8d728990d82730e687856f9d2cab5eb8a3c91945bb03d522ef34a697fe63a787

Analysis

max time kernel
76s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2023, 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

keys.ps1
Size

2KB
MD5

5e3b955bdf29db57b0e61637efb4870d
SHA1

7c0af96506aec951fc5d8de8574286050b2abce4
SHA256

8d728990d82730e687856f9d2cab5eb8a3c91945bb03d522ef34a697fe63a787
SHA512

201a0ec3224e4a72491b397a57d44c8fbf3cbb20fd54c41ec0e5b0ee3d242c6c930df92342330e47a5b8403a1b3d18584b9e1d3511b8c7bbb2bb5de6e2268cb1

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4300	powershell.exe
4300	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4300	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 3616	4300	powershell.exe	85
PID 4300 wrote to memory of 3616	4300	powershell.exe	85
PID 3616 wrote to memory of 456	3616	csc.exe	86
PID 3616 wrote to memory of 456	3616	csc.exe	86

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\keys.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2t0ux4oo\2t0ux4oo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6873.tmp" "c:\Users\Admin\AppData\Local\Temp\2t0ux4oo\CSCE783233D2BD6497EA3A19443F27D75D0.TMP"
    3⤵
    PID:456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2t0ux4oo\2t0ux4oo.dll

Filesize
3KB

MD5
2423004a229a3a223caaca693511e624

SHA1
137acc03e33b42d2c38fc055c9e5153d0d35a72d

SHA256
593c999c8ff896bf0c1d78f84e019511d3919844e97ff773b430f81e966ed2f8

SHA512
bef07e5cab8831544db0ea4797192a2d8fe1a92747e85ab886be9018ef5ed465eb0f528dc915bc7f51f174da3794cfdaec6194268c440b642d3506d02ce1eec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6873.tmp

Filesize
1KB

MD5
82adfe5b7ef5f07351a1e8360bb03d1f

SHA1
6c17fbfbb3496daf8036cdd398215b0a14289aaa

SHA256
4a5fabc5f40859a5d150b5a28494179f2aa6e422d5d448dba1930a4b6a710b2e

SHA512
279526e89171e1552ea4ef1acefc34691474141292ae88c7f48f28a560616781b01446761d847e648fd6514857dc7c66e4208f7365360c2c526b0065c35e2fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iqwpkozq.0zd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2t0ux4oo\2t0ux4oo.0.cs

Filesize
675B

MD5
61a7afcfb915aa8b873e11a8494b0f2e

SHA1
893ce0a14d8cc37c7266425a5c05d358f0c2c7d3

SHA256
fdd65a6b830b7e3ab5d114f9f9aa5bdf4e47bbf0ed784389b6d6fd454c708470

SHA512
2c8d4dedc6ac8ce594ae06696fc1a23fb9ab4eee04168663ef24dc1092d29f3145c782e02e49f9e6562877ead1ec596873fb623679691b824a07db0c71e5c46d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2t0ux4oo\2t0ux4oo.cmdline

Filesize
369B

MD5
3ef5285c836a9fd40566796ae1244580

SHA1
469b37d51965dd21419e9a03d2ee8b1bcfa3c767

SHA256
40055160406f0792eaafa692799d71b734077b54ea73d730530079c5d7e27dee

SHA512
910b84ca005e211d1c4b81f2a56ff52dfb7727e91fbdf64bb8fa497489e4428a1a84e536b4fbc00362cba79b34cb874784fbd07b7c48755831cb88015ba7e317

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2t0ux4oo\CSCE783233D2BD6497EA3A19443F27D75D0.TMP

Filesize
652B

MD5
e61f21907358cbf402f664ba3500a9ad

SHA1
2809d754eb802907595f74f486faa488cd419b9f

SHA256
7672181e2fe97aa0c72adad1ede5fcbed2105b706f3352439a45a6a4460de21a

SHA512
e16889955818b9e0858749aaf3f50c892611f39c02b939af85393e5f014b1f988d24d40f34e3178ac236cf9a581aa53a52405dadffea6ef003d5801a44e40dc9

Download Submit
memory/4300-144-0x00000232B7AF0000-0x00000232B7B12000-memory.dmp

Filesize
136KB

Download
memory/4300-133-0x00000232B7B50000-0x00000232B7B60000-memory.dmp

Filesize
64KB

Download
memory/4300-134-0x00000232B7B50000-0x00000232B7B60000-memory.dmp

Filesize
64KB

Download
memory/4300-158-0x00000232B7B50000-0x00000232B7B60000-memory.dmp

Filesize
64KB

Download
memory/4300-159-0x00000232B7B50000-0x00000232B7B60000-memory.dmp

Filesize
64KB

Download
memory/4300-160-0x00000232B7B50000-0x00000232B7B60000-memory.dmp

Filesize
64KB

Download
memory/4300-161-0x00000232B7B50000-0x00000232B7B60000-memory.dmp

Filesize
64KB

Download