0a38ca5cce132728238e773ce5f8081d1a6813dec414995916ea6b878fefa2f6

Analysis

max time kernel
62s
max time network
33s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
01/07/2023, 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ry7z6DrU.ps1
Size

3KB
MD5

1bc07f77fba7a85aaef20997a8f79f60
SHA1

26c898f7018c29f7b72c9db413f09afdc453c889
SHA256

0a38ca5cce132728238e773ce5f8081d1a6813dec414995916ea6b878fefa2f6
SHA512

c3197e0a9a5ffbea19e3a9e2bfd46d7fb50074ff8d00354498f322ae17dba83a19f826095de38405ed59cd17eed5b06ead2c5d550e150354c79bfd065b96622c

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2008	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 588	2008	powershell.exe	29
PID 2008 wrote to memory of 588	2008	powershell.exe	29
PID 2008 wrote to memory of 588	2008	powershell.exe	29
PID 588 wrote to memory of 572	588	csc.exe	30
PID 588 wrote to memory of 572	588	csc.exe	30
PID 588 wrote to memory of 572	588	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ry7z6DrU.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ig5f_ibl.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC61.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC60.tmp"
    3⤵
    PID:572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC61.tmp

Filesize
1KB

MD5
cc0b566ec2c9f288e616a24bf1581380

SHA1
082f4086e9e6b61b4d632c898195bdd87cece0b7

SHA256
3190054adc040a9633c6fbcc75dfdb47b71464859420020d69a35e3ce6e56ee9

SHA512
dfada497063a2424d7aee2bbb6baaeff2b0e7ce80da71518f085dab4440e682f52af783fe10272cb76dcfb823746b6cb9b8112ff539b0f3bd01cddd4e9ada7b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ig5f_ibl.dll

Filesize
3KB

MD5
b4e035823bbee45f33f3700dc4401c98

SHA1
a57c7b3690dbe48e4e6310fba8bf9baac0d0547e

SHA256
99332d222444a4fd5b0f0d10e5df46767b44f60a74d786193e693a449518f594

SHA512
6acb35a59ad5015c8625ca461f9ba691d4f7a50462fa1d595b6bbe0d1c5fd44004fa382c5879ae2b662d51dfcafe078c74eeb0e6b01b3d0b6668003282780677

Download Submit
C:\Users\Admin\AppData\Local\Temp\ig5f_ibl.pdb

Filesize
7KB

MD5
6dcf2216757c4c83eb4dd4740168fa2d

SHA1
e0264b807df56d8dd1223fc8097aab065e94ddd8

SHA256
1c1c2b89ffa6a83761ac70688b96ab164579012febf84f5a0b5cdf380444deb5

SHA512
fdf3b7563c0e3843dc2470b94752034f8b4df7a662d07827ce2f07a51f61e75c093b09c978d19923794ca97cf5c24db3f57b0d6236b8548dab2d391886e92a39

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC60.tmp

Filesize
652B

MD5
a476c7fdd0965b6cc0dbb19724ff64b9

SHA1
9e260cdf1ed9800d51b39f4c8709d0fdefe4600c

SHA256
d127068c72862c9d0d6994ba0f6f860bbbafae802543d5b1a8efbe3f75dabbaf

SHA512
cf8853ac1ce6b1ad05c67305631edc2331abe605877d33a049fe6bea2efe4658b0b3e100aa9c0c2406f7e55256d065d2c5123259be0723ef5b3bf3c08d9e58d7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ig5f_ibl.0.cs

Filesize
675B

MD5
3e2a040032b75fca2a5d6e9fa22d7487

SHA1
278de94e7227bab9079d9478cf65fe276b3932d3

SHA256
c35aa6ae8d0940a03d99de26a1e271977c1e8b1c5a71f4c24885976dec3ea09b

SHA512
7bbf27a6212556a96f45a693a215767d01f26547bcfa59760558c4bf781a3b8acdb45e36dcc1bbcb6eefaeefa18700a57b6fe4595ded125299e2483be5f8d5a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ig5f_ibl.cmdline

Filesize
309B

MD5
f08b3ef01b74f32abdc663b648556b74

SHA1
5ea5cd81ebbc18f3d879829e1735a4b4cd3def16

SHA256
0f52e6f269f44a7d0ed7028efb44803090c6d4baf2738e0e63f827c71cea7518

SHA512
78724b9c975e3b7839b96eb1fd1adaf868f281b5359746c1b7d03b3e6fec418da93c848db68c17035e22a89710ae63f16cc1125fe5b44fff1a60ebd1a3de0f9f

Download Submit
memory/2008-62-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2008-58-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/2008-61-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2008-60-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2008-76-0x0000000002570000-0x0000000002578000-memory.dmp

Filesize
32KB

Download
memory/2008-59-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download
memory/2008-79-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2008-80-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2008-81-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2008-82-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download
memory/2008-83-0x00000000024C0000-0x0000000002540000-memory.dmp

Filesize
512KB

Download