5fba92b48687b8cbaf19410ed222c6a77443bb146ffbcdf432c7d59381ca1567

Resubmissions

21/04/2023, 18:11

230421-wslxpahc47 3

21/04/2023, 17:23

230421-vylnfaha68 3

21/04/2023, 17:21

230421-vxcddaha62 1

Analysis

max time kernel
28s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21/04/2023, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ACMobile.UWP_3.13.9.0_Test/Add-AppDevPackage.ps1
Size

36KB
MD5

d4314b32d1a7d3622c083da53e7b62fb
SHA1

7495dbaaf794fd896560969681cb247dff2194ef
SHA256

afa90d0699ad7ee3644b74903fdfe8d3efcef216710d77594ab98a74fe1f55b9
SHA512

c64acf9a1ae326a396752365dc38e4ce255320da2a2fcdd7fc12d79a8e6e0f1147330b84c3398015e73e95fe8324622cbacb544cbb4f5b07f5a65d8b7916733a
SSDEEP

768:9qm7sDio+bTVYIBCesTW1jB0dtRKIosiBDTp329SGMacePtRJfB78r:deI1sTZRfi1d329SL0FZY

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1724	powershell.exe
1724	powershell.exe
1724	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 296	1724	powershell.exe	29
PID 1724 wrote to memory of 296	1724	powershell.exe	29
PID 1724 wrote to memory of 296	1724	powershell.exe	29
PID 296 wrote to memory of 1664	296	csc.exe	30
PID 296 wrote to memory of 1664	296	csc.exe	30
PID 296 wrote to memory of 1664	296	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ACMobile.UWP_3.13.9.0_Test\Add-AppDevPackage.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\napaowgg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:296
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16AE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC16AD.tmp"
    3⤵
    PID:1664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES16AE.tmp

Filesize
1KB

MD5
e54ca6bc23acaed3b379c32762d08da0

SHA1
0b515fc09fc2fe81ab9c4cd2fff0860e50671652

SHA256
9b19ed2c068d4624381a0e1b1490afbca6949e5feef04564cedaf3fdfffa0be1

SHA512
bed4cb543b69ccbaa746ab798d70911d2b1842fc473fc05b95841377b47afae6288ff69a8fa679345f82252b4cf4cc5962fbab1a63083008abfc518a5b73475d

Download Submit
C:\Users\Admin\AppData\Local\Temp\napaowgg.dll

Filesize
3KB

MD5
87a69187a289de600c6b154ffb965417

SHA1
0b2cbb0cd27abf477f19c30a196cd9ea5084e47a

SHA256
685bbb8807f14e0f20cb245e310a2655821a5b19f3957f9ce9323565082ed9be

SHA512
3aa958aaa1924a3aed1a61ad478de122bf23a92287fed2a5b50844ae48690358af3e734a11bd338b916d4ff1e94af6d63fe2e79bede8ad357f7b3c45cbcfcfd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\napaowgg.pdb

Filesize
7KB

MD5
c1804667be34f071bc18ad5bbc80a6c2

SHA1
610677a9d376e8a30b44e49c3a66a2767fe78aaf

SHA256
cffdf6f956724e666461761ac82ea30741def7c2a176532e0c43e50955b6f0b8

SHA512
eeeb1ac0e8c3c156e2cea20e823cfeee651f8716472900b34de3e1aa1b0e350ef5c22c8a454ba3ee21af5f5609c84bde16113caa5c57c01e01ed4fbbabdf61ea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC16AD.tmp

Filesize
652B

MD5
e319cf51bd682c26f1c7ba55f172eef9

SHA1
e742d46d2f0d8e286b878a804cf650bb2a157ff9

SHA256
2ad257aeee64bd14517ff41298493fd4606d34ee094e78874e9931e117adce91

SHA512
93fa13ce056dcab778a5e4a829ac061fcff784dd274e1bd7a4e1ea19ced04608abc6ecc7f2d447671362cdbcd6d1f0d5d29088abaeaa75b1d9e314d7629eee3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\napaowgg.0.cs

Filesize
282B

MD5
d625120d410db8487a294c43f3d1ee46

SHA1
0291aa75bb962ef6876e89d3775af4620b287169

SHA256
b935ab97b4b4f12b796c4cf506bb5df3b2686e327b88a8f9032dd2e641968624

SHA512
a4b62ec56858a374986e9d97621f1117d34419652c36f901533fb5835971fe153497e7ec2dc8dd8a5a0b1e26c7461fa03cd55aedec4ee439b91c197f05178921

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\napaowgg.cmdline

Filesize
309B

MD5
9470257232d31181350920dcf6a82e4a

SHA1
691310a7abf91a84a7f9d0e00bfb228f17c808c6

SHA256
0e03bad8028b44252dc98497aa2c5bd56cf9a05db0053cf14e91c0b5d2018de6

SHA512
fed00f1ff20d5ffecfb053626faff5bc9194d82342a16e2ddf000796fd71106af8e69fd56d6fa8c4607039c4286b8b3f111f83ce9c6f61db13ed6b321d617b5b

Download Submit
memory/1724-58-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/1724-59-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/1724-60-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1724-61-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1724-62-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1724-76-0x000000001B210000-0x000000001B218000-memory.dmp

Filesize
32KB

Download