5fba92b48687b8cbaf19410ed222c6a77443bb146ffbcdf432c7d59381ca1567

Resubmissions

21/04/2023, 18:11

230421-wslxpahc47 3

21/04/2023, 17:23

230421-vylnfaha68 3

21/04/2023, 17:21

230421-vxcddaha62 1

Analysis

max time kernel
29s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21/04/2023, 18:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ACMobile.UWP_3.13.9.0_Test/Add-AppDevPackage.ps1
Size

36KB
MD5

d4314b32d1a7d3622c083da53e7b62fb
SHA1

7495dbaaf794fd896560969681cb247dff2194ef
SHA256

afa90d0699ad7ee3644b74903fdfe8d3efcef216710d77594ab98a74fe1f55b9
SHA512

c64acf9a1ae326a396752365dc38e4ce255320da2a2fcdd7fc12d79a8e6e0f1147330b84c3398015e73e95fe8324622cbacb544cbb4f5b07f5a65d8b7916733a
SSDEEP

768:9qm7sDio+bTVYIBCesTW1jB0dtRKIosiBDTp329SGMacePtRJfB78r:deI1sTZRfi1d329SL0FZY

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1700	powershell.exe
1700	powershell.exe
1700	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 976	1700	powershell.exe	29
PID 1700 wrote to memory of 976	1700	powershell.exe	29
PID 1700 wrote to memory of 976	1700	powershell.exe	29
PID 976 wrote to memory of 524	976	csc.exe	30
PID 976 wrote to memory of 524	976	csc.exe	30
PID 976 wrote to memory of 524	976	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ACMobile.UWP_3.13.9.0_Test\Add-AppDevPackage.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\grv1dnyj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES122B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC121B.tmp"
    3⤵
    PID:524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES122B.tmp

Filesize
1KB

MD5
cca55984bf6bcb552bcb8c9a8b3f828d

SHA1
b2e71f944bf81bdd19ffc04f2629fd0da235efb3

SHA256
d9fe4aec58886662ed75ad71e0f4b8f2166cbd60b8134e6b997ea5949affeaa7

SHA512
e2b3f8b9dbb63ed7cecbc19cd0296f8f6e45834f6666f5a290611f7fe18dc2e80696be34a3f6055917cbf028c043f446a69b3ba351f472ac82045a83671df6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\grv1dnyj.dll

Filesize
3KB

MD5
615801a9c8dc8158e3ef7ba5593a86af

SHA1
aa4a54a545414c5f78bd170c121cc717cf6f2846

SHA256
9afbe8c34208c532cee9b0426cefe6d7b6e27753005dfb116601e9620a7d5640

SHA512
323c9d117b8978e6f37a4cf27f3b37e4e15b347e686213da4bfd605f379c44aae3a5a9ae2a2b8aa1f2bb926225725074cd828c9558d0b7ab555dd6a0e8766997

Download Submit
C:\Users\Admin\AppData\Local\Temp\grv1dnyj.pdb

Filesize
7KB

MD5
a2d1aeeea0a422f8266acf24978a3cec

SHA1
564ee5668af2acfa2544f23fe3db46bbe80257cd

SHA256
99cd844865e7d9f5c803c518ae99e968f889653af41d22554ac86bb731fe0852

SHA512
76179cfa1a4028d8ff3c403f26644505ecc6ffc1298af45c32a3243816382036b7621919bcbef86f5de32c2bfc447b6373732e0fc3f4d5cd92dacc21cb1ed757

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC121B.tmp

Filesize
652B

MD5
15efec1fff5a8042639137b49aa7159b

SHA1
84ef96947b9037934a6fb640d234c959930b564d

SHA256
311c56ee47af0afa2a98d591cd5aad29f7eff34fc95390e440a9585b6ab6633d

SHA512
2c42eb6851b9ae59e1ec9435ac066f5cdc569d729aefa79da4542ebf82983c05c4406860eaf9180a64c3c56af06622b67c18e176ad969bef2ebdf21beee5dcd3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\grv1dnyj.0.cs

Filesize
282B

MD5
d625120d410db8487a294c43f3d1ee46

SHA1
0291aa75bb962ef6876e89d3775af4620b287169

SHA256
b935ab97b4b4f12b796c4cf506bb5df3b2686e327b88a8f9032dd2e641968624

SHA512
a4b62ec56858a374986e9d97621f1117d34419652c36f901533fb5835971fe153497e7ec2dc8dd8a5a0b1e26c7461fa03cd55aedec4ee439b91c197f05178921

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\grv1dnyj.cmdline

Filesize
309B

MD5
05536ec73bfee7395ad843907d2211b6

SHA1
c720fbc97f0f594f83b5a706b617ba0a96476952

SHA256
b307098914d37f2afbfa7d91bc48c2cbfb6fb1b93d4603029f316c85af7fef6f

SHA512
7854efcb58ac9a34f0650a0b269abc00c008be2eba942d88164194bd6270634eea5a6094edeb8b498fb5d804ff7dd480ac476e67aa90f7d06b2da7f7458ffc21

Download Submit
memory/1700-58-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download
memory/1700-62-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/1700-61-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/1700-60-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/1700-76-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/1700-59-0x0000000001F90000-0x0000000001F98000-memory.dmp

Filesize
32KB

Download
memory/1700-79-0x000000000257B000-0x00000000025B2000-memory.dmp

Filesize
220KB

Download