8d728990d82730e687856f9d2cab5eb8a3c91945bb03d522ef34a697fe63a787

General

Target

keys.ps1
Size

2KB
MD5

5e3b955bdf29db57b0e61637efb4870d
SHA1

7c0af96506aec951fc5d8de8574286050b2abce4
SHA256

8d728990d82730e687856f9d2cab5eb8a3c91945bb03d522ef34a697fe63a787
SHA512

201a0ec3224e4a72491b397a57d44c8fbf3cbb20fd54c41ec0e5b0ee3d242c6c930df92342330e47a5b8403a1b3d18584b9e1d3511b8c7bbb2bb5de6e2268cb1

Score

1^/10

Malware Config

Signatures

Opens file in notepad (likely ransom note) 1 IoCs

pid	Process
1628	notepad.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2040	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 524	2040	powershell.exe	29
PID 2040 wrote to memory of 524	2040	powershell.exe	29
PID 2040 wrote to memory of 524	2040	powershell.exe	29
PID 524 wrote to memory of 1168	524	csc.exe	30
PID 524 wrote to memory of 1168	524	csc.exe	30
PID 524 wrote to memory of 1168	524	csc.exe	30
PID 2040 wrote to memory of 1628	2040	powershell.exe	33
PID 2040 wrote to memory of 1628	2040	powershell.exe	33
PID 2040 wrote to memory of 1628	2040	powershell.exe	33

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\keys.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2ub7csvr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14CA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC14AA.tmp"
    3⤵
    PID:1168
- C:\Windows\system32\notepad.exe
  "C:\Windows\system32\notepad.exe" C:\Users\Administrator\Documents\lootkeys.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1628

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2ub7csvr.dll

Filesize
3KB

MD5
736c4125ee3fc781213954d2e1da2625

SHA1
0c3f662f69e7da6d8b5c2bbd45a18f7be68b570f

SHA256
04e265ba07850d036417399f03652b04e325b394bd22e86ebc07d7baa2545844

SHA512
48e62d9766a0f1ffa7907d0dc568af21f1ae18aac81455d2fb64b5ce8f52ecb93609122dfad65cfe819f9f60854005321b1161b966f5e47c9e132bcf555b7a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ub7csvr.pdb

Filesize
7KB

MD5
6edf0cd8b991523d1e6b0b3bc8f4f7c5

SHA1
24d1c576d79066820abde9aaeb8d4c6a82734cfe

SHA256
fa82c5a46a87622eb0dc94d9995e199079778044943948dd134962f3405df6e0

SHA512
fee535a2f7ddf36471216fd9522dee27bad1cb9211c8f55bb0461d2ec470848d217c95dc6dac2bfeffe8e474dce0dd6d4171f4b9fe85dc347d7f7603f09f9c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES14CA.tmp

Filesize
1KB

MD5
5af4af6973c21d4418278aa94a82336e

SHA1
84fc8d562f8b1bf369520b8ef27df265b7d9e2f2

SHA256
3ee519ddda97c7b82351624c36816b10611c6e6ca26216cd800a7bbee4190001

SHA512
6945fc540e3270938daf5eadb0633a3a601c6535f6fa6bc5e8de902513b94c616e093fd4f05867baab3492b7402720d90a7e5e2589ab1fb95df0247b01589704

Download Submit
C:\Users\Administrator\Documents\lootkeys.txt

Filesize
10B

MD5
6ca9200473d651ebc9efff77206f2eec

SHA1
b2615e92d932e691b4ba17764a2745b0cb66f997

SHA256
ecaa902d96a85a6e5920d6545632fc076c57a97ac46ce871accb35030da6cf24

SHA512
357537770b9aa0c9a08ffb07c6365711e69bad7eda43382c5ea0e0b64944afd9d5ae21088402cb8fca81d990c413cf961eb8f9f2bd99757c322b8c2ff5379c13

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2ub7csvr.0.cs

Filesize
675B

MD5
61a7afcfb915aa8b873e11a8494b0f2e

SHA1
893ce0a14d8cc37c7266425a5c05d358f0c2c7d3

SHA256
fdd65a6b830b7e3ab5d114f9f9aa5bdf4e47bbf0ed784389b6d6fd454c708470

SHA512
2c8d4dedc6ac8ce594ae06696fc1a23fb9ab4eee04168663ef24dc1092d29f3145c782e02e49f9e6562877ead1ec596873fb623679691b824a07db0c71e5c46d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2ub7csvr.cmdline

Filesize
309B

MD5
380fac08864a4461c9edb29726cc49a0

SHA1
79e7078ead48636dfad4d9d655d85ebf35dbc30a

SHA256
c832a712a145386ae428e8a9c0dd342a3b83c962bf17b821a9f989bfe4f8458b

SHA512
4cb469e3e98d7f2210c2df0882e68fd5253da839618670b54974969f46cd25a492a2c04724ff7a094399aed6078888c5a8367f90d14de1933e0771b7bec6181c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC14AA.tmp

Filesize
652B

MD5
4b7046f42cb4f1ae8ad68b0b65ea501a

SHA1
47377aeb54eef45a0513b5ad444dcb8e2d95352e

SHA256
e08da950a3c55cb2006633abcd14fc8d6adb0f787c1c89b217071c2e57508bd4

SHA512
6f95de8e7ccf3e68a2e2866fb79ce8f33844456e5a48feee91fc75e4d68ba697d08d4203659147b2d3da97e2f15f43a845ccb752fea768aa59d633d7d0432911

Download Submit
memory/2040-62-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/2040-58-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/2040-61-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/2040-76-0x00000000025F0000-0x00000000025F8000-memory.dmp

Filesize
32KB

Download
memory/2040-60-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/2040-80-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/2040-82-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/2040-81-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/2040-83-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/2040-59-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing