7d5337ef04ddabac61a5f3dae4a9fdf17c6d0b64f1a1b5ae0b07b6bbc0bcbd9e

Analysis

max time kernel
29s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-02-2023 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19bdf3110168f2ac48c599fac9e03e23.ps1
Size

2.2MB
MD5

19bdf3110168f2ac48c599fac9e03e23
SHA1

c8ab417929970ae032cf6fede8743f829847d75f
SHA256

7d5337ef04ddabac61a5f3dae4a9fdf17c6d0b64f1a1b5ae0b07b6bbc0bcbd9e
SHA512

dbfd9d9c4a9c94024cf53a30c5041c1973e845100c214a04930d38cc895f6e81dda096a695140cb23a888f648334ba4d26a9abd5346c966b3df25c5828956be0
SSDEEP

24576:itC5Ja7ybVCbyfQCQfXk/SGv8raPHRJ4LtbgnuSW0v7wmlQccDjT96KjIM:iZQQCgcSM433DDwO

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1264	powershell.exe
1264	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1264	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 376	1264	powershell.exe	28
PID 1264 wrote to memory of 376	1264	powershell.exe	28
PID 1264 wrote to memory of 376	1264	powershell.exe	28
PID 376 wrote to memory of 548	376	csc.exe	29
PID 376 wrote to memory of 548	376	csc.exe	29
PID 376 wrote to memory of 548	376	csc.exe	29

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\19bdf3110168f2ac48c599fac9e03e23.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bgpqnr__.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES23E7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC23E6.tmp"
    3⤵
    PID:548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES23E7.tmp

Filesize
1KB

MD5
3550024b7dde5dff63a5715d69942b7c

SHA1
bf82e97e8e1a59fa14a71f2d3ce80a9f7f14e6a6

SHA256
c8b7d35a2f36ce261877e6b24fad58b706b5f4201eddb693c806604b267d8b15

SHA512
ba9c325439b36bd2c46f114a6dfc2df8564a36455c9a0e4a56c66ee3507b9306835aeb0ef812baff95f0d8963631fa5ec36c8b24cff4ee2680b2fd11801f3801

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgpqnr__.dll

Filesize
3KB

MD5
43b9a85cdf91525860c6b9ff17e8b51a

SHA1
a0e70d092f40dd267a305342a19eb4a963da59f9

SHA256
635876d3dc74968ca977894a294e8a62b44f69f3e35685f89a87f88100c6ce88

SHA512
ea43cac37b72dcc5c74a83be4e030144ee445c47d0fd2c505523bddceaaf90eb39c21157f749b57a3756c475fd8fa5ca7fd10520af9a3a7ab779b77d76a101a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgpqnr__.pdb

Filesize
7KB

MD5
423ebef3c61753570a60c56e628c44cb

SHA1
cd034ab797fc8d7dccd481cec9ae9ec246084439

SHA256
d0bd389d37858b576fce76dec8ef36654951249daa6b379c3dd8355cd2d2843b

SHA512
e82f3a6195318abdb190ba6299b1c9b4cbda716c64f79a306420b40f331f9dde86d4a7a52ab38bf786eff08556c59d9083ccdd341fe35b2539da6033792fb484

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC23E6.tmp

Filesize
652B

MD5
132adc5e3462c83d13cab81a493cd70c

SHA1
a1b1cbaf4fef5f438065414a9792ffb960d73c0d

SHA256
1d5cd14014cd02c74b49c78c205cf677f81fee24d19740096df08b70acfe2df6

SHA512
180c822f98af1dba032d90d19ffd275c95a2fbc3baacce72d86878b1945dfd3f8403bdef193e495d310ba1d8031b3cf294a503f00038f656b45f2d53e0a17139

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bgpqnr__.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bgpqnr__.cmdline

Filesize
309B

MD5
87b791a0c42261c5e577b9160ffb8945

SHA1
bf6a0c32ebe6a1c0b9bf3395b0df507045eb2e17

SHA256
3a17efb1eff1685568b1e0ac9312f6f6326f0be4a94f6e022cb183843c6fe89e

SHA512
f83469e7516fdd367c5c85738366ec0eeb20e926a3ec1d35a042dd60ec681a11d8ab322b56cc7c42f87007deffcf373da71186cfcdfc934c93f5d65f7ee0245a

Download Submit
memory/1264-58-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/1264-59-0x0000000001F30000-0x0000000001F38000-memory.dmp

Filesize
32KB

Download
memory/1264-73-0x0000000002580000-0x0000000002588000-memory.dmp

Filesize
32KB

Download
memory/1264-76-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/1264-77-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/1264-78-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download