926b7025f57dd7f37fa5e0bfd9b579921a5c9f3232e10976cc11655c56e60842

Analysis

max time kernel
72s
max time network
30s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30-06-2023 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

huzirJe7.ps1
Size

3KB
MD5

b528b6acde1fde1db170cf6a2973b9db
SHA1

e75a4930abbde02d8669362f46aa95124dae5062
SHA256

926b7025f57dd7f37fa5e0bfd9b579921a5c9f3232e10976cc11655c56e60842
SHA512

f34f5db24a0e85acd6aa4fe0633707decf03e93a7857ed87e64ef8b58c3de10ff00ca35d1302b32c21d74375d899f3a635f40b53a0cfb2f84e0ec8369a8c0458

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1716	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 520	1716	powershell.exe	29
PID 1716 wrote to memory of 520	1716	powershell.exe	29
PID 1716 wrote to memory of 520	1716	powershell.exe	29
PID 520 wrote to memory of 1096	520	csc.exe	30
PID 520 wrote to memory of 1096	520	csc.exe	30
PID 520 wrote to memory of 1096	520	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\huzirJe7.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kkd5wmq5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES515D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC515C.tmp"
    3⤵
    PID:1096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES515D.tmp

Filesize
1KB

MD5
82f525ef6e140b2d81325b1e34b548ac

SHA1
efb8412da149e339ddb7112ef046025c0de2c8b4

SHA256
e28dcb0d3a8e774852644b5ead24f10b312ad8c5122844f4f0a5c97487b40454

SHA512
66d64d62ed64805c956d89df5e4b7af9998b86f4f7894153a7fe0feef95616b0dfc872345939f0627330f53c26dea2d9b1c8893102127835ef792d86d99fbb34

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkd5wmq5.dll

Filesize
3KB

MD5
ac0e3b0cda96cf803bd6694476a2d2f4

SHA1
f085b2169dc443526bf1ff4fd41bd6dfb66fdccc

SHA256
f68a013070d81751d48a5388692e2b5a0ca5ac6c73ee431a8eea49c68e949773

SHA512
959f87ec3c056ba2d109978dd1ad2572b374a92d9920a34525ca3c3db895ae13f432dc8dd08287b0f6405cb88a8e921cfa3e2b8d5b995b80a1cd86657511e19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkd5wmq5.pdb

Filesize
7KB

MD5
d3332aa1f877967a14205698d869854f

SHA1
a9ab6cd632ab89e7116fe5c602a8529f684008f9

SHA256
dea81eba786ed1d06a44d9169c01a15cc9124a2e4b1bc27f1e9ae598ddb24659

SHA512
d1d2d7971b8994dba4de3f3abc51660f1af09360de8e07fca7438cae355fa5c7c1cbc4897292db68da3da8e07ac404816076c90e67b3a28f67f4f6cdd1dc6c45

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC515C.tmp

Filesize
652B

MD5
494c8491dabf77073f401ad253a347bc

SHA1
045a867293bb36819706770b79ba5e1ab92877d9

SHA256
5e505322b8c3d285c0baeb77ed01fcb03e82cb279c3c16f5ea6ca4d6f4284562

SHA512
deba6ef21e54edec529d1c503000accc90347c8c5e2c7a22d35961e2e316a096d5857e3a1f10d0ba547d0c6f4bebeb65f1493943a41c999f9225ff4030786f91

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kkd5wmq5.0.cs

Filesize
675B

MD5
3e2a040032b75fca2a5d6e9fa22d7487

SHA1
278de94e7227bab9079d9478cf65fe276b3932d3

SHA256
c35aa6ae8d0940a03d99de26a1e271977c1e8b1c5a71f4c24885976dec3ea09b

SHA512
7bbf27a6212556a96f45a693a215767d01f26547bcfa59760558c4bf781a3b8acdb45e36dcc1bbcb6eefaeefa18700a57b6fe4595ded125299e2483be5f8d5a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kkd5wmq5.cmdline

Filesize
309B

MD5
753d093fe2eed8206d8a81b9ebf2d509

SHA1
d102b4666c2935388b36c6397768a1322af0c3e8

SHA256
7de89db690cb4313884ab6ecb5d07fa605daf266ebad07916e8e895f822b18a3

SHA512
5a1bbed4fe40720f1ea7219f6c64ee57b29a6f4ef99147e9e9a8155754c5be766569b7ff109bb1c8990f29c10e9e7757fe9532aaf1237034cc2bc04587865339

Download Submit
memory/1716-68-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/1716-65-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/1716-58-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/1716-67-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/1716-66-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/1716-77-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/1716-59-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download
memory/1716-80-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/1716-81-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/1716-82-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download
memory/1716-83-0x0000000002450000-0x00000000024D0000-memory.dmp

Filesize
512KB

Download