5fba92b48687b8cbaf19410ed222c6a77443bb146ffbcdf432c7d59381ca1567

Resubmissions

21-04-2023 18:11

230421-wslxpahc47 3

21-04-2023 17:23

230421-vylnfaha68 3

21-04-2023 17:21

230421-vxcddaha62 1

Analysis

max time kernel
82s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2023 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ACMobile.UWP_3.13.9.0_Test/Add-AppDevPackage.ps1
Size

36KB
MD5

d4314b32d1a7d3622c083da53e7b62fb
SHA1

7495dbaaf794fd896560969681cb247dff2194ef
SHA256

afa90d0699ad7ee3644b74903fdfe8d3efcef216710d77594ab98a74fe1f55b9
SHA512

c64acf9a1ae326a396752365dc38e4ce255320da2a2fcdd7fc12d79a8e6e0f1147330b84c3398015e73e95fe8324622cbacb544cbb4f5b07f5a65d8b7916733a
SSDEEP

768:9qm7sDio+bTVYIBCesTW1jB0dtRKIosiBDTp329SGMacePtRJfB78r:deI1sTZRfi1d329SL0FZY

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2452	powershell.exe
2452	powershell.exe
2452	powershell.exe
2452	powershell.exe
2452	powershell.exe
2452	powershell.exe
2452	powershell.exe
2452	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 1548	2452	powershell.exe	84
PID 2452 wrote to memory of 1548	2452	powershell.exe	84
PID 1548 wrote to memory of 3200	1548	csc.exe	85
PID 1548 wrote to memory of 3200	1548	csc.exe	85
PID 2452 wrote to memory of 4792	2452	powershell.exe	86
PID 2452 wrote to memory of 4792	2452	powershell.exe	86
PID 2452 wrote to memory of 2236	2452	powershell.exe	87
PID 2452 wrote to memory of 2236	2452	powershell.exe	87
PID 2236 wrote to memory of 2120	2236	powershell.exe	89
PID 2236 wrote to memory of 2120	2236	powershell.exe	89
PID 2120 wrote to memory of 3552	2120	csc.exe	90
PID 2120 wrote to memory of 3552	2120	csc.exe	90
PID 2236 wrote to memory of 1980	2236	powershell.exe	98
PID 2236 wrote to memory of 1980	2236	powershell.exe	98

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ACMobile.UWP_3.13.9.0_Test\Add-AppDevPackage.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u4txgrll\u4txgrll.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES985D.tmp" "c:\Users\Admin\AppData\Local\Temp\u4txgrll\CSCF6DF7E6B357B47AC939F5B9E71DBFF39.TMP"
    3⤵
    PID:3200
- C:\Windows\system32\certutil.exe
  "C:\Windows\system32\certutil.exe" -verify C:\Users\Admin\AppData\Local\Temp\ACMobile.UWP_3.13.9.0_Test\ACMobile.UWP_3.13.9.0_x86.cer
  2⤵
  PID:4792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -file "C:\Users\Admin\AppData\Local\Temp\ACMobile.UWP_3.13.9.0_Test\Add-AppDevPackage.ps1" -GetDeveloperLicense -CertificatePath "C:\Users\Admin\AppData\Local\Temp\ACMobile.UWP_3.13.9.0_Test\ACMobile.UWP_3.13.9.0_x86.cer"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zzabb42m\zzabb42m.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA85A.tmp" "c:\Users\Admin\AppData\Local\Temp\zzabb42m\CSC404DEB49A96344D593B61ADBA776FE67.TMP"
      4⤵
      PID:3552
- - C:\Windows\system32\certutil.exe
    "C:\Windows\system32\certutil.exe" -verify C:\Users\Admin\AppData\Local\Temp\ACMobile.UWP_3.13.9.0_Test\ACMobile.UWP_3.13.9.0_x86.cer
    3⤵
    PID:1980

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
1⤵
PID:4136

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
1⤵
PID:2600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\APPX.7v_y9l2k30jrdfw5g8izb2eug.tmp

Filesize
1KB

MD5
1e3e9426b2b7090d86c9173101be7777

SHA1
f4c6df39277e060ddf96e8431499e880a4007ca6

SHA256
626e415589b459bb1e4f44452298be280a243a92cfdd5077acb142630b653583

SHA512
ccf2a3922d35dabd196988612954d650ea70660c79418355275bed149588b1bc25e43d3a05f0693d31b3bc3387c666428fa65e625ad56010feeeb9f1a5de9c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\APPX.g7bhsz10vwmgw29rutoshod0f.tmp

Filesize
1KB

MD5
ff363a8643bf14f5880c92ebabe873bf

SHA1
5900c9eadb831d0555ea26a77d988e60be49fd51

SHA256
4ab1dbae2e034cae492e3345d619d5b86e99db02b9b251b19f6f0f5f1dc54f7d

SHA512
906db6e23b159832d30d278c92b78fdb16df9d85a42fa6ffb14a7f059c7dfc13f83119013f44f8bcbff6027f2a40903bacc0ca5d6fa8b5b2864328bfefa75e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\APPX.yudp_wgfqbt346zbvuje237hc.tmp

Filesize
338B

MD5
98dc0abbca5be2f9ce9e1816a8d526af

SHA1
b96230531a9ab54b52ecd34f2f9dad9be47ab0be

SHA256
630e77651ff6164d5fd984b4646da223027dcb42c002b3f1ea95173f3dead8cb

SHA512
7f979b21db1bd84d9709bd48d49a80ae6f7bc8315d660874e573bdbdfe66a0517a96a9135a25749545e4dd4a7c518d34a28d4cd719e4730797f7c6a8bcc472df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES985D.tmp

Filesize
1KB

MD5
b6a9b3abdad07cd912f1a1659a38eda2

SHA1
a7f48484dbdfd902e10a6d7337b141394770dd8d

SHA256
d83714eda55ca645da442e42a7125bf55d35b3cb3cf0cc22ae3af89ee728f5a8

SHA512
bc693ea5e4a05e87efaae18baa5a7f176b3b1eef6eb40b68430e92d779a902e0a519761b0c6516317faa836f5083c81cb17bcebcf2c9c1de0d4394793a5abba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA85A.tmp

Filesize
1KB

MD5
e71c56543ff9e70d4e5c16ec8b4b43c8

SHA1
152af6432259a9ac0d4b0bc8333eb5205418a011

SHA256
7e3cce306ca51139f3d2a7db9d5a81623b640adfd74c2602f737e5a16dca364f

SHA512
99e17719c4c73cb0adf6c0918a443c19bf556de1390dfdc00a5d120a3f957f95a7beb108e28ffa128544b2ded08ebb6fc332710cd6d0a5e9ae4d8be654148bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dx4fcz05.dc4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4txgrll\u4txgrll.dll

Filesize
3KB

MD5
2badcf6ba29c907f8f38c0066bcfc666

SHA1
a4fc087cacfd14101db32446abe71bde50d81cee

SHA256
a0c0d367dab318fce6b126c96dca98d7e72864709beb701dfd7114160ea93017

SHA512
886fe47b5783856110c37d91a6215e3e940251112b287ab0b87bd73b1a606ad90b3be4f79cb13876f445ce4b142d740fe8c31db829e2599b9eda9c694d505011

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzabb42m\zzabb42m.dll

Filesize
3KB

MD5
1060ebbbd1d44558349761b6d5377e9e

SHA1
ffedd773fb1bd635c94d4db158aa5c73fdcbdf20

SHA256
9cc2c8b94a44600f20874ba9d185acaf2be6b229865d7836b4b51ae5c4e251ad

SHA512
ed91ef67d01f26cff5668be2e1a3cbbbdd3c1e6c4fc3e6018f74ae52ca3562914be0d95bcb243e4cfb79f424795fd9fb3ba26ac4073d72413b01aec3dd82e203

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u4txgrll\CSCF6DF7E6B357B47AC939F5B9E71DBFF39.TMP

Filesize
652B

MD5
67a8d7d7ea7708c6664c48b70fa11e6f

SHA1
9af1f1c9fd46789803be8212bf46647b5b37fdbd

SHA256
170d9551357b974d5e97e6774025653a3eace2ac776b94014f2434d263163824

SHA512
cadefecd60dd34fab79831c25fa2cb935fdfc06ec57f6d2b7e1b60786cfab1bb258924439550c08f618005dd3f1bc82590ca5aaba47468954c2732f93a4e4181

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u4txgrll\u4txgrll.0.cs

Filesize
282B

MD5
d625120d410db8487a294c43f3d1ee46

SHA1
0291aa75bb962ef6876e89d3775af4620b287169

SHA256
b935ab97b4b4f12b796c4cf506bb5df3b2686e327b88a8f9032dd2e641968624

SHA512
a4b62ec56858a374986e9d97621f1117d34419652c36f901533fb5835971fe153497e7ec2dc8dd8a5a0b1e26c7461fa03cd55aedec4ee439b91c197f05178921

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u4txgrll\u4txgrll.cmdline

Filesize
369B

MD5
f364ba4ba5e08f1d43559fcb0ead66f5

SHA1
8b3a2beba796ed7eaa0b34f0d6dde1ddd344feca

SHA256
2bffce6c5065d8043e9fa2e3b470435526cab6d39848f650ce4cafe527e3f1ee

SHA512
74973c21574133a9b8e0311942bdfe59aeb4e6aec117852c2564774d6278ed218508b950b11a4482ac82cc044829017b7b545b217bcd33fa1bbea817747d24dd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zzabb42m\CSC404DEB49A96344D593B61ADBA776FE67.TMP

Filesize
652B

MD5
6c2235701bd15a5908b938204262673b

SHA1
db729d018f644a75fb4a5104346d9065386b4045

SHA256
10393e3cca8d3b0db1861893d25837563c5bff5944d38b53aa8346435b594b49

SHA512
f7256ebfd7137585f819718127813271455370a6a0748145ac6e91f2e8e2f8c563d54ae2a453405033858839c38b9e61299684e37accba6f5a120191066a7cb1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zzabb42m\zzabb42m.0.cs

Filesize
282B

MD5
d625120d410db8487a294c43f3d1ee46

SHA1
0291aa75bb962ef6876e89d3775af4620b287169

SHA256
b935ab97b4b4f12b796c4cf506bb5df3b2686e327b88a8f9032dd2e641968624

SHA512
a4b62ec56858a374986e9d97621f1117d34419652c36f901533fb5835971fe153497e7ec2dc8dd8a5a0b1e26c7461fa03cd55aedec4ee439b91c197f05178921

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zzabb42m\zzabb42m.cmdline

Filesize
369B

MD5
4aebaf412368daa444e6ca21aa76861b

SHA1
17d06170d8efb65296191e4363a633ded8293169

SHA256
256e0136d291b0a2cb1f91644b644e346cffa2b6bb6b7c73fb76b423f2ba8094

SHA512
e4dc715a6944db79910d4d720022e7ddfd7f0b8cee0f7b5f2bfb7740e2bb7f325fe10458385bca5bf487ce473c3727808367283408d6296aa6e9c916d13d4e0f

Download Submit
memory/2236-208-0x00000282B3340000-0x00000282B3350000-memory.dmp

Filesize
64KB

Download
memory/2236-222-0x00000282B3340000-0x00000282B3350000-memory.dmp

Filesize
64KB

Download
memory/2236-228-0x00000282B3340000-0x00000282B3350000-memory.dmp

Filesize
64KB

Download
memory/2236-227-0x00000282B3340000-0x00000282B3350000-memory.dmp

Filesize
64KB

Download
memory/2236-207-0x00000282B3340000-0x00000282B3350000-memory.dmp

Filesize
64KB

Download
memory/2236-226-0x00000282B3340000-0x00000282B3350000-memory.dmp

Filesize
64KB

Download
memory/2452-145-0x0000016595C50000-0x0000016595C60000-memory.dmp

Filesize
64KB

Download
memory/2452-143-0x0000016595C50000-0x0000016595C60000-memory.dmp

Filesize
64KB

Download
memory/2452-223-0x0000016595C50000-0x0000016595C60000-memory.dmp

Filesize
64KB

Download
memory/2452-224-0x0000016595C50000-0x0000016595C60000-memory.dmp

Filesize
64KB

Download
memory/2452-225-0x0000016595C50000-0x0000016595C60000-memory.dmp

Filesize
64KB

Download
memory/2452-144-0x0000016595C50000-0x0000016595C60000-memory.dmp

Filesize
64KB

Download
memory/2452-195-0x00000165B12F0000-0x00000165B12FA000-memory.dmp

Filesize
40KB

Download
memory/2452-133-0x00000165B05A0000-0x00000165B05C2000-memory.dmp

Filesize
136KB

Download