80d020c39f28074fc1e77e318da978be7d7c189c7a57c6e5d9bd178ec0bd8840

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2023, 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

keys.ps1
Size

2KB
MD5

9fa70ab5fa575384923f06520bb33cc9
SHA1

f90c1cc59fa27ca94550a658b7c8eb8a3ba7bcd0
SHA256

80d020c39f28074fc1e77e318da978be7d7c189c7a57c6e5d9bd178ec0bd8840
SHA512

b7a8b3d355c3612bef555e5e1d1b50e0450afd8507c879053bf036adef17b8ea09f8faef6d4db7c41deba181a0f3c24a86a58e383b3d19a6d67ad99ef7b68df4

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4920	powershell.exe
4920	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4920	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 896	4920	powershell.exe	86
PID 4920 wrote to memory of 896	4920	powershell.exe	86
PID 896 wrote to memory of 2320	896	csc.exe	87
PID 896 wrote to memory of 2320	896	csc.exe	87

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\keys.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1sg1tely\1sg1tely.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1D2.tmp" "c:\Users\Admin\AppData\Local\Temp\1sg1tely\CSC8184CA4986064C9E8E6DCF63864D4CC7.TMP"
    3⤵
    PID:2320

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1sg1tely\1sg1tely.dll

Filesize
3KB

MD5
a235f01e240db9433a40ed79705da190

SHA1
b607b623ca6f05176576f535b0bf21a00f37dd69

SHA256
7394a11937493ceaead9d8cef9fb6a06fc6f3aeae6fb7d23c4448fd68698e739

SHA512
b2d3f177471e1747fdfa2857537bf4ec6ac8ecb0a1fa6c8e15aeb2d1f7c5d7fa7ac781541be3e739dadde2d10af581a45e9304c5e25b5589e42d817a02b0a2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA1D2.tmp

Filesize
1KB

MD5
576be804925241e4d3fca116cfade1f2

SHA1
6c910745b413fb801c739d3161711f9dcd2bd091

SHA256
179e7184adf47cd4f28afe0f6ab6b37d2e8b099614c500f899cad967d5549cf5

SHA512
0e07e981d254c7780961861197ac1218c3a69129f39f6a50158e867065f345d5f9091ea96c011d0457027055fef34722332e98e799cfec5df9bd374ca0080c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ax0dd4d0.qkj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1sg1tely\1sg1tely.0.cs

Filesize
675B

MD5
61a7afcfb915aa8b873e11a8494b0f2e

SHA1
893ce0a14d8cc37c7266425a5c05d358f0c2c7d3

SHA256
fdd65a6b830b7e3ab5d114f9f9aa5bdf4e47bbf0ed784389b6d6fd454c708470

SHA512
2c8d4dedc6ac8ce594ae06696fc1a23fb9ab4eee04168663ef24dc1092d29f3145c782e02e49f9e6562877ead1ec596873fb623679691b824a07db0c71e5c46d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1sg1tely\1sg1tely.cmdline

Filesize
369B

MD5
71bd01772f6fbe2178667f27cc7295ef

SHA1
dab364a03729677b6f123ef60109e192edec7c0a

SHA256
70e92a2fb29d23dfe4983488b822006c997c30a091a14a3d493526088852c429

SHA512
e6a1d4e355c73197a2cdcb333fe3154fd7009b8900a96470b0d572fd4b4d36c4a30b3750ee7549ec37cb1071b454da801638cec930541d19985844efa9b4abe3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1sg1tely\CSC8184CA4986064C9E8E6DCF63864D4CC7.TMP

Filesize
652B

MD5
63eb7dde7d510f82bfd7b794fb26bbfa

SHA1
dac2006b00d2ad85a82f7b31f37c8fcea7ec3854

SHA256
6e20089c770303cf6fc38377f8b91f0c7cc6b8486af2c160e8eb2927b41a12ae

SHA512
b4c65b425161a12cb56352b182cd5138ec6f01df5f1fe46bdced32d05ca230a147e61c0f1a9c1bb83e70cf36d35fede472e11d451e9c15b3e8e007d7cd82cf2b

Download Submit
memory/4920-145-0x000001D654930000-0x000001D654940000-memory.dmp

Filesize
64KB

Download
memory/4920-133-0x000001D6548D0000-0x000001D6548F2000-memory.dmp

Filesize
136KB

Download
memory/4920-144-0x000001D654930000-0x000001D654940000-memory.dmp

Filesize
64KB

Download
memory/4920-143-0x000001D654930000-0x000001D654940000-memory.dmp

Filesize
64KB

Download
memory/4920-159-0x000001D654930000-0x000001D654940000-memory.dmp

Filesize
64KB

Download
memory/4920-160-0x000001D654930000-0x000001D654940000-memory.dmp

Filesize
64KB

Download
memory/4920-161-0x000001D654930000-0x000001D654940000-memory.dmp

Filesize
64KB

Download