5fba92b48687b8cbaf19410ed222c6a77443bb146ffbcdf432c7d59381ca1567

Resubmissions

21/04/2023, 18:11

230421-wslxpahc47 3

21/04/2023, 17:23

230421-vylnfaha68 3

21/04/2023, 17:21

230421-vxcddaha62 1

Analysis

max time kernel
24s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21/04/2023, 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ACMobile.UWP_3.13.9.0_Test/Install.ps1
Size

13KB
MD5

dd937d9ed27f42ff0ed121c977702a9f
SHA1

b48dbaac31d8dee5b4224f758c374f7c6df35b68
SHA256

dc07e5b80c0df8263719a7d5fe3d6352cab8cfd19aac9b046c2d760ba1306fca
SHA512

a899eb44ef82315c6abb7d9cd98ffd1c3eb981b17d491e44c4873e3334971b9d0b7c0251b7ea843c952229263db36cb764bbc707c805f550d91fc4f4477cce38
SSDEEP

384:XYdB0dtRynIcRsG5B3u0pv7s8yto9lPbFKYbIagfeiiTBRJfYQHm:XYdB0dtRKIosiBDTs3a9lPEYMaCePtRS

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
824	powershell.exe
824	powershell.exe
824	powershell.exe
824	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	824	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 668	824	powershell.exe	29
PID 824 wrote to memory of 668	824	powershell.exe	29
PID 824 wrote to memory of 668	824	powershell.exe	29
PID 668 wrote to memory of 1632	668	csc.exe	30
PID 668 wrote to memory of 1632	668	csc.exe	30
PID 668 wrote to memory of 1632	668	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ACMobile.UWP_3.13.9.0_Test\Install.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\67xlbnr8.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D43.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1D42.tmp"
    3⤵
    PID:1632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\67xlbnr8.dll

Filesize
3KB

MD5
344dea653cbe5c88d7d64c12c064b19c

SHA1
4f283077e439c66553449ef7a18efc6d60d1fc8f

SHA256
9d4af3c40ae5ac8918e6a99510d45f55234b7bb5da25317970ac900a462f8c97

SHA512
d528c2ce034d7e17198c6858baf0dff632df124e69d2fc7b17370d9f659bb128355feb0c746a4156457f3c35da024a45cc03fb40466b371e3cc1c95def9f6123

Download Submit
C:\Users\Admin\AppData\Local\Temp\67xlbnr8.pdb

Filesize
7KB

MD5
b6201007c1bdb2072f97e9855f2c6420

SHA1
d59202d7880a92e6395764961bec0e9dfeabed13

SHA256
15a45b2164414384999b7bac51a613e531d885840d2898839d234958152901d7

SHA512
4cd9b3ec8027b8b64430c2dac0c4f0c2cc98189fcfca28884ed3b7126ed6e3200855093ce5e989808a16155b6e19862a73a574cf6a917b7e1e3ddf24651a062d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1D43.tmp

Filesize
1KB

MD5
a18d028fb463039d9b4b668c7d3f7a13

SHA1
4c03e6e23345e02f277f355f3534942f2c41aa98

SHA256
e51951a8596aa444a5540a96c13868dafd86c1199e7d7abc51f7da55a13378b4

SHA512
e5605b36df4f0f670b1b24a0d5d0fe95334e849518edd48c6c2e42759b812d1573142a1bd501282f96fefc088262809734d906a2bd40838f58a738979c650b09

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\67xlbnr8.0.cs

Filesize
282B

MD5
d625120d410db8487a294c43f3d1ee46

SHA1
0291aa75bb962ef6876e89d3775af4620b287169

SHA256
b935ab97b4b4f12b796c4cf506bb5df3b2686e327b88a8f9032dd2e641968624

SHA512
a4b62ec56858a374986e9d97621f1117d34419652c36f901533fb5835971fe153497e7ec2dc8dd8a5a0b1e26c7461fa03cd55aedec4ee439b91c197f05178921

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\67xlbnr8.cmdline

Filesize
309B

MD5
ade6fd40448a05aee612bad57b2f6c4d

SHA1
4c5c72ed39e9846746ca15a50b22985b9156e6f0

SHA256
ebfb8892a932541842b054091219ba56dc26975c7ab2de7f55b8f1a005d0ebcd

SHA512
7e4e84c35bed46f3f509f4ee9194982696e5e328d34ce1f652b950546f88d0245f92e65b94d066ba182e965e16d641233883b9cdcb9aec1d0b3d2fca321e4cd5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1D42.tmp

Filesize
652B

MD5
2682775af668a8697426b4404cfeb426

SHA1
d6bc6f461b56e958b77cd887594838f1cdd5efa5

SHA256
c8e1df679f6af96eb0735155571a603cfdca84e4b77830bb481bde350b40b49b

SHA512
ba315df2be50afc87ca0f708f2503c22ec1089d8e5c4a81bddfcc66000d13ff2a00ae463a2afb658f820dbeb989f386c638d2cbebf56c26c8e774467410bd023

Download Submit
memory/824-58-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download
memory/824-59-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/824-60-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/824-61-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/824-62-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/824-76-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download