5fba92b48687b8cbaf19410ed222c6a77443bb146ffbcdf432c7d59381ca1567

Resubmissions

21/04/2023, 18:11

230421-wslxpahc47 3

21/04/2023, 17:23

230421-vylnfaha68 3

21/04/2023, 17:21

230421-vxcddaha62 1

Analysis

max time kernel
134s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2023, 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ACMobile.UWP_3.13.9.0_Test/Add-AppDevPackage.ps1
Size

36KB
MD5

d4314b32d1a7d3622c083da53e7b62fb
SHA1

7495dbaaf794fd896560969681cb247dff2194ef
SHA256

afa90d0699ad7ee3644b74903fdfe8d3efcef216710d77594ab98a74fe1f55b9
SHA512

c64acf9a1ae326a396752365dc38e4ce255320da2a2fcdd7fc12d79a8e6e0f1147330b84c3398015e73e95fe8324622cbacb544cbb4f5b07f5a65d8b7916733a
SSDEEP

768:9qm7sDio+bTVYIBCesTW1jB0dtRKIosiBDTp329SGMacePtRJfB78r:deI1sTZRfi1d329SL0FZY

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3772	powershell.exe
3772	powershell.exe
3772	powershell.exe
3772	powershell.exe
3772	powershell.exe
3772	powershell.exe
3772	powershell.exe
3772	powershell.exe
892	powershell.exe
892	powershell.exe
892	powershell.exe
892	powershell.exe
892	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 1060	3772	powershell.exe	84
PID 3772 wrote to memory of 1060	3772	powershell.exe	84
PID 1060 wrote to memory of 1824	1060	csc.exe	85
PID 1060 wrote to memory of 1824	1060	csc.exe	85
PID 3772 wrote to memory of 3932	3772	powershell.exe	88
PID 3772 wrote to memory of 3932	3772	powershell.exe	88
PID 3772 wrote to memory of 892	3772	powershell.exe	90
PID 3772 wrote to memory of 892	3772	powershell.exe	90
PID 892 wrote to memory of 3908	892	powershell.exe	92
PID 892 wrote to memory of 3908	892	powershell.exe	92
PID 3908 wrote to memory of 5020	3908	csc.exe	93
PID 3908 wrote to memory of 5020	3908	csc.exe	93
PID 892 wrote to memory of 4384	892	powershell.exe	99
PID 892 wrote to memory of 4384	892	powershell.exe	99

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ACMobile.UWP_3.13.9.0_Test\Add-AppDevPackage.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a1gv3pcf\a1gv3pcf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82F0.tmp" "c:\Users\Admin\AppData\Local\Temp\a1gv3pcf\CSC88A5E9E5D1D4B719970E9C6AFDA9FFD.TMP"
    3⤵
    PID:1824
- C:\Windows\system32\certutil.exe
  "C:\Windows\system32\certutil.exe" -verify C:\Users\Admin\AppData\Local\Temp\ACMobile.UWP_3.13.9.0_Test\ACMobile.UWP_3.13.9.0_x86.cer
  2⤵
  PID:3932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -file "C:\Users\Admin\AppData\Local\Temp\ACMobile.UWP_3.13.9.0_Test\Add-AppDevPackage.ps1" -GetDeveloperLicense -CertificatePath "C:\Users\Admin\AppData\Local\Temp\ACMobile.UWP_3.13.9.0_Test\ACMobile.UWP_3.13.9.0_x86.cer"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lsxgtebb\lsxgtebb.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3908
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F44.tmp" "c:\Users\Admin\AppData\Local\Temp\lsxgtebb\CSC6D9C8A61A8534261A3D3C081E944B433.TMP"
      4⤵
      PID:5020
- - C:\Windows\system32\certutil.exe
    "C:\Windows\system32\certutil.exe" -verify C:\Users\Admin\AppData\Local\Temp\ACMobile.UWP_3.13.9.0_Test\ACMobile.UWP_3.13.9.0_x86.cer
    3⤵
    PID:4384

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
1⤵
PID:4376

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
1⤵
PID:4196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\APPX.ecncqgoz9tuwnb_mwpr1r7eoh.tmp

Filesize
1KB

MD5
ff363a8643bf14f5880c92ebabe873bf

SHA1
5900c9eadb831d0555ea26a77d988e60be49fd51

SHA256
4ab1dbae2e034cae492e3345d619d5b86e99db02b9b251b19f6f0f5f1dc54f7d

SHA512
906db6e23b159832d30d278c92b78fdb16df9d85a42fa6ffb14a7f059c7dfc13f83119013f44f8bcbff6027f2a40903bacc0ca5d6fa8b5b2864328bfefa75e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\APPX.ey3u_wlgsce0f1tx49e_qkugc.tmp

Filesize
338B

MD5
98dc0abbca5be2f9ce9e1816a8d526af

SHA1
b96230531a9ab54b52ecd34f2f9dad9be47ab0be

SHA256
630e77651ff6164d5fd984b4646da223027dcb42c002b3f1ea95173f3dead8cb

SHA512
7f979b21db1bd84d9709bd48d49a80ae6f7bc8315d660874e573bdbdfe66a0517a96a9135a25749545e4dd4a7c518d34a28d4cd719e4730797f7c6a8bcc472df

Download Submit
C:\Users\Admin\AppData\Local\Temp\APPX.x39h_0hxk8r0oz67atescvw2.tmp

Filesize
1KB

MD5
1e3e9426b2b7090d86c9173101be7777

SHA1
f4c6df39277e060ddf96e8431499e880a4007ca6

SHA256
626e415589b459bb1e4f44452298be280a243a92cfdd5077acb142630b653583

SHA512
ccf2a3922d35dabd196988612954d650ea70660c79418355275bed149588b1bc25e43d3a05f0693d31b3bc3387c666428fa65e625ad56010feeeb9f1a5de9c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES82F0.tmp

Filesize
1KB

MD5
27ebc4c7f5c69b1e733be63ea045e063

SHA1
34533ef35fe7be7f27add1658cb32a53d2d12057

SHA256
2517138e4659dfd9ec2f51d4ba0c6c301b8efc525984de33c0330d3b12611f13

SHA512
6067dbbbcc45ace89970486c185f6f12aba87839f460a62abc9db396ee0d410f29fcd79f526246d349c2f99f1694d5a67d15b37dfb988a577faf1115ee815e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8F44.tmp

Filesize
1KB

MD5
7fb6a22f061f09c16c5128de6251f01e

SHA1
848e81686488b748a8af680c0095bbe94072dc0a

SHA256
00f5e4c14febc3094a53c5bbf0cbbeb49f218ac8fe12c93bd321861364b383fb

SHA512
0c0bdc85d8336182f626490b3a5df8e0525e60d8e23b53f95d9f803cc8064a4a89822fb7558aadfd43c07bf8753e1dc8eed9f5ad531de5e44662b2bd9edbb4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n3wj1qbj.ms2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1gv3pcf\a1gv3pcf.dll

Filesize
3KB

MD5
8aac506945eb8ea2f4cae967a560ced6

SHA1
17d6530c6881560e2d1c31193dc18ce4e5a802c1

SHA256
6589aafd1044d72fe963f80c05e9f72f1bb696385b734c8762d3377797a33425

SHA512
0a1672d9657bd9e50b4f26c1e2cd8c2649bbe27003018e3a3ce660cd1283e82b9592d71be06a333183feaa816a6ff46c1015b8426d2ad713b57550ba4a91d90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsxgtebb\lsxgtebb.dll

Filesize
3KB

MD5
321841fee25213eeba5e6c9dadd1a682

SHA1
6991d31269cb2ab26c946fa0bc52ff5b6ed3be67

SHA256
1851507bdbd6608e883c8d8b336b57b6caab06310147fe2bc9dec0f80a6623c2

SHA512
33dda1a59c7485c13e76ce5e8d1a32acfd66c6b91f46d7f48fd8700f42b4e6f740bd3a63044bcd7a95bf63086b592178ea229a89181a0af69c0d08c4c9c6b585

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a1gv3pcf\CSC88A5E9E5D1D4B719970E9C6AFDA9FFD.TMP

Filesize
652B

MD5
7bf54653efea2e5e6ca198222132a130

SHA1
3e163c7bbc86d60bd1479b49057a94eeb60cb0bd

SHA256
f7d16dcd20179b344e567f226e7174f161b15a2b27c9218ebf8ff3d1fda579d5

SHA512
5154239cbb4e3c8ebe9ee00b61f8d1fbf3e750c8fd745d246efc106f1480f767bda740e56a2f44be001bacf59e44d2522a4103c9bd56568e10813b39b8f0ef15

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a1gv3pcf\a1gv3pcf.0.cs

Filesize
282B

MD5
d625120d410db8487a294c43f3d1ee46

SHA1
0291aa75bb962ef6876e89d3775af4620b287169

SHA256
b935ab97b4b4f12b796c4cf506bb5df3b2686e327b88a8f9032dd2e641968624

SHA512
a4b62ec56858a374986e9d97621f1117d34419652c36f901533fb5835971fe153497e7ec2dc8dd8a5a0b1e26c7461fa03cd55aedec4ee439b91c197f05178921

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a1gv3pcf\a1gv3pcf.cmdline

Filesize
369B

MD5
8286e7e81ffc07f9c446bb473aeab0b4

SHA1
6112cf81fe9a68aec5be69248f32e1c721aaf486

SHA256
67bee1a3d621ccb10179b0f6d56c1e88e53cf3a4a382a0d59618656a2b969d2e

SHA512
6ba54a92dbe8470c83bffc146a7273ce909242a698703c7a8b2203e757c9c08fde05bdf822c8f7a923a50b7d66478df9e0c7f517a34ec4d3cc455b542f4eb44e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lsxgtebb\CSC6D9C8A61A8534261A3D3C081E944B433.TMP

Filesize
652B

MD5
0373bafcd34f5726e33d5ff80b0f53fb

SHA1
2815dc8ee136926786ccd92e8162c638339ab431

SHA256
16bb67b3f68dce8031bbf13d993c5eef7dc97fb57f63aa06cf0b7310e7d0e965

SHA512
68dce386fb930941394750df34b2b3236c8a691803660f1129a97139d5e5b412a7431fbf86756b6dfd6a4d21eb797e5dd11c05c06e53c4df2327fbfcfae76083

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lsxgtebb\lsxgtebb.0.cs

Filesize
282B

MD5
d625120d410db8487a294c43f3d1ee46

SHA1
0291aa75bb962ef6876e89d3775af4620b287169

SHA256
b935ab97b4b4f12b796c4cf506bb5df3b2686e327b88a8f9032dd2e641968624

SHA512
a4b62ec56858a374986e9d97621f1117d34419652c36f901533fb5835971fe153497e7ec2dc8dd8a5a0b1e26c7461fa03cd55aedec4ee439b91c197f05178921

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lsxgtebb\lsxgtebb.cmdline

Filesize
369B

MD5
cf8354cd531e7410fb5ad8b37e02fd96

SHA1
caca28479e90b89a46e7f79f73cf4f3de583d5c0

SHA256
d7c5aff424577d6f4d1631ada776cf8e638b17a33a0f8e345e6c76464fae7b33

SHA512
0cb251a866cee1c6970510a0407a6efc65a176ee6a3b75d8d67852d77436a76241c0eeba868b76afde5fba93bb65cfa60b637d700673019cd71bd04ba524dfda

Download Submit
memory/892-226-0x000001756CEC0000-0x000001756CED0000-memory.dmp

Filesize
64KB

Download
memory/892-228-0x000001756CEC0000-0x000001756CED0000-memory.dmp

Filesize
64KB

Download
memory/892-227-0x000001756CEC0000-0x000001756CED0000-memory.dmp

Filesize
64KB

Download
memory/892-207-0x000001756CEC0000-0x000001756CED0000-memory.dmp

Filesize
64KB

Download
memory/892-208-0x000001756CEC0000-0x000001756CED0000-memory.dmp

Filesize
64KB

Download
memory/892-209-0x000001756CEC0000-0x000001756CED0000-memory.dmp

Filesize
64KB

Download
memory/3772-195-0x0000023F432C0000-0x0000023F432CA000-memory.dmp

Filesize
40KB

Download
memory/3772-144-0x0000023F43000000-0x0000023F43022000-memory.dmp

Filesize
136KB

Download
memory/3772-223-0x0000023F27150000-0x0000023F27160000-memory.dmp

Filesize
64KB

Download
memory/3772-224-0x0000023F27150000-0x0000023F27160000-memory.dmp

Filesize
64KB

Download
memory/3772-225-0x0000023F27150000-0x0000023F27160000-memory.dmp

Filesize
64KB

Download
memory/3772-139-0x0000023F27150000-0x0000023F27160000-memory.dmp

Filesize
64KB

Download
memory/3772-138-0x0000023F27150000-0x0000023F27160000-memory.dmp

Filesize
64KB

Download
memory/3772-145-0x0000023F27150000-0x0000023F27160000-memory.dmp

Filesize
64KB

Download