5fba92b48687b8cbaf19410ed222c6a77443bb146ffbcdf432c7d59381ca1567

Resubmissions

21/04/2023, 18:11

230421-wslxpahc47 3

21/04/2023, 17:23

230421-vylnfaha68 3

21/04/2023, 17:21

230421-vxcddaha62 1

Analysis

max time kernel
28s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21/04/2023, 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ACMobile.UWP_3.13.9.0_Test/Add-AppDevPackage.ps1
Size

36KB
MD5

d4314b32d1a7d3622c083da53e7b62fb
SHA1

7495dbaaf794fd896560969681cb247dff2194ef
SHA256

afa90d0699ad7ee3644b74903fdfe8d3efcef216710d77594ab98a74fe1f55b9
SHA512

c64acf9a1ae326a396752365dc38e4ce255320da2a2fcdd7fc12d79a8e6e0f1147330b84c3398015e73e95fe8324622cbacb544cbb4f5b07f5a65d8b7916733a
SSDEEP

768:9qm7sDio+bTVYIBCesTW1jB0dtRKIosiBDTp329SGMacePtRJfB78r:deI1sTZRfi1d329SL0FZY

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2044	powershell.exe
2044	powershell.exe
2044	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 540	2044	powershell.exe	29
PID 2044 wrote to memory of 540	2044	powershell.exe	29
PID 2044 wrote to memory of 540	2044	powershell.exe	29
PID 540 wrote to memory of 516	540	csc.exe	30
PID 540 wrote to memory of 516	540	csc.exe	30
PID 540 wrote to memory of 516	540	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ACMobile.UWP_3.13.9.0_Test\Add-AppDevPackage.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vjjyxyhx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES174A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1739.tmp"
    3⤵
    PID:516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES174A.tmp

Filesize
1KB

MD5
116e31d57138573354d92f9cda97b420

SHA1
87ab5ad2b212c40bfcb804e2e6601ce74c0ed90d

SHA256
fe2bbf500fb54e45d436b6e10b84bfd83c29574fcba10d9ec0907e078c602640

SHA512
576e5820c2ef2bd2a4dbccf571c1bd7ea33ff7e91e5eefb4fd9b553176c427c69a369f0545cf9e131d53750238e76ae5d61ac7f989bda7075b72ad9d122e5111

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjjyxyhx.dll

Filesize
3KB

MD5
9fc43371c700a604a7e09fc5e082606f

SHA1
f434bc1cd4e28a5d7fd16e5aa5e225b4777ed4e1

SHA256
95dfca6eef3a078b0811eaea67c502095539bb1e81774e11825311e87f23e2a9

SHA512
c036d4496183c8dd5a5b4e3ca03b200d75faa977e2287bd02c7797186ed4b07712a95dec78f18bfc1aec08858a486b39aacce24b04e164d3af49ffd6f327655f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjjyxyhx.pdb

Filesize
7KB

MD5
6ea1570e2380f51711f97eb31da19b7c

SHA1
7ee11b0191660d9ce08dbec65ace4cbc6f51c44c

SHA256
3372d3dfeda12101ad5e0dc95f9dba0034bf1bc9d0c3f88f459ffbcf439ae56c

SHA512
5f864caa133236105e37a753b013bd331be5bb737afd5ba812f570075eb2e07e3f31edd89a46e5462a4d24e6e78aa39444dca2f68d577ccb379ae7f51ae058e4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1739.tmp

Filesize
652B

MD5
b43b677a89b7a0d6d5982f2c13808fbf

SHA1
f2da89a34d4140c0a981a0c3c9e748ff06bebba4

SHA256
464cf874306836de835392ee1aa1796d2b3763e7e674ba53c117e1a8859d131b

SHA512
fb3404a5eed52aa57e052c2f1c20880c045c43613a2d1d4a644c9448434bf766c60c7bef951393a8319e56ef8b72fa185d6bc81339839074d2b3b4f2d588d00a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vjjyxyhx.0.cs

Filesize
282B

MD5
d625120d410db8487a294c43f3d1ee46

SHA1
0291aa75bb962ef6876e89d3775af4620b287169

SHA256
b935ab97b4b4f12b796c4cf506bb5df3b2686e327b88a8f9032dd2e641968624

SHA512
a4b62ec56858a374986e9d97621f1117d34419652c36f901533fb5835971fe153497e7ec2dc8dd8a5a0b1e26c7461fa03cd55aedec4ee439b91c197f05178921

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vjjyxyhx.cmdline

Filesize
309B

MD5
1c267a9183d2b21d07bfe48648f31f5c

SHA1
18211bb9e1e99f935f458b4bbada13557afbb8a3

SHA256
4772d2ccb50320338913bf33d2d0ab5e34336fef67e2ae4dd92eb0b78fbd4f14

SHA512
ac9661ece5866b950f5ee946f0b70f6ecfe820fed9f5cc9c844c328a034050ceb1373ab765de364ac6cc06336f9f727e21e550bc0bc17287ec43ca49b3ba7104

Download Submit
memory/2044-58-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/2044-59-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/2044-60-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/2044-61-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/2044-62-0x0000000002790000-0x0000000002810000-memory.dmp

Filesize
512KB

Download
memory/2044-76-0x0000000002470000-0x0000000002478000-memory.dmp

Filesize
32KB

Download