wvak.dll

Filesize
3KB

MD5
21c97068a18d605ec44b2d503b40ac0c

SHA1
3a88c1bbf9fae91d95c687a01ccf12df15ec9d6d

SHA256
001679d3a7fc4cc7cb4b5273d811f14e9c11986abbeded8284f9bdc91716aa3b

SHA512
8a99f8f04c29fcb62a7a85a40b226cf343b5e417a3ca63f78fac5734dc80a2bcbec3042b423f40757e9724e385421b6decd6d792a32eebe9a9a50b80aad82a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hel5wvak.pdb

Filesize
7KB

MD5
43113f1ff50f69598bd4bdd670d3835b

SHA1
a0ffb30d696afa117717ba8a5847b81a956dbc68

SHA256
0878aa2a6ecc0d0d2d1c8fa1cd814aea487291402c8b86b7d8db1f8f5510d097

SHA512
a527f7e0f13be4c6b1eec437615fc520f3760fed2c13723e36200203b4bf2d4d2805cc8a47365f307b935f9b954d7e6ddef1d96fa57bca1e823b25d3d96dc5bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC194C.tmp

Filesize
652B

MD5
073e816cae2a57ac994a4280b1b9035a

SHA1
743efda333f60b793ac17fe666d09b3bd96f508f

SHA256
a07c6c8219194738aa903dac05be708a1d9a12ff8c81422179097642a8c75f99

SHA512
27c73f4f461d2d6a9c9178b2e7f3e4e99d5c87adc274bc658d9dc68fdfc6e0270f5b9dc55475c526dd7b22a722c5e0400f992009603a7788480d75bfb8168a3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hel5wvak.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hel5wvak.cmdline

Filesize
309B

MD5
b2844e5f777d9f1333cefb182b5e747a

SHA1
d47a26d56f293d4fbbc16ac131cd9452ecd9932e

SHA256
3964ae78d4261266b69adb4d0089a0a66ab8e6d9c1180804d7ed49c632806261

SHA512
5f9c7d052f5a63d30bba99c19c079fd3591868512544b21ddb8d64992b47b9bfb35f6863d9d34b0989aa330e31bb64dc5e93c2431cda1487f09c82b33e866a9f

Download Submit
memory/1148-58-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download
memory/1148-63-0x0000000002380000-0x0000000002400000-memory.dmp

Filesize
512KB

Download
memory/1148-62-0x0000000002380000-0x0000000002400000-memory.dmp

Filesize
512KB

Download
memory/1148-61-0x0000000002380000-0x0000000002400000-memory.dmp

Filesize
512KB

Download
memory/1148-60-0x0000000002380000-0x0000000002400000-memory.dmp

Filesize
512KB

Download
memory/1148-77-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/1148-59-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download