31c20d8ef052334c3e2d3bf165c02f20eb3ae7fdc0cb92981d4ba77c29007cf8

Analysis

max time kernel
61s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29/03/2023, 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quZtuaf0.ps1
Size

3KB
MD5

ff1ef674dd573524d0a0f1eb025f6eb3
SHA1

63c60b274b4c3eeab1733620f8a229c9a1472f56
SHA256

31c20d8ef052334c3e2d3bf165c02f20eb3ae7fdc0cb92981d4ba77c29007cf8
SHA512

b2d85237bb3ec304544387283d0b6b6da737c1f461b7c49df5b0c61d417fa8411ec3365136630e1f27abf6de99e6023fa2c9ab834196611d0b95482316afef27

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1208	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1208	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 472	1208	powershell.exe	29
PID 1208 wrote to memory of 472	1208	powershell.exe	29
PID 1208 wrote to memory of 472	1208	powershell.exe	29
PID 472 wrote to memory of 524	472	csc.exe	30
PID 472 wrote to memory of 524	472	csc.exe	30
PID 472 wrote to memory of 524	472	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\quZtuaf0.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yzd0mamg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:472
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1798.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1797.tmp"
    3⤵
    PID:524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1798.tmp

Filesize
1KB

MD5
137f0ce2ad4cad5174f19b76f55660ab

SHA1
5590463a499d75cbb6f170b11a4a1dfbe2b38192

SHA256
f64e3ac6cb541b43411950e673b68dcf59f975ec8d9bbbbc12de6940b05ff880

SHA512
6f5947be942455f74d75ef02e7675dc183f67e09861d9bb5fb23896be0f06b3cf268fe6df7775b80d3af3269f62bf1fbb57de5020247582f34ec253583214010

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzd0mamg.dll

Filesize
3KB

MD5
57455b2747a81ea2249b041fc2cf5b89

SHA1
5ab825842afdb79a7bd4b0b65c2594cb0ffbfd3b

SHA256
30dd8a4864f56dd886f89a8dc780af3778f3f773f08c1cd61cd832bd04fbd4b0

SHA512
8c9365d6fc49b947ce2aea2fc27c60136dbf6341b24b6fae2ae187f1c72a15fed9d9c0efaec3d89e907aec335efa4fe1385263094ece5dd2c85efd44bd27f7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzd0mamg.pdb

Filesize
7KB

MD5
4b4467d47c501d2ad0fb5fdb1a12466e

SHA1
999a0dbbde7a7fd5bc434ee7b5b2f45c4faa5b75

SHA256
b5b907a4fc4cac27b164f62c470eab71fe38e1cede9b529e0e0c5005d31bfa67

SHA512
d08d6c4f691bd9ae699ca3483b1c00f1db29ef2d27acbb027213a48912a02e42b86595556ca1485c361e2767759fc2853f3f4769f42874504a049aec990706f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1797.tmp

Filesize
652B

MD5
02f9c4c6cfa021ed34e53803e0ff8bd2

SHA1
a8a369b6c9bbc77d489880b52713f73a35ad1b1c

SHA256
319b7420e8c8ac470ca72843b200ea79932c551d4407f839872c4c2c791d78c6

SHA512
aa264c9d9655358f4104e2ba60d9a86654b0005ef5d3ecfb4b3994587ce755725322281bc1b2ec5d739aee2acebff905fca3e7609921eea75a5156459347d77a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yzd0mamg.0.cs

Filesize
675B

MD5
61a7afcfb915aa8b873e11a8494b0f2e

SHA1
893ce0a14d8cc37c7266425a5c05d358f0c2c7d3

SHA256
fdd65a6b830b7e3ab5d114f9f9aa5bdf4e47bbf0ed784389b6d6fd454c708470

SHA512
2c8d4dedc6ac8ce594ae06696fc1a23fb9ab4eee04168663ef24dc1092d29f3145c782e02e49f9e6562877ead1ec596873fb623679691b824a07db0c71e5c46d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yzd0mamg.cmdline

Filesize
309B

MD5
f8426e6ea1e009980ef263688a18b263

SHA1
03da4e0f5286e71f312af68538bea1ecff6481e0

SHA256
247bcb07558864b7b4f5bece9d03c5b258a6233af4baac11ba498305d0b88eed

SHA512
c2711b285c3560bc7106ee2685dbf426775d18d0fb1b7021e1d4056f531539e9697bdf242bf864c17baf15687ecd29bee729cdb6ad234f9b160c424354cc806f

Download Submit
memory/1208-66-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/1208-58-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/1208-65-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/1208-64-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/1208-76-0x0000000002610000-0x0000000002618000-memory.dmp

Filesize
32KB

Download
memory/1208-59-0x0000000002010000-0x0000000002018000-memory.dmp

Filesize
32KB

Download
memory/1208-79-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/1208-80-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/1208-81-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/1208-82-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download