070b622ce54ed30e5e87d1758d3d647793d0d46ca7a1c0d2fdbfd4604cd94735

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2023, 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cbd3367e9d97b4b6952dc5d8b3de833bc0fb3d52485df4f0d93f27679569b85.ps1
Size

25KB
MD5

e590bc2756b965a48b729962829fea09
SHA1

67732e9f976788ce3d52fb09143e4e3942e76d7e
SHA256

5cbd3367e9d97b4b6952dc5d8b3de833bc0fb3d52485df4f0d93f27679569b85
SHA512

a26f760a7e04f399ebb01f3cb4d5a899124b20a1669601da94ce7dca9089bb0bdb670d2698bf8a0009961cb92aff931728ee17b1d1d1882699a3d9aa009740bb
SSDEEP

192:b28r3hgbnSSRxnuXicmwrnR+O+6SG472EaaR1jykdxKwafZjNTSNTmHypsDu5pWO:jqhCaJdm374EF1eaNlzXk

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3444	powershell.exe
3444	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3444	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 2608	3444	powershell.exe	85
PID 3444 wrote to memory of 2608	3444	powershell.exe	85
PID 2608 wrote to memory of 1008	2608	csc.exe	86
PID 2608 wrote to memory of 1008	2608	csc.exe	86

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\5cbd3367e9d97b4b6952dc5d8b3de833bc0fb3d52485df4f0d93f27679569b85.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rribgtk4\rribgtk4.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8EF2.tmp" "c:\Users\Admin\AppData\Local\Temp\rribgtk4\CSCBA70086E8D24E95A9A3EAE3CA7077F.TMP"
    3⤵
    PID:1008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8EF2.tmp

Filesize
1KB

MD5
6fd63a90902a1b909dfeb79d413aabc7

SHA1
a5f0ef202e6315d14be67ed8766c1b128676a6d7

SHA256
45c17e11ef459d5861b562a3f3c4e2d300e37206fcbbd3b00679129c9e40ddd9

SHA512
80af46316121c0609ef446a9dfa9b33deee860413d9b982342a2c6de7fdfaf7a358cb88db2b7fdfb5b38ae7a9a6d249e52aa26b469fdd8c6868940913c51bac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wrcryurw.jva.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rribgtk4\rribgtk4.dll

Filesize
3KB

MD5
ac2e246a9c7186bcad98eb693cccecbc

SHA1
59bc8c654edc9f5ab573e48f1f7de59f71a26981

SHA256
35919ef786a1f42f038a77ffc74f1205bf9e63fc6b2df7cf2100f8852e808679

SHA512
4f15b6cce9fcb57876e656f88c3b27d80065a17b61ca86536478da77869560f31db20bc2a614e1b9cc01c0776b6ccf6cc99d89a56edd559eebb2a6babd4f907b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rribgtk4\CSCBA70086E8D24E95A9A3EAE3CA7077F.TMP

Filesize
652B

MD5
2bf5f96745886795dafa10af43ec5c03

SHA1
53d1f8dd4905eb6c18025599eae567712c733dd7

SHA256
50f373c622b1c8780de90f4dad075d0695167697e6099366e74e71c78438e1ff

SHA512
f4ad2955db3d088f7bcd7902c1fb68e4eb2ee1fbb8f93665c44f7b3d79d15c08a1d12737cdfc576fc4e286bfe6a836a7ffba0fbb9deb7b1687990fd93cd107ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rribgtk4\rribgtk4.0.cs

Filesize
549B

MD5
90edeb819828bb3130f90998aa0cfbc4

SHA1
f5f1576d234ef7c2dd42f61a730d6df22b234e76

SHA256
47a4699e8a17a788311a9b50e2195eb9d06967c9f243e1099b7955eb2a560631

SHA512
da53da9ae6bca63c4e6fc29ce0b811f6644941396cea992b2e2d5d968a6f2fe499d505540f8baa657eac2c1c05d0d322561036d5e9fe5d7fae04487b581f2ec0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rribgtk4\rribgtk4.cmdline

Filesize
369B

MD5
3227ad7a709a99a438bb861103624902

SHA1
ab37c4abae3b3e186d456b3a8de3e8d1c83b5be5

SHA256
a69c01e7e9742b800d8e7f34d0b6fb466d19551df32ab1e68e5b56186630f4a4

SHA512
a9adb2b865994e0d6cb1734cff52b4bc65e642e8f9c97d79ee1c2853123241e55dad5a01998209ecf8318343391b4387da9137376b2102e8a7c9cdd6a7737654

Download Submit
memory/3444-138-0x000001F014C90000-0x000001F014CB2000-memory.dmp

Filesize
136KB

Download
memory/3444-143-0x000001F014D80000-0x000001F014D90000-memory.dmp

Filesize
64KB

Download
memory/3444-144-0x000001F014D80000-0x000001F014D90000-memory.dmp

Filesize
64KB

Download
memory/3444-145-0x000001F014D80000-0x000001F014D90000-memory.dmp

Filesize
64KB

Download
memory/3444-159-0x000001F02DF50000-0x000001F02DFA0000-memory.dmp

Filesize
320KB

Download