3cb26bbe24bf7d7f3e224efea1d244ed89b7305ad45a5804a26405ddc4ced73c

Analysis

max time kernel
30s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-03-2023 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

english.ps1
Size

2.2MB
MD5

e560c98fa5542185d5fc2f48d96b46f9
SHA1

539e5e720a8e9e3e7ced26b706c63a38496be1af
SHA256

3cb26bbe24bf7d7f3e224efea1d244ed89b7305ad45a5804a26405ddc4ced73c
SHA512

d63482073541a5be2217f6b91c5f773a7aa40e9bcd7deaf7953909e2819d478c987b3a5aa77d36b62408a76d267b4118a2eb6e9e711ba8a82692842c0ac796bc
SSDEEP

24576:itr8i7vgeGn0iwEhOSmH/wBC9aU+NFfz4hG9Kq8UHKpvFXErBc1IuQw:C7vhtiwmOUdshGVvWw6

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1504	powershell.exe
1504	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1332	1504	powershell.exe	28
PID 1504 wrote to memory of 1332	1504	powershell.exe	28
PID 1504 wrote to memory of 1332	1504	powershell.exe	28
PID 1332 wrote to memory of 852	1332	csc.exe	29
PID 1332 wrote to memory of 852	1332	csc.exe	29
PID 1332 wrote to memory of 852	1332	csc.exe	29

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\english.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vwhd4ers.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4433.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4423.tmp"
    3⤵
    PID:852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4433.tmp

Filesize
1KB

MD5
8426cfd2479e1ed3326c8f672a3e9390

SHA1
3aa7ff0a84737b61d010811c8dab741f709b313d

SHA256
e9efde170260acacb67999f287f091bfeb1d47abcd1fef389daa2ae7d1a52999

SHA512
aa56f7844441fc62c9689e4680abccd426b1a06475bfc24b0a265a4290ddaabe3befb1c5bfba2fd2fba2b5882a733499d6611bc462f9552a5ffcb784bf9d2bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwhd4ers.dll

Filesize
3KB

MD5
ff9e80123c4b23f4233c0d756be1e5ea

SHA1
9544a7cca6acd0c075a6d4442f527d695b5de81f

SHA256
cf0f9336f20e61ef993a8b5dcea174f26f868556a6260f6a2a4940baaf39d7ed

SHA512
f55ad3b85f3ea755b98872b1144f79432448ee9fa2578eddc79645445a18ae9fa78da927bad0670dc2b932d13ef8c943bcb679cd5b6eae7e94cf90999601affc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwhd4ers.pdb

Filesize
7KB

MD5
e5dc4c4be2fbf8881fbd72e68a07fe14

SHA1
da33fa1b92534d92ea41b684c5023739c43ebc36

SHA256
ea12553558211690a92c232aa4ac01fd3fcc85f11c7d7024f3f6cc7851c30260

SHA512
6b169a2d3c636c2c75b109cce8e8f30984a032ccfd0bd43ebb8cfd56352355c1ff31a028dfa7f8f11a76e2d66dd6699793060e916476a832238d453f6e2f9133

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4423.tmp

Filesize
652B

MD5
830e45c41b076f0ab9cb916d7e019c0a

SHA1
5c4594226faadd6b6269303416c7ed30d1e04478

SHA256
9766ad7aca394d30e0e3b138cfcdfc20df3b0832116a3dec348a2c9580e5b8ad

SHA512
26fd04a88ce343351efc2446ddea966e0527cfcef44546373e6cdd2c4ac33d1c21662c4069fb3ba49cf0964b7807b8cffbf16880f9ce2bddcaa44e12dfce4673

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vwhd4ers.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vwhd4ers.cmdline

Filesize
309B

MD5
475348da60a937de3597fedb719260ac

SHA1
cae2af40f574ecfbe7e2937b846613c0627a5f02

SHA256
8845d3daf9002037aedd2977d5b56f47e8e99795c47f1417a192331d8a04fa8c

SHA512
b8494f49ee8968657e7d122bf9af2c4967c665e7d647e46ff26e91f9a67487381b41ab0b007e535583245406b65e3b03af9343d18a3e776622ecf9689890d7be

Download Submit
memory/1504-58-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/1504-59-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/1504-60-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download
memory/1504-61-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/1504-67-0x0000000002800000-0x0000000002880000-memory.dmp

Filesize
512KB

Download
memory/1504-76-0x0000000002750000-0x0000000002758000-memory.dmp

Filesize
32KB

Download