07f394e3db99be6f61c72753ed941e38b485fe436ddc02358dfa34c39ac9e0c5

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/03/2023, 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

comics.ps1
Size

2.2MB
MD5

2809cc87a38fd5233134c7428b380f2d
SHA1

47f1282a61b8090c7b335059fd6408c573b061ca
SHA256

b75bb6ee05805acc5898ed2ce9f8313d20672acb1908693b1b368e71c169c447
SHA512

bc0afcd7ef86ca2cd40e7a489b8a523666412b6c43ea60b6615a2aa37fed49dc741d33af3b961dd76e2ca90f5d437838dd4b5cfb28500288d83433746083bc0e
SSDEEP

24576:wOctC+MG8fRwhhUSmA/xBCXaEGNFpz4vGE9TUUrKApoxELBczlB:KtCd9RwRa8rsvGyXoz

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1444	powershell.exe
1444	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1444	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 868	1444	powershell.exe	28
PID 1444 wrote to memory of 868	1444	powershell.exe	28
PID 1444 wrote to memory of 868	1444	powershell.exe	28
PID 868 wrote to memory of 584	868	csc.exe	29
PID 868 wrote to memory of 584	868	csc.exe	29
PID 868 wrote to memory of 584	868	csc.exe	29

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\comics.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\deqvl3rd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A06.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3A05.tmp"
    3⤵
    PID:584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3A06.tmp

Filesize
1KB

MD5
6e061158b89680c2c62b31ff090c8191

SHA1
9b171cc6e44bac53288bca5d4299f98ca8391904

SHA256
fc78667f87c8e446d8e03d83e4df75ebe2c01b8897fad8be3ce4019db61ee778

SHA512
e501d8aec652a753ac8a29dc01a32ac52ed183aa6a5a851eb406fd8d47230ddb95e2b46458d178336e7aff54370494bc938d323c77fb419fec69477e0f2c7e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\deqvl3rd.dll

Filesize
3KB

MD5
90176bb068f8faf7bb4b3640bac95a27

SHA1
3e6765e8d0460ac1c16f84776038804f77182b9d

SHA256
2185f7181a0b8a2c6f7df44e8948353ad3acbe3a882406cc067eecd5458267e1

SHA512
5f1d855910ecf2e05309ae57b72847feac6ddcb7b293a3fbd3a2d6d24fc8fc122e66a2f3e7d0d41459bbdf68bfef2d8ddc51722fbf4c31ed1d29e56a332147f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\deqvl3rd.pdb

Filesize
7KB

MD5
fb44e6063dd6a67e71e75a91623bd168

SHA1
05d7cacc2f47d57cdd245254cc2bef736b3f2ab3

SHA256
e859ad96f678d57f37dee450b3cd0a2cb7cd905eeca28b79368bb1ab7c7716bf

SHA512
28c3c85043632c13c0025c419a933625f8a38cf3e85f2877dcd83ee03e9da91bbf157f5471e072c2d07e5f228b4baa5c2c11fe3bc49eaff531aeaf6ccb3ce6b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3A05.tmp

Filesize
652B

MD5
30af20c84e679b89781201d667bb80d8

SHA1
dc4151748ae71da1f99af88e4d16f1fcd1828d7d

SHA256
1ee25ab125691c0acd4261ebdcde7a55daef1fc1656a765b026dbad988e22916

SHA512
c49a41b7625687fe9e7959bd6800adf6b6ff5c77e1c77a1427963970fb8afb6f79d8716eaea101118a736d1db0c1026ded62bc4ac9c31a5b06fd974c5c99811e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\deqvl3rd.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\deqvl3rd.cmdline

Filesize
309B

MD5
c11f4f51fcdc33d27043ea04922f53af

SHA1
29e6496d67bdb232a436bddd2c08d2a46325423a

SHA256
e94124b70bdc0bbcf5a5fd7fbcc2394fa6b00d4aeea040c3fd655513a9fdd48c

SHA512
df2d4ec9e430ba99d5a4898e1fd62e2193e5500bfcf8a0e0baebc82308db7fb2436e7877c8decdbf7ce97fe75df7578cfe36b94938e0a9ece63fa1855ea881ff

Download Submit
memory/1444-58-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/1444-62-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1444-61-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1444-60-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1444-76-0x0000000002600000-0x0000000002608000-memory.dmp

Filesize
32KB

Download
memory/1444-59-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/1444-79-0x000000000258B000-0x00000000025C2000-memory.dmp

Filesize
220KB

Download