926b7025f57dd7f37fa5e0bfd9b579921a5c9f3232e10976cc11655c56e60842

Analysis

max time kernel
155s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2023 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

huzirJe7.ps1
Size

3KB
MD5

b528b6acde1fde1db170cf6a2973b9db
SHA1

e75a4930abbde02d8669362f46aa95124dae5062
SHA256

926b7025f57dd7f37fa5e0bfd9b579921a5c9f3232e10976cc11655c56e60842
SHA512

f34f5db24a0e85acd6aa4fe0633707decf03e93a7857ed87e64ef8b58c3de10ff00ca35d1302b32c21d74375d899f3a635f40b53a0cfb2f84e0ec8369a8c0458

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
47	4696	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4696	powershell.exe
4696	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4696	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 4484	4696	powershell.exe	84
PID 4696 wrote to memory of 4484	4696	powershell.exe	84
PID 4484 wrote to memory of 3504	4484	csc.exe	86
PID 4484 wrote to memory of 3504	4484	csc.exe	86

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\huzirJe7.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xj4lehpv\xj4lehpv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7AE.tmp" "c:\Users\Admin\AppData\Local\Temp\xj4lehpv\CSC36B6F52A8F904E82857673C047356361.TMP"
    3⤵
    PID:3504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA7AE.tmp

Filesize
1KB

MD5
93fc6979987d485f3035f4ba76496037

SHA1
4a2936de5ea7ec944e84294b680d2e6265ca2777

SHA256
635b687cb3a8d2205a576fac35487bc4e9f86ab6dfc390aeab985c9c37ecf984

SHA512
994a2dacc5c044f2218ca883793b7667427c0c87424fcf5fbc0735267f2f519d6e7a09687a4bf99d87894717826dbc101a5debb88a26f5256f15d3575b280dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lwjsiv02.u0g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xj4lehpv\xj4lehpv.dll

Filesize
3KB

MD5
60f7d0dbf088fadba9e72d24f9ee57ea

SHA1
07529a73f346fb0212dc8bfd246c0417d8150348

SHA256
d2583a194085d9cf33b6e6157d37e962d6465ac1460850aaad729593f4f0c321

SHA512
1ed8db25f77019e8231a6606326c913df6a9dbdc4fc8af5dad422ae431c4c75e39d438551ba962512730241fff29aeb6dd39b0c73eca55d7dcb5c338d651237b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xj4lehpv\CSC36B6F52A8F904E82857673C047356361.TMP

Filesize
652B

MD5
e9ff1a5a2f69dc825da50f3ae0702ec0

SHA1
ee54a7692a9b3bfed295cb29d7543967fc8d3fd4

SHA256
ea288aa8638cf05479189b83fc2d2864636fddd9ed71de0cd0852bba3b89f82e

SHA512
ac081be5e0764cef57638b86bdbecfbc61a4e5a6160a25f0bda4f87a5957b7d255fa5cbf47490e3c6562e361e458d34aa846dc7655c3781f095360b61796589a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xj4lehpv\xj4lehpv.0.cs

Filesize
675B

MD5
3e2a040032b75fca2a5d6e9fa22d7487

SHA1
278de94e7227bab9079d9478cf65fe276b3932d3

SHA256
c35aa6ae8d0940a03d99de26a1e271977c1e8b1c5a71f4c24885976dec3ea09b

SHA512
7bbf27a6212556a96f45a693a215767d01f26547bcfa59760558c4bf781a3b8acdb45e36dcc1bbcb6eefaeefa18700a57b6fe4595ded125299e2483be5f8d5a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xj4lehpv\xj4lehpv.cmdline

Filesize
369B

MD5
8f18fdfcd6dfb0c6199512da4bbbfd40

SHA1
6d3f73464e364cafc5394c5507d47f1b8480b731

SHA256
d9044aec7c7d0529c7ad2a2a1b5ead5a2c0fd60acda82b3d2924ecf20f502d10

SHA512
01bd308b9322bf0387c8133bfc3be7f4ca4fd62944bc65a200ca51ad769e8f918c54c2183d252529a29761e7570bb7f2d7efb7f79f6711b6718f4e3314ab147b

Download Submit
memory/4696-150-0x00000205FC7B0000-0x00000205FC7C0000-memory.dmp

Filesize
64KB

Download
memory/4696-148-0x00000205FC7B0000-0x00000205FC7C0000-memory.dmp

Filesize
64KB

Download
memory/4696-147-0x00000205FC7B0000-0x00000205FC7C0000-memory.dmp

Filesize
64KB

Download
memory/4696-142-0x00000205FC830000-0x00000205FC852000-memory.dmp

Filesize
136KB

Download
memory/4696-159-0x00000205FC7B0000-0x00000205FC7C0000-memory.dmp

Filesize
64KB

Download
memory/4696-160-0x00000205FC7B0000-0x00000205FC7C0000-memory.dmp

Filesize
64KB

Download
memory/4696-161-0x00000205FC7B0000-0x00000205FC7C0000-memory.dmp

Filesize
64KB

Download