54f28031ae6742e825a113b0437db1d0d16bec6668629bc5bbe656446ce45db1

Analysis

max time kernel
28s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04-04-2023 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3u.ps1
Size

2.2MB
MD5

f9400abd6228a51e8e05085eccafc313
SHA1

807dedf3cc9802a77885975e88027727999ab762
SHA256

54f28031ae6742e825a113b0437db1d0d16bec6668629bc5bbe656446ce45db1
SHA512

5d3413586fc066c9c006dfde4f1e8d1d8057a0cdd3024d7fdcf365c9a0b638763e3b143b9acb1f0ec2b652ab353d3d10e29ed5232f88901756697df8c7743a90
SSDEEP

24576:mRQnNmYwNUFN1Jt3ld6+1qek4SuB3o9JAmjwNSUJWEAm4Rvy7leMoG0Fi78:mR7eFNTg+1YjwvO+b78

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1596	powershell.exe
1596	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 580	1596	powershell.exe	29
PID 1596 wrote to memory of 580	1596	powershell.exe	29
PID 1596 wrote to memory of 580	1596	powershell.exe	29
PID 580 wrote to memory of 876	580	csc.exe	30
PID 580 wrote to memory of 876	580	csc.exe	30
PID 580 wrote to memory of 876	580	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\3u.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7fnowgci.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA6D.tmp"
    3⤵
    PID:876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7fnowgci.dll

Filesize
3KB

MD5
bc22ed01baef5ab6fde48c075e63caa4

SHA1
7b92d780273b2ad0996dd2788356f4f63b49bfaa

SHA256
e0d298fb06ada6cca1610c611ad8c28ec26a347463feff5d688d98a3ac6d462e

SHA512
858a338ae02c45be6fdcac5f142cf2937e01cf37b9c10de5c4c4e53b7536dda9c836a17d24d12d9177de1b153bb67f8bb22e73dc1a10d3b5ce3c2e892cd5fb36

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fnowgci.pdb

Filesize
7KB

MD5
a24f619d550281fb718c15fce70754a7

SHA1
2dfb31b7474bbfa1eed4308c6096c72812efaa3f

SHA256
d3f47cd8f6cb44de3d09ade5d614287fc37d53f84dedc449ff6d7024f1dc39d3

SHA512
0b4c3603da5b908e509f3222fff485cd7278d8e449ad0feb89ba68e172c230a3b25a0a6f4615abc75a6c3ab5cef8eb810afd103bc2441c0a99bc3c5d7e69ab21

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA7E.tmp

Filesize
1KB

MD5
3502034d3194a65c8349b34a8d6b52c9

SHA1
74fcbc69086de3eac588a8fe7bcb760d3574623b

SHA256
476881f4fa7270a9a6bfae473abe3df282bc9829e9935ed7d6c6235b6583b3b5

SHA512
5f2498f6a627b359eb7308ec772e048f9d1b620a9c5dd0ed0a49465fff1f9bbf2ed7d3fc86cb16b3442765dd2f263ab1d8a1b636d7b3b8c7af5e78b277981212

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7fnowgci.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7fnowgci.cmdline

Filesize
309B

MD5
bc25c10e15f572bac5438c05dfe01754

SHA1
420f4be4053bc875056b0c50f3da3fc2d349794e

SHA256
7041d91adcafb844f9536163894b95321cccc47ee8bf26db86a110c3ced376ab

SHA512
ddc639ba59c732d00df2a02a99f2a31825e916900012bbf7b01c449aecf869c709b27ff01f65b450324cace2d160368c455f47a23cdf370c0ad875f770fb79df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA6D.tmp

Filesize
652B

MD5
655eb8afa9e05e67421132239fc36e43

SHA1
78c577a449b57cbfb1043b55cbe37550ed2fb3fa

SHA256
e0e42d79c73315d788989f8057d79a2e811d4ddfed5e0945e738d71922c3c0af

SHA512
35f3962d3e76b05b1ceb99d63bddd90fae036cb51a62c59de01c910a64a47ff91d90dde11282062878c1bd9a2d061740dbbf83f33ab633e045a135506fe75e6f

Download Submit
memory/1596-58-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/1596-59-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/1596-60-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1596-61-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1596-62-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1596-76-0x000000001B190000-0x000000001B198000-memory.dmp

Filesize
32KB

Download