602160803e99b9fe3005512d4d15d95b3f144c0ae2a03bb9d5e67dfa5a8ac170

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2023, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MENzMPst.ps1
Size

3KB
MD5

eb01efdab1d04d64efe17e6f61cfdbcc
SHA1

21e09ccb4b96d9aa643eca5b90a4fdef3e2ef1b2
SHA256

602160803e99b9fe3005512d4d15d95b3f144c0ae2a03bb9d5e67dfa5a8ac170
SHA512

47b15ee7843be7bf45f0de6c007230d5498831af5c33d07197776eadf4375b280b52d6cee98696a26856a42b3a4eb6a5032f35fd8ca9cd5b80b74884d415a691

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
60	668	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
668	powershell.exe
668	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	668	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 1424	668	powershell.exe	86
PID 668 wrote to memory of 1424	668	powershell.exe	86
PID 1424 wrote to memory of 3660	1424	csc.exe	87
PID 1424 wrote to memory of 3660	1424	csc.exe	87

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\MENzMPst.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\getpl5in\getpl5in.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6815.tmp" "c:\Users\Admin\AppData\Local\Temp\getpl5in\CSCB47CA092BF7946668E4CB32636B96E.TMP"
    3⤵
    PID:3660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6815.tmp

Filesize
1KB

MD5
d67cc763531fb73e8f572b9f9df61053

SHA1
fabceb8e1de837c146930be1735f91094db899f7

SHA256
52b943a77e38651b1cf1579f731094b3f3faab3e1b7883c493f6eebfee261351

SHA512
e850d34d0e51fa4d65a3b5ba2d3f25cfa77e1e8f1d9d9081d09ed1953a2827a81657aab01bc5d6ee810fce763de71c145700d039da422e8ad086f21d14ac9f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c1ihotm4.zqr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\getpl5in\getpl5in.dll

Filesize
3KB

MD5
6fea51184338da7c4da603667e0c12f6

SHA1
7221fd260f826d044b0c4bc0b8ddbbcc49bf6c7c

SHA256
422327e6853c5dbb2b563e348e9fa84fd73292c18fe46c4d65cad3155457d94c

SHA512
1c9a5ba03c6fefa3080bb4122828f2286595987724b733a37ae31777b76d698f1c4b0c63acd69633beef519b3a4fbf0ecca11acbf41a612fc30e3f3198527f9c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\getpl5in\CSCB47CA092BF7946668E4CB32636B96E.TMP

Filesize
652B

MD5
5520ffde8e4c76fe9e454bf4be98fba5

SHA1
5e11c81b89aed28cab9e5adc4f97f2247947522b

SHA256
89a2ec254522fff3078b12ff777d9ec90a7af68e2b7ff4656f29f9e23bd7bf9d

SHA512
936ce7a5c33a07ab786c23256ed3d5621d12a0415f84d1c069cbebe5fac4b0724667298b1c060cd88661f512e1071689b0b4a0b3cd83c730a959bffddff94182

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\getpl5in\getpl5in.0.cs

Filesize
675B

MD5
3e2a040032b75fca2a5d6e9fa22d7487

SHA1
278de94e7227bab9079d9478cf65fe276b3932d3

SHA256
c35aa6ae8d0940a03d99de26a1e271977c1e8b1c5a71f4c24885976dec3ea09b

SHA512
7bbf27a6212556a96f45a693a215767d01f26547bcfa59760558c4bf781a3b8acdb45e36dcc1bbcb6eefaeefa18700a57b6fe4595ded125299e2483be5f8d5a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\getpl5in\getpl5in.cmdline

Filesize
369B

MD5
69aeb4f0b7949e015f566951fdaaa44d

SHA1
02c225e64371123e2996583aba812550ba7cf8dc

SHA256
f9f8198f89b78a40252ec5429c71dac791e2171027825e4d6b2bc9df0abdebbc

SHA512
08417db7f9f1826f1a4633990e84f63b8693f5c60ac8ca8cfbe52b87e947afeb38f3caa13291b16a6fea52c91667ac9cf2c0dfd39221db7a6ec4096c28249b72

Download Submit
memory/668-144-0x0000013744FB0000-0x0000013744FC0000-memory.dmp

Filesize
64KB

Download
memory/668-140-0x0000013744FB0000-0x0000013744FC0000-memory.dmp

Filesize
64KB

Download
memory/668-139-0x0000013744F10000-0x0000013744F32000-memory.dmp

Filesize
136KB

Download
memory/668-157-0x0000013744FB0000-0x0000013744FC0000-memory.dmp

Filesize
64KB

Download
memory/668-159-0x0000013744FB0000-0x0000013744FC0000-memory.dmp

Filesize
64KB

Download
memory/668-160-0x0000013744FB0000-0x0000013744FC0000-memory.dmp

Filesize
64KB

Download
memory/668-161-0x0000013744FB0000-0x0000013744FC0000-memory.dmp

Filesize
64KB

Download