0a38ca5cce132728238e773ce5f8081d1a6813dec414995916ea6b878fefa2f6

General

Target

ry7z6DrU.ps1
Size

3KB
MD5

1bc07f77fba7a85aaef20997a8f79f60
SHA1

26c898f7018c29f7b72c9db413f09afdc453c889
SHA256

0a38ca5cce132728238e773ce5f8081d1a6813dec414995916ea6b878fefa2f6
SHA512

c3197e0a9a5ffbea19e3a9e2bfd46d7fb50074ff8d00354498f322ae17dba83a19f826095de38405ed59cd17eed5b06ead2c5d550e150354c79bfd065b96622c

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.mail.com
Port:
587
Username:
[email protected]
Password:
Dung@@0931817708

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
60	4896	powershell.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{473C50E8-849D-447B-A702-68273489C0E9}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{47AD8E2D-EA2E-47D9-9F6C-CCB62E45E440}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{6CE0C391-75DC-4801-9366-EC389792FBEB}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{7D655676-4F51-4672-8E6F-9486DEE58008}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{1EBB3630-CDE3-496A-9FF9-8BD2E8310037}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{AFE433D7-0EC1-4582-8241-6888CA3ABBAE}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{76F10DD1-D099-44C4-969C-5090399A3529}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{F028FEB9-F7F4-486E-9588-35D2D6D95910}.catalogItem	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4896	powershell.exe
4896	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4896	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 2620	4896	powershell.exe	84
PID 4896 wrote to memory of 2620	4896	powershell.exe	84
PID 2620 wrote to memory of 4856	2620	csc.exe	85
PID 2620 wrote to memory of 4856	2620	csc.exe	85

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ry7z6DrU.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y5zrczco\y5zrczco.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DEF.tmp" "c:\Users\Admin\AppData\Local\Temp\y5zrczco\CSCC1A54925AFE9447EA2D6982CD4E540EE.TMP"
    3⤵
    PID:4856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:4424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7DEF.tmp

Filesize
1KB

MD5
cdc10f6a3499fa29330743782e46c344

SHA1
694704354165c6cf2f1453a0875adcd1c4557192

SHA256
950c1cf76b7d502603736da57bf9113e9b7a95efa55422cb40b6d0126366fc4e

SHA512
e3a5313976ff6a7eb9a12d5553cf116ae8602cdcf91de4b2429e98c51a0baa566d3db45ddea411c44bc95c5d0da11294c5d026258e75cf369b91a6e093cee5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_smszen5a.gy1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\y5zrczco\y5zrczco.dll

Filesize
3KB

MD5
1909a333dead572aba972551bd74981e

SHA1
73eb0bd25533bc4afbeef59bfeaaf3b7665f4c6f

SHA256
f4eb48185987fd56b7c8fa7b95ca3c488ff066a8eccb3d0c0425d227b7d3a47f

SHA512
caf5ff475b153825671f8c45c352dc3755df3266a4c42c7ccd9da7d435bf8982ef70d3211b910e066ae9647e1bce65aae0a04f9e42a8d0b91ff1e58f5799edac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y5zrczco\CSCC1A54925AFE9447EA2D6982CD4E540EE.TMP

Filesize
652B

MD5
06f96fb6ab16bb3448b7b83d13813f2e

SHA1
f7b9f66b340f4116da32c53a17e22217eb127d5d

SHA256
c228b16e2315d46d5f2ec388166f6832492b026fa6fafbe1cb4108fd22da0198

SHA512
8c85dd382bfc9091bd2b817b458d09404b60f870d4f311005e92b29e9f522301b45d5f378156859e04cecd73901ebf6caf71124bfa720e33f7455de3d941e05e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y5zrczco\y5zrczco.0.cs

Filesize
675B

MD5
3e2a040032b75fca2a5d6e9fa22d7487

SHA1
278de94e7227bab9079d9478cf65fe276b3932d3

SHA256
c35aa6ae8d0940a03d99de26a1e271977c1e8b1c5a71f4c24885976dec3ea09b

SHA512
7bbf27a6212556a96f45a693a215767d01f26547bcfa59760558c4bf781a3b8acdb45e36dcc1bbcb6eefaeefa18700a57b6fe4595ded125299e2483be5f8d5a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y5zrczco\y5zrczco.cmdline

Filesize
369B

MD5
caf82fa9afb8a54931573de4dfb28e5c

SHA1
0bfdffada121d317d889db229b4866f8a326f84d

SHA256
17c14233847f71bb3247dbd6bf2ecd5888c973ea5955a4640980ba2df9bfb546

SHA512
36a625250b9f4c9feab8b6498af841a561a231d15c0b30f91867282c8d1e2ae4b28eb2f3c455e7f2730730a446b3da1bbe86b9fbca39fa9e2d589d24d764c7ea

Download Submit
memory/4896-145-0x0000013DD2930000-0x0000013DD2940000-memory.dmp

Filesize
64KB

Download
memory/4896-144-0x0000013DD2930000-0x0000013DD2940000-memory.dmp

Filesize
64KB

Download
memory/4896-143-0x0000013DD2930000-0x0000013DD2940000-memory.dmp

Filesize
64KB

Download
memory/4896-142-0x0000013DECED0000-0x0000013DECEF2000-memory.dmp

Filesize
136KB

Download
memory/4896-159-0x0000013DD2930000-0x0000013DD2940000-memory.dmp

Filesize
64KB

Download
memory/4896-161-0x0000013DD2930000-0x0000013DD2940000-memory.dmp

Filesize
64KB

Download
memory/4896-160-0x0000013DD2930000-0x0000013DD2940000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing