602160803e99b9fe3005512d4d15d95b3f144c0ae2a03bb9d5e67dfa5a8ac170

Analysis

max time kernel
61s
max time network
34s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30/06/2023, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MENzMPst.ps1
Size

3KB
MD5

eb01efdab1d04d64efe17e6f61cfdbcc
SHA1

21e09ccb4b96d9aa643eca5b90a4fdef3e2ef1b2
SHA256

602160803e99b9fe3005512d4d15d95b3f144c0ae2a03bb9d5e67dfa5a8ac170
SHA512

47b15ee7843be7bf45f0de6c007230d5498831af5c33d07197776eadf4375b280b52d6cee98696a26856a42b3a4eb6a5032f35fd8ca9cd5b80b74884d415a691

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1168	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1168	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 332	1168	powershell.exe	29
PID 1168 wrote to memory of 332	1168	powershell.exe	29
PID 1168 wrote to memory of 332	1168	powershell.exe	29
PID 332 wrote to memory of 1904	332	csc.exe	30
PID 332 wrote to memory of 1904	332	csc.exe	30
PID 332 wrote to memory of 1904	332	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\MENzMPst.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c5bstlmn.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC30.tmp"
    3⤵
    PID:1904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES41.tmp

Filesize
1KB

MD5
9e49ec77214ae3114b8802644ba55f29

SHA1
ca81e21045e79324c91cd7d86d79357acc4f16b4

SHA256
cbedc50fd76bb32e8b18e95871165b0c56da54d578549348fdc89e936c031978

SHA512
9e7d6d317e7c6b5d313454373f3068060663d01489ad1523f602cb23967368dcfb148b27f3c2e897a05c60802b521915a1028e92b11f98557fe32a172e975824

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5bstlmn.dll

Filesize
3KB

MD5
5016181f712da1bfcce6f1f00ca4b9ff

SHA1
53730b4057db5b794a72eb32a5aee721f82a3ec1

SHA256
12dd7abe5594b087bd2e810c1266c3ea18bdcd8fa716b946a381849007f09140

SHA512
4efd6102b83978305052591b915817ba713c9999d7abf2642c9729577b73ea1f49243174fc550b1e1fd9be6081fc6b3afb9742fd285a1f7628247e1e899f4ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5bstlmn.pdb

Filesize
7KB

MD5
037a185a21420ac918cc0bdfa54fd8bb

SHA1
4249bfdd72be3abc150efec21ddb995d90b66c01

SHA256
20f659b3b9f022eec470fc37a790081903896905ba7dc4c7b26051f18fc93109

SHA512
412b4046c234c1390ee803ba7a7285213f03778e4c7aa5318e8f19b7d0f9fce7645a777c888aa4ba4b88785232bfe70a2b96dbb8b7d204f7d304b3d1d705a20e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC30.tmp

Filesize
652B

MD5
8375bc9a312570034fcd7c8bb9bb922d

SHA1
9eda120e368b077734babd59867147d87dd686a8

SHA256
f5d7ad889a49522ae07b62d2a5f7a19ccceb0bd9ab7a0b67e4bf485030d01853

SHA512
e0d9ba47d649b640daf658593ca6748c7ec4470167e129c0f6d9b850740fc6d35be8f1ded94fe8e57c26f0cfb70594b078d5af688143986c23a9b4587089e879

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c5bstlmn.0.cs

Filesize
675B

MD5
3e2a040032b75fca2a5d6e9fa22d7487

SHA1
278de94e7227bab9079d9478cf65fe276b3932d3

SHA256
c35aa6ae8d0940a03d99de26a1e271977c1e8b1c5a71f4c24885976dec3ea09b

SHA512
7bbf27a6212556a96f45a693a215767d01f26547bcfa59760558c4bf781a3b8acdb45e36dcc1bbcb6eefaeefa18700a57b6fe4595ded125299e2483be5f8d5a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c5bstlmn.cmdline

Filesize
309B

MD5
606ab0cda7503a1b3b721d942ab838f8

SHA1
c87a157a97e777eeb9d62cd8c1bd3d926244ca51

SHA256
761ed4c78d5369f8f2c89f49f846e4e72132b62f0f398d740d3456e74a191baf

SHA512
36874b6c5f82bb0e492bd1caa13990a9a350805534f83d4c12c1b89c696008bb22e1afd4e112932031cfc9d83880856241363302ceba2b99e0e80b8a69366f43

Download Submit
memory/1168-75-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/1168-73-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/1168-58-0x000000001B060000-0x000000001B342000-memory.dmp

Filesize
2.9MB

Download
memory/1168-74-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/1168-78-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/1168-59-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/1168-79-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/1168-80-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/1168-81-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/1168-82-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download