8c9373fd5b6412df5a49ed8cbe38640d6b167ef79a83f9d25b2c2bff2417a8b2

Analysis

max time kernel
28s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-04-2023 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bum.ps1
Size

2.2MB
MD5

95d1e51db007668a176e0203afb4816c
SHA1

e7856701d9c5de497b9c28465db059be6954f541
SHA256

8c9373fd5b6412df5a49ed8cbe38640d6b167ef79a83f9d25b2c2bff2417a8b2
SHA512

4f475b1d7a0698836c48a7d533851f879af954ff3e2871cbb62cd55c8f41ea4c876dc6be9eca48b81fa897894c41a224353f6490b3a59fd542fecb7f26dc413a
SSDEEP

24576:bb6zC8eTmNIpd0RBkc+wgzDQvnELa1EAuIhxXBdeS1YM/y+twTXgNdkXl8:bcamyVDSJ/7twTzy

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2040	powershell.exe
2040	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1480	2040	powershell.exe	29
PID 2040 wrote to memory of 1480	2040	powershell.exe	29
PID 2040 wrote to memory of 1480	2040	powershell.exe	29
PID 1480 wrote to memory of 928	1480	csc.exe	30
PID 1480 wrote to memory of 928	1480	csc.exe	30
PID 1480 wrote to memory of 928	1480	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\bum.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bu70g0jp.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1ED8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1ED7.tmp"
    3⤵
    PID:928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1ED8.tmp

Filesize
1KB

MD5
dcbb06c9bc95f293dc50dc66420c15cc

SHA1
7d7370d9ad103b2a4f315fcd00a96f019ccaa519

SHA256
689325085d942c81c7d914550d3570769a12699f979f36e59f2f7c26c8238aa3

SHA512
d35506d5376c4f1a84e30989e89e68eff29c279203d4665c7c4080685ed3c0c0f8a4118f0ff07a41e2014aeeac91caa9ba9425b6e4d88a39e2cf0f22faf10f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\bu70g0jp.dll

Filesize
3KB

MD5
87f73a67cbae2572f2679da370ae2637

SHA1
b93d8baf6b744c710ae770589ae66e09b32a396d

SHA256
7e3f989ee5f78510e27564c825f76ae36010b464fb27409fac83659548961f10

SHA512
b71a8b30be251b466822043d3b6aec433c690c3e003351918faea020b517b920b7a0ad24c0125c29e3beec74e3932dbbe5d90fb634c3adcefe00860370285809

Download Submit
C:\Users\Admin\AppData\Local\Temp\bu70g0jp.pdb

Filesize
7KB

MD5
32c792c045eee12db20c761c64b8027b

SHA1
dbf7f7b9439424946286ad0e32e824026ff814ab

SHA256
064b9f13eb1567670f0102b14d1973f891bf6240283201da9c305e6b6decec91

SHA512
d5a067bd4bd882455126df6f5ace5f38e9e1ac9892a159a67ac699a6da4996197ea12630fb53803394f20bec80c4f4aa5c0dea59190b8c624c74cefe77fa6fbc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1ED7.tmp

Filesize
652B

MD5
e64add435f7331696e47f4cfc1b03377

SHA1
e01f83bc243b4c1a910696ad86f3e34ae6fb1f61

SHA256
c404952a9d9e7995eef8fbc2f7f216053fefb7f30a0ba5b21fd29dca245c5961

SHA512
423a481a474d82c3844ddfac69371fa8c9174f4d4afa3d182f7c520f355ff43ccfe42f90f3bf89f6a3b50d170852bca52b8b300aab7713d95e5a42bbd9042f58

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bu70g0jp.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bu70g0jp.cmdline

Filesize
309B

MD5
108c347e5c51d60cb05d0b521d3dac43

SHA1
41dbf728a5f4d8d660e7a8c990756a50905b994b

SHA256
1205b88ec249758be67e64be38b23659d7472e816339410f5ff2da125b60d944

SHA512
737d060166c36f3f4dce404121d80c77442547e0c563df68873eb0c5be09b079310bf44e0c5fda5481868a0a9160ca5eedc6ce42b50aebab8df4a5bca82be21f

Download Submit
memory/2040-64-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2040-66-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2040-67-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2040-65-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2040-58-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/2040-77-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/2040-59-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download