0afe02415b9523c9f840be11d9561d1c07b41ac1f7b803b7112608ae8db29950

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02/03/2023, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cisco2.ps1
Size

2.2MB
MD5

7708f4d0a27fcb9a315e0e2b9fa24248
SHA1

498ac3d0ddf4b19f6f7d3dacf03c4e2fbf8f993b
SHA256

0afe02415b9523c9f840be11d9561d1c07b41ac1f7b803b7112608ae8db29950
SHA512

af6b285e63c9c3db98d35492ff03ec08196c859f508834fc39d6b76283447f493bc721dfa15a2ad777c6e8547ade639f9379ac1cefa54e226096fb0aa4956f54
SSDEEP

24576:rsxT2KAWU1N5BWAdTfrOqluXAxXgo0TEYKoDcF/mUCXy0wxG/uD3:whAlf5BHF/gfha/FFT

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1544	powershell.exe
1544	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1544	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 972	1544	powershell.exe	29
PID 1544 wrote to memory of 972	1544	powershell.exe	29
PID 1544 wrote to memory of 972	1544	powershell.exe	29
PID 972 wrote to memory of 1760	972	csc.exe	30
PID 972 wrote to memory of 1760	972	csc.exe	30
PID 972 wrote to memory of 1760	972	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\cisco2.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sbxpkx4s.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC149.tmp"
    3⤵
    PID:1760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES14A.tmp

Filesize
1KB

MD5
0e723a924f762a1fcb77d67fba4f5735

SHA1
549229b05b777b0dab3a51c06953de69b345551b

SHA256
7e71290872481dc94573b447ea363fdef5b72495f11e613a2a931ed8447ebafd

SHA512
3973c9f3e11a0b47557fdfc5cd3b8ebe504cc8765a4ce82330c1126d8ae95f2ab5366d851d8f01e98732c0ce31001d196b9d13118fab8f512935a8cfa8cb9e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbxpkx4s.dll

Filesize
3KB

MD5
0eeeee7c4e6df36dcd8f220c24baee41

SHA1
18e6536912503069aa9cf6999cee67161050f11b

SHA256
56675cedfb587456b8b820def23de3389cfb06db60a5f6815a01a80bbe0fdcf3

SHA512
cf4314557f2efa9ca1d416f99b4752d9e20ac4fd66a27bc5bb714e8438e29f1b3c06d3db9b306d30e2393219012c709f8c0a38b020e32b9cd0ecaec99124709e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbxpkx4s.pdb

Filesize
7KB

MD5
d51a06c5268836a23442603ece52c59e

SHA1
30a32a3d7a82f1b2f60f85a787c3c13200033d07

SHA256
40f6b323710308e2b9b1fa8a4fb6951a275bc84b73c74420337e0f89e0f137f6

SHA512
1e8c3821fdd57e999b8109dbaf97d2695f3808c288f63bb2332fa49b687d244d8ff26ac6ed528db925447acda7fc60e001dc794aed782778ee2dc1f190a1f65d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC149.tmp

Filesize
652B

MD5
b9e5920727e6b03178f9ae40a6317e29

SHA1
e384501d6fa5ca2d86eaec258bc4377cf752e2f7

SHA256
bb121c8a5d55e282e7f40b9be251ee89dad4472464c2475437db5bafad3a795e

SHA512
0f3cdb8a3b743c9c49d78d9aad4bb23a79f8fec6be6319ab73e9ec015d3feae8f7f8db0f7402f6b2781c5e1c0e8e61323665eea352e74633605f73906eb5c076

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sbxpkx4s.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sbxpkx4s.cmdline

Filesize
309B

MD5
0b117341bb111eadc7131b9d63a957c6

SHA1
427353823c363b96008aa95d54aa43c17565783b

SHA256
3840913052f2df63dd7757322657d702f8a910c0b56faf72f792bfc26855b217

SHA512
b8d95a9ddb16655300d92b619321dfcc75bba5aeccd154fb21f43001c5fcd81a8cf0b0963da9e4e665c88082c78e466e47f6618b17d3c086ff9b496f8c23176a

Download Submit
memory/1544-58-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/1544-62-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/1544-61-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/1544-60-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/1544-76-0x0000000002660000-0x0000000002668000-memory.dmp

Filesize
32KB

Download
memory/1544-59-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/1544-79-0x000000000281B000-0x0000000002852000-memory.dmp

Filesize
220KB

Download