5fba92b48687b8cbaf19410ed222c6a77443bb146ffbcdf432c7d59381ca1567

Resubmissions

21/04/2023, 18:11

230421-wslxpahc47 3

21/04/2023, 17:23

230421-vylnfaha68 3

21/04/2023, 17:21

230421-vxcddaha62 1

Analysis

max time kernel
66s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2023, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ACMobile.UWP_3.13.9.0_Test/Add-AppDevPackage.ps1
Size

36KB
MD5

d4314b32d1a7d3622c083da53e7b62fb
SHA1

7495dbaaf794fd896560969681cb247dff2194ef
SHA256

afa90d0699ad7ee3644b74903fdfe8d3efcef216710d77594ab98a74fe1f55b9
SHA512

c64acf9a1ae326a396752365dc38e4ce255320da2a2fcdd7fc12d79a8e6e0f1147330b84c3398015e73e95fe8324622cbacb544cbb4f5b07f5a65d8b7916733a
SSDEEP

768:9qm7sDio+bTVYIBCesTW1jB0dtRKIosiBDTp329SGMacePtRJfB78r:deI1sTZRfi1d329SL0FZY

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
776	powershell.exe
776	powershell.exe
776	powershell.exe
776	powershell.exe
776	powershell.exe
776	powershell.exe
776	powershell.exe
776	powershell.exe
4560	powershell.exe
4560	powershell.exe
4560	powershell.exe
4560	powershell.exe
4560	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 1488	776	powershell.exe	83
PID 776 wrote to memory of 1488	776	powershell.exe	83
PID 1488 wrote to memory of 4220	1488	csc.exe	84
PID 1488 wrote to memory of 4220	1488	csc.exe	84
PID 776 wrote to memory of 2156	776	powershell.exe	85
PID 776 wrote to memory of 2156	776	powershell.exe	85
PID 776 wrote to memory of 4560	776	powershell.exe	86
PID 776 wrote to memory of 4560	776	powershell.exe	86
PID 4560 wrote to memory of 5036	4560	powershell.exe	88
PID 4560 wrote to memory of 5036	4560	powershell.exe	88
PID 5036 wrote to memory of 2708	5036	csc.exe	89
PID 5036 wrote to memory of 2708	5036	csc.exe	89
PID 4560 wrote to memory of 5072	4560	powershell.exe	97
PID 4560 wrote to memory of 5072	4560	powershell.exe	97

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ACMobile.UWP_3.13.9.0_Test\Add-AppDevPackage.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tt3bd13j\tt3bd13j.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85EE.tmp" "c:\Users\Admin\AppData\Local\Temp\tt3bd13j\CSC9701CD07A81443DAB0F1D2CFA6F61D3A.TMP"
    3⤵
    PID:4220
- C:\Windows\system32\certutil.exe
  "C:\Windows\system32\certutil.exe" -verify C:\Users\Admin\AppData\Local\Temp\ACMobile.UWP_3.13.9.0_Test\ACMobile.UWP_3.13.9.0_x86.cer
  2⤵
  PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -file "C:\Users\Admin\AppData\Local\Temp\ACMobile.UWP_3.13.9.0_Test\Add-AppDevPackage.ps1" -GetDeveloperLicense -CertificatePath "C:\Users\Admin\AppData\Local\Temp\ACMobile.UWP_3.13.9.0_Test\ACMobile.UWP_3.13.9.0_x86.cer"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ovszohxy\ovszohxy.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES956F.tmp" "c:\Users\Admin\AppData\Local\Temp\ovszohxy\CSC8C7CDF8E6DEE4DB0BF49CEF46B999FD.TMP"
      4⤵
      PID:2708
- - C:\Windows\system32\certutil.exe
    "C:\Windows\system32\certutil.exe" -verify C:\Users\Admin\AppData\Local\Temp\ACMobile.UWP_3.13.9.0_Test\ACMobile.UWP_3.13.9.0_x86.cer
    3⤵
    PID:5072

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
1⤵
PID:3552

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
1⤵
PID:4656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\APPX.6bbky5bp7rzbd8r10rvnu0dvc.tmp

Filesize
1KB

MD5
1e3e9426b2b7090d86c9173101be7777

SHA1
f4c6df39277e060ddf96e8431499e880a4007ca6

SHA256
626e415589b459bb1e4f44452298be280a243a92cfdd5077acb142630b653583

SHA512
ccf2a3922d35dabd196988612954d650ea70660c79418355275bed149588b1bc25e43d3a05f0693d31b3bc3387c666428fa65e625ad56010feeeb9f1a5de9c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\APPX.dndrd3js_r1acxx3tzmj0ctff.tmp

Filesize
1KB

MD5
ff363a8643bf14f5880c92ebabe873bf

SHA1
5900c9eadb831d0555ea26a77d988e60be49fd51

SHA256
4ab1dbae2e034cae492e3345d619d5b86e99db02b9b251b19f6f0f5f1dc54f7d

SHA512
906db6e23b159832d30d278c92b78fdb16df9d85a42fa6ffb14a7f059c7dfc13f83119013f44f8bcbff6027f2a40903bacc0ca5d6fa8b5b2864328bfefa75e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\APPX.filbixx6y3waxe4rd9lnbyd1e.tmp

Filesize
338B

MD5
98dc0abbca5be2f9ce9e1816a8d526af

SHA1
b96230531a9ab54b52ecd34f2f9dad9be47ab0be

SHA256
630e77651ff6164d5fd984b4646da223027dcb42c002b3f1ea95173f3dead8cb

SHA512
7f979b21db1bd84d9709bd48d49a80ae6f7bc8315d660874e573bdbdfe66a0517a96a9135a25749545e4dd4a7c518d34a28d4cd719e4730797f7c6a8bcc472df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES85EE.tmp

Filesize
1KB

MD5
0d1a9607ce2924b7fbd02b90efee856a

SHA1
fad3546ee5992c37bf2e2e35b80efc5b6ff93575

SHA256
676d40aef049efceedd76ae6392e0f5d2a9e6ece0732ff4f083adb413109e131

SHA512
b8950e69132ef198e15163c40714a3fe5d78e77cd5b13043b63427d4983d404eab7801a1a4377f9a52abdf3eb1e429fa74dd6c0f452d1b8f62d0daa7e3b3d5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES956F.tmp

Filesize
1KB

MD5
9d7b388fc1b0639c6a338da0d5a5fe86

SHA1
7144886a144dfdccc139851951e40d3fc3dbd564

SHA256
a75f1a578b23ce48da6331027eaa13fbfbebc8e0ef3bdd2a0c4c32523b5cb7d2

SHA512
3504c993a2f6b24564d693e735eeb70d483f698d92b564c46f28fa7235934f05e0f6a04eca9705dc76668d1701ba33cd5002e0e08418b54378bef478558d8859

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kht1conq.ol1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovszohxy\ovszohxy.dll

Filesize
3KB

MD5
1a420bfe5ed8917a71ca5e92577c70dd

SHA1
a46da7bea2cd61b9559f7bc367c78391050f3bcb

SHA256
3211a1113e994a7207cf9f293b9a8b14de0a77bcd16dde34b53050511c44060a

SHA512
e416c16517df5b078fb68090ded3939dece1eaeb11768141733b07577d235560365468ff7cc2c316716f55b5946948af0dea41c25235c2bdcf4961477dee5ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tt3bd13j\tt3bd13j.dll

Filesize
3KB

MD5
a6c9b8066e9ddfc6698252e7a1bdc869

SHA1
65ff1d2b277d7abb7c0284615a303301c6bc4a0e

SHA256
9415851a4480590ac4045782777f8ca9fd8cb9f30c4142acb416b54783430a17

SHA512
2a137b156e3163a45940e23e7864abbcb6481a2fcc9da8aac5c20fae3e80983bd13fd66478b222cae2bf9d5005a130ea5591725fffdb23ed587810948f9f59ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ovszohxy\CSC8C7CDF8E6DEE4DB0BF49CEF46B999FD.TMP

Filesize
652B

MD5
bae46d68f2165125aed4edb377e0f369

SHA1
626e95bc2c53052fc59919b295391d34a00138e8

SHA256
72c9e352b8ebe1d7396483c9614d473e220e823b0512dce3647ed4fe37e5698e

SHA512
8183e3608f23dfd2da4fe2f6b598aa36e6fcdcb913ce5ff77efddafedda3e41e4e5d12c4ef67723be92b3ac866185fbf02039af3abfea301d4f87c8b6f0a694d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ovszohxy\ovszohxy.0.cs

Filesize
282B

MD5
d625120d410db8487a294c43f3d1ee46

SHA1
0291aa75bb962ef6876e89d3775af4620b287169

SHA256
b935ab97b4b4f12b796c4cf506bb5df3b2686e327b88a8f9032dd2e641968624

SHA512
a4b62ec56858a374986e9d97621f1117d34419652c36f901533fb5835971fe153497e7ec2dc8dd8a5a0b1e26c7461fa03cd55aedec4ee439b91c197f05178921

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ovszohxy\ovszohxy.cmdline

Filesize
369B

MD5
546a4a65c5f4a1b5c9d1306a13d11d2e

SHA1
5c291b0e969ac48811de3c1ccc9d69216bd6be82

SHA256
b6c9b02c55f24e0e30c261fa5571b89fb0bd5b2205c146aa5821d3f2d060c147

SHA512
efdb8528b3169470f15f0c0bf2b12b836786e514efc529d832f917bcefb46c9dacf6098274fd7ac6466e346a4b3009d8a94d9d4153f3bc3d496d1ece5cf00ad6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tt3bd13j\CSC9701CD07A81443DAB0F1D2CFA6F61D3A.TMP

Filesize
652B

MD5
937a28ac5805eb9a4289cf5088d75119

SHA1
cc1872aa65f2e2a0087b6cd874b8cc79d49e4280

SHA256
e7f02d51a1d61a2e96f0e2b00ec3a4094a2a43701043388b394d602f54fbfc53

SHA512
1fff61c94e7794468e44d1b78446a8371df08d129293825b09fe7bdbc85cd6077e5e4a8a0657745614b1913e688443a910da53fa9e15a1519b906690da58d480

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tt3bd13j\tt3bd13j.0.cs

Filesize
282B

MD5
d625120d410db8487a294c43f3d1ee46

SHA1
0291aa75bb962ef6876e89d3775af4620b287169

SHA256
b935ab97b4b4f12b796c4cf506bb5df3b2686e327b88a8f9032dd2e641968624

SHA512
a4b62ec56858a374986e9d97621f1117d34419652c36f901533fb5835971fe153497e7ec2dc8dd8a5a0b1e26c7461fa03cd55aedec4ee439b91c197f05178921

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tt3bd13j\tt3bd13j.cmdline

Filesize
369B

MD5
5e53729a5489d89edf3833da3db28966

SHA1
510b773280431801d08b920f2876273ec030b578

SHA256
49453fdd97f133e9e29e1c5349b9fd071c17f1e10f7b81e27348c014ed2beb29

SHA512
9ce30918044a4ae3544c01ec8cde550c6335ad6dcba4003afd8e18e7d635ac77d95a1336fd7edb1293522bb264619ffff283e5a3f42697cc95d94a47d4678f5d

Download Submit
memory/776-134-0x0000023B62580000-0x0000023B62590000-memory.dmp

Filesize
64KB

Download
memory/776-195-0x0000023B64820000-0x0000023B6482A000-memory.dmp

Filesize
40KB

Download
memory/776-133-0x0000023B62580000-0x0000023B62590000-memory.dmp

Filesize
64KB

Download
memory/776-135-0x0000023B62540000-0x0000023B62562000-memory.dmp

Filesize
136KB

Download
memory/776-150-0x0000023B62580000-0x0000023B62590000-memory.dmp

Filesize
64KB

Download
memory/776-223-0x0000023B62580000-0x0000023B62590000-memory.dmp

Filesize
64KB

Download
memory/776-224-0x0000023B62580000-0x0000023B62590000-memory.dmp

Filesize
64KB

Download
memory/776-225-0x0000023B62580000-0x0000023B62590000-memory.dmp

Filesize
64KB

Download
memory/4560-214-0x000002B230150000-0x000002B230160000-memory.dmp

Filesize
64KB

Download
memory/4560-216-0x000002B230150000-0x000002B230160000-memory.dmp

Filesize
64KB

Download
memory/4560-217-0x000002B230150000-0x000002B230160000-memory.dmp

Filesize
64KB

Download
memory/4560-226-0x000002B230150000-0x000002B230160000-memory.dmp

Filesize
64KB

Download
memory/4560-227-0x000002B230150000-0x000002B230160000-memory.dmp

Filesize
64KB

Download