12973ee847edb898e705716046e6c81b86709f85a9a60a73fd17280963aba826

Analysis

max time kernel
124s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2023, 06:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

A9BFeimw.ps1
Size

3KB
MD5

e02fc646a9299c2d8f1812327236eca4
SHA1

13712dc6272bd9e580acce92cdb9e0525c670ec1
SHA256

12973ee847edb898e705716046e6c81b86709f85a9a60a73fd17280963aba826
SHA512

3268dc87dde6611fc459e1d233566709376eccb5196781d32497ee9390847cd09c3fe3ca80b320592d7764430242fc27be5b4f0aa041dc7a0f4b5e70e817d499

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.mail.com
Port:
587
Username:
[email protected]
Password:
Dung@@0931817708

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
58	3788	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3788	powershell.exe
3788	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3788	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 3176	3788	powershell.exe	86
PID 3788 wrote to memory of 3176	3788	powershell.exe	86
PID 3176 wrote to memory of 4856	3176	csc.exe	87
PID 3176 wrote to memory of 4856	3176	csc.exe	87

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\A9BFeimw.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0r45ullx\0r45ullx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A91.tmp" "c:\Users\Admin\AppData\Local\Temp\0r45ullx\CSCF5F96E388EC94D7DB3BD1214253A074.TMP"
    3⤵
    PID:4856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0r45ullx\0r45ullx.dll

Filesize
3KB

MD5
f6434bb0a367d972c2dc232a2f723d86

SHA1
4033988347644047583a8db814bd431da4c0104b

SHA256
9f88fb629fbbc5d65d0dbb8cd0fa59f1b3f84a845e76df6ecdb94e96959d8fd6

SHA512
7f988d7e615b8c36d77df340d0d5686f7620db0afd095640ab05185520330ce5b70562bf64236d2308fcd0818ca1dbaab71c2b5de1037bae1db2d3657970e62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8A91.tmp

Filesize
1KB

MD5
cdaa8d3b5594a5fef1436eb51c14dd1e

SHA1
d846294475175d37c0c0342e1255dbd7696640f1

SHA256
468ac5b97bb8f0564de4d21e4ee4c587dbf3327c7650b5c8b459fab29cadf265

SHA512
12a02f116a2f00972a9ec5771c21a46710a3b68e7f748a8c2371c849e5e2f04180c56f70818c1267e6595cf57f4bfa7f78eea55600ad9f6b3646134e9e61e65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sri5v5qk.vpf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0r45ullx\0r45ullx.0.cs

Filesize
675B

MD5
3e2a040032b75fca2a5d6e9fa22d7487

SHA1
278de94e7227bab9079d9478cf65fe276b3932d3

SHA256
c35aa6ae8d0940a03d99de26a1e271977c1e8b1c5a71f4c24885976dec3ea09b

SHA512
7bbf27a6212556a96f45a693a215767d01f26547bcfa59760558c4bf781a3b8acdb45e36dcc1bbcb6eefaeefa18700a57b6fe4595ded125299e2483be5f8d5a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0r45ullx\0r45ullx.cmdline

Filesize
369B

MD5
7094f6fc1f94f93b4d2b3be1869dc82d

SHA1
5b0c54bf1564f789d31a426436f40e382d442a90

SHA256
5ce7e89b94a9cc5984ccbe224d64829834ba83bdbb9f1a0ea596c7d295a1a4eb

SHA512
e30a17ce2a990d7ffbb0a3c4d4cab900296b1418107d95f0e642072039dc9b9530b49299e89a00b7961cf701c5ba82dbf50e69ad0705b7f6734b64acb5cc3268

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0r45ullx\CSCF5F96E388EC94D7DB3BD1214253A074.TMP

Filesize
652B

MD5
e5b8397c3428b883464426160721de55

SHA1
1d4fc44a784db8407969a29d437f7a8fe6cc3b83

SHA256
c1d51477aa4d7dafa957943e7c8780cba349721755fc20657e164723b580fa2f

SHA512
b3678a604fd37674ea6e605321946171c7e8e2fc6de00458edba449632765dc1881f13eb4f372cf64026d7653b45502136fcf4582dbbdf324cd71aadb5a7a795

Download Submit
memory/3788-138-0x000001566EA90000-0x000001566EAB2000-memory.dmp

Filesize
136KB

Download
memory/3788-148-0x000001566E9E0000-0x000001566E9F0000-memory.dmp

Filesize
64KB

Download
memory/3788-149-0x000001566E9E0000-0x000001566E9F0000-memory.dmp

Filesize
64KB

Download
memory/3788-150-0x000001566E9E0000-0x000001566E9F0000-memory.dmp

Filesize
64KB

Download
memory/3788-159-0x000001566E9E0000-0x000001566E9F0000-memory.dmp

Filesize
64KB

Download
memory/3788-160-0x000001566E9E0000-0x000001566E9F0000-memory.dmp

Filesize
64KB

Download