ea0336971fd9a9bcc0fa55841786fefabf218ec73f44b2cb30ba8800077cb67d

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2023, 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qAZ4uuQt.ps1
Size

3KB
MD5

bb329126116c33d4106f5384c94e356b
SHA1

1cb6e85cd1399ff101a40166c152bfdfb6cedaf7
SHA256

ea0336971fd9a9bcc0fa55841786fefabf218ec73f44b2cb30ba8800077cb67d
SHA512

9b3c5b4240e52596c05c9903f9df94dbeef369e817b79925c2e9f2cfb554254816af4a87508b51716a9a3488cd392de8e8cfdfcc273ca26cfd1bc6a7ff1f12b5

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2360	powershell.exe
2360	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2144	2360	powershell.exe	86
PID 2360 wrote to memory of 2144	2360	powershell.exe	86
PID 2144 wrote to memory of 520	2144	csc.exe	87
PID 2144 wrote to memory of 520	2144	csc.exe	87

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\qAZ4uuQt.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qq1dfxrl\qq1dfxrl.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9242.tmp" "c:\Users\Admin\AppData\Local\Temp\qq1dfxrl\CSCD10D4BCF6674462DAF99C44BDDF96DBC.TMP"
    3⤵
    PID:520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9242.tmp

Filesize
1KB

MD5
c36701078804e5f7492669172791b160

SHA1
70116473408657464c09cf976b7ceb040981e86f

SHA256
72f082746d00c90928bf13d58b519fc4cf85f4d3719370329708aece7507d1fe

SHA512
9d8e322c173e8b8d19dbe6f3072a3919e3a3e5b87ffafa399631d7cbb3b450e91fcbcbf3da04f9b58b86b95e4defb854fea88392348182e02ff098f02dda8283

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5dat4zx3.xpf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qq1dfxrl\qq1dfxrl.dll

Filesize
3KB

MD5
ced1cb3ef443c3b7dae671f77653d729

SHA1
209b58d332b30c50c7498f05c870af8814ba1123

SHA256
8ccabe382c3d326bde1d568d7276c1ec0f7b50f03f167d950edf8a1e08ebfd06

SHA512
d89f1fae0ed500ee485a0f7527b5707a4270ab5cc0f550ece460ff28039a06dbcdf87156632f414b6bf230878723ce4604750ef44287943839d6c80b21846384

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qq1dfxrl\CSCD10D4BCF6674462DAF99C44BDDF96DBC.TMP

Filesize
652B

MD5
fbf277c2bed740ba0b31dfc3b625bfc4

SHA1
2e974ae2fb89039dfe486f2a01e83836f25d624e

SHA256
c73b66475c19081da1ec2447aec24ad6ccdc99fb6c772ba6422b6401b2c8b6b1

SHA512
35a5a6b98e9db766f26d390d9ddaaa1e14f106c1bfc257d60bd66a3ff31aecbe351ac9b889c0f91a29e98edcdab535a031c853229a13c7e80a2a43a81fa0f3bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qq1dfxrl\qq1dfxrl.0.cs

Filesize
675B

MD5
61a7afcfb915aa8b873e11a8494b0f2e

SHA1
893ce0a14d8cc37c7266425a5c05d358f0c2c7d3

SHA256
fdd65a6b830b7e3ab5d114f9f9aa5bdf4e47bbf0ed784389b6d6fd454c708470

SHA512
2c8d4dedc6ac8ce594ae06696fc1a23fb9ab4eee04168663ef24dc1092d29f3145c782e02e49f9e6562877ead1ec596873fb623679691b824a07db0c71e5c46d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qq1dfxrl\qq1dfxrl.cmdline

Filesize
369B

MD5
b00b1d1d51cc7132301f608175baed69

SHA1
e8c7f52bfdb5c5c421923845ea07c24c1ef67983

SHA256
38ed60bd1c29c48ad185c51599143f2003756408ebf7bc41b2e9978d7b10da07

SHA512
9ae8005972df11d7ba55af50cd3d6e4b2dc81117d95d609d25b0f5038928e87b821423a11c90936862d4862f060b3937bd04ab9f11ca813f24b998de80726113

Download Submit
memory/2360-150-0x0000023FC8B80000-0x0000023FC8B90000-memory.dmp

Filesize
64KB

Download
memory/2360-149-0x0000023FC8B80000-0x0000023FC8B90000-memory.dmp

Filesize
64KB

Download
memory/2360-148-0x0000023FC8B80000-0x0000023FC8B90000-memory.dmp

Filesize
64KB

Download
memory/2360-157-0x0000023FC8B80000-0x0000023FC8B90000-memory.dmp

Filesize
64KB

Download
memory/2360-158-0x0000023FC8B80000-0x0000023FC8B90000-memory.dmp

Filesize
64KB

Download
memory/2360-142-0x0000023FB0630000-0x0000023FB0652000-memory.dmp

Filesize
136KB

Download
memory/2360-159-0x0000023FC8B80000-0x0000023FC8B90000-memory.dmp

Filesize
64KB

Download