28d4ca9b8bbbad765a193c9df2a8841352a87c2f26b28a94e763709906ce073b

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03-03-2023 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

color.ps1
Size

2.2MB
MD5

742c528a179fdf26356aa239ce901c56
SHA1

d5fbd80a687813b214ad6dc7bc950ccf0f0a46f9
SHA256

28d4ca9b8bbbad765a193c9df2a8841352a87c2f26b28a94e763709906ce073b
SHA512

2c7e40258dfa27931073654c4749049b81ac160f7b3b4ac7730a85249b0ebe82b617cb2247bfc31a5597ab87f399e0d984e1e34fe7812d195a92afe5c866eadd
SSDEEP

24576:Ogpa7y/VUbkfQB0VXG/2Gv8ECPnRq4WtbYnuke0X7fmJIkrDjT8tb2i30mUO:G0QBee2Q4kw4DWbr3R

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1720 powershell.exe
1720 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1720 powershell.exe

pid	process
1720	powershell.exe
1720	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1720	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

powershell.execsc.exe

description	pid	process	target process
PID 1720 wrote to memory of 432	1720	powershell.exe	csc.exe
PID 1720 wrote to memory of 432	1720	powershell.exe	csc.exe
PID 1720 wrote to memory of 432	1720	powershell.exe	csc.exe
PID 432 wrote to memory of 1864	432	csc.exe	cvtres.exe
PID 432 wrote to memory of 1864	432	csc.exe	cvtres.exe
PID 432 wrote to memory of 1864	432	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\color.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\irmrbssd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES437.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC426.tmp"
    3⤵
    PID:1864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES437.tmp

Filesize
1KB

MD5
775f58731c953b2a48b88aca1c76bb69

SHA1
8543e13bc2af7241ad960125420364e8b89fddd4

SHA256
21e97056b6ebc78051e7a9f7a2cba26dc1aea651f3e4acbc272464f5244d084d

SHA512
163bc3e7e82675d2d3fedb099743d2fad2eed478534a74b2972798434052132cbb8f139101a269874c6f43d44ba0eaadad155835ad9669cd8a3c60f0c0a561d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\irmrbssd.dll

Filesize
3KB

MD5
04b5000f1edf8b4af710eb42d46d40ef

SHA1
292775d6744fdbe0312f1540e0b2eef720c90c69

SHA256
b23e1d4f3b813ca4504a44b7e5c2519b2a1a6a46473c7144214bfb75cc29282c

SHA512
90ca8526427a25ac1c06939a4041b78a8898b5d0d838711362808f8e0f460f53502b23d065ed3238d55d70817171ab66efb22621e123a3da2ea60d3e0289549d

Download Submit
C:\Users\Admin\AppData\Local\Temp\irmrbssd.pdb

Filesize
7KB

MD5
967c4f7a34491fc05f64213cd50271d5

SHA1
8ae83f34937aa582dd7d5ed10e101d7ce627f487

SHA256
552b182dfc131c5ee0c9bbaf510851507a24608871b3240029b1858aea749d54

SHA512
8433c4c950aeeb3ae3c8394cd1974eede6cf0c8a9062e61d3d896e17409f46a538009ffffca4c7ccd8cff7010e5d8145ff2bf04beb409b846579d5b78f72f988

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC426.tmp

Filesize
652B

MD5
d77fedc1b261db7df27d903cce261e93

SHA1
50dd51df181b1cc9604d3f9bf2162798abb7cec8

SHA256
927af3b391e5b8bb200662042da065f045ec8be15fb9a7077d546a76da62952d

SHA512
51d143be76e396a33b5dbea5141e4f39b1158a620622a237b1e9ef63ffa91454ed507fb8c82f91f73451a811236b1b34c173866cc549fff0d7bb4dd2a19b5d0f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\irmrbssd.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\irmrbssd.cmdline

Filesize
309B

MD5
2831984e9a32a77c3ee02df70bef803d

SHA1
a80eb189e436a64a05848618cd70009c8963ecf9

SHA256
2adb89a5811e11cdacb4a67edd951e01211bd31c4f2d37b2f1d61cb3e26fe687

SHA512
8dfebbbd3436ff94ea7e2c9e07248d38880d1751a2977282c0fa7293128cbae7d0e821301d957496b332e1fd48efbb8b452175539b1971d21f0a42ae8ad3b83e

Download Submit
memory/1720-58-0x000000001B410000-0x000000001B6F2000-memory.dmp

Filesize
2.9MB

Download
memory/1720-62-0x0000000002770000-0x00000000027F0000-memory.dmp

Filesize
512KB

Download
memory/1720-61-0x0000000002770000-0x00000000027F0000-memory.dmp

Filesize
512KB

Download
memory/1720-60-0x0000000002770000-0x00000000027F0000-memory.dmp

Filesize
512KB

Download
memory/1720-76-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download
memory/1720-59-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/1720-79-0x000000000277B000-0x00000000027B2000-memory.dmp

Filesize
220KB

Download