65b3da1935423095cf9f354a6221aa8c049cea0e334094766a3c6e41a080d049

Analysis

max time kernel
127s
max time network
265s
platform
windows10-1703_x64
resource
win10-20230703-es
resource tags

arch:x64arch:x86image:win10-20230703-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
14/07/2023, 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PyCraft-main/fonts/install_fonts_win.ps1
Size

410B
MD5

860df99b481b4f1060af56d37963ae1a
SHA1

97b5a3f13a9b643f364cc52244eaca5697dd634c
SHA256

be9a1740101c0fc3bd5adcff57c775c290b3c138c8437d870d5da9996c44fa3d
SHA512

005505b5322556abb6389d34acce45fca4a878e39334f965e5bd5fc94bbe832a91a273966ff4c642ea54bf90c724c1df9998c00091f8163620ea590554954317

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4484	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 2820	4484	powershell.exe	71
PID 4484 wrote to memory of 2820	4484	powershell.exe	71
PID 2820 wrote to memory of 1088	2820	csc.exe	72
PID 2820 wrote to memory of 1088	2820	csc.exe	72

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\PyCraft-main\fonts\install_fonts_win.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\prkczzuz\prkczzuz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA299.tmp" "c:\Users\Admin\AppData\Local\Temp\prkczzuz\CSC4AA3679D08049D8AE7831A181B3BF36.TMP"
    3⤵
    PID:1088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA299.tmp

Filesize
1KB

MD5
e92bacdad394f3bdc69ce7b6a4446f3d

SHA1
1f6dcc4fc5779278639e24feea0d603f7bb5ef86

SHA256
bc6ef55ca7b0b59939fa4a01aa439a5089f5c51f84abdd8681235870cc93cf14

SHA512
3730e860f1346fec7d8cc4e071068a96cde5bf16c64ff6c7f276b3bf1f0bdb52f248e93da454e3a4dbc26c627b31927c19dc6deadbc97017f25d2d55c5c5b71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i3kcndgf.n01.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\prkczzuz\prkczzuz.dll

Filesize
3KB

MD5
2c5f9d4885b3ce917fa910528f06c4c6

SHA1
201075e586b4b383aad76b2c400238eb9513aac8

SHA256
455b60864b43154542e92b43432c371463bdffe3365531770de28ab66f49fd8e

SHA512
02f35b44654770673f8b92d643b1642b89516e3142d521350215a6a06d70d7dbd06664cd9e58fbc2dfa84b4e9b366679e0ed55a325314d22c5983196630cea17

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\prkczzuz\CSC4AA3679D08049D8AE7831A181B3BF36.TMP

Filesize
652B

MD5
3a124727b1fe65b71b3af0ed7993b8b4

SHA1
cc1c49623610dec7cc6c7dcf7e7ed3acfbb11170

SHA256
a1ae04e33d209b41961000c433cabf4148bf03374820abccc57f361a39083a45

SHA512
c0b1dd7a73937061fcbcd67315cc3bf4550246f8fac6e18af1fbd3f4077da87c92f17264ba0dd1cf593fc416148b8ad25cf5e38af5449f1adbffa269ae87ac4b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\prkczzuz\prkczzuz.0.cs

Filesize
239B

MD5
dce9d5308e83b15dc75efbd5c75407c1

SHA1
72f170008426b57dcef2acb1148e9be6565e236e

SHA256
6982981cc4bb39282813c0186120bbd020969865961667db9b010bc6cad03223

SHA512
740ca61dc2d8373fd2cc548125948a140516020cb52ada909ae661db4ea5a69bdc0c1620b4f97ea5be3ba7718866f6b8a57ede9a433807a88a1c382b2fbb66f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\prkczzuz\prkczzuz.cmdline

Filesize
369B

MD5
beb84db961d66c822bac71403a936000

SHA1
6fdee478c837e0b554dec38a29c65b52cf53fc0e

SHA256
a1c728424dc7b2c90c1bfe66de70aa75f06f61d544588958cb729c0e718bbf02

SHA512
e65ce1f8f3edafd197b1eb6350a67a6532a364461a328e75e5dc21aa40efe0a67a9c6f16b85d061a83b53e7c86763d13596212978d71a0a5c2f496f07a98c84f

Download Submit
memory/4484-127-0x000002C2C8C10000-0x000002C2C8C20000-memory.dmp

Filesize
64KB

Download
memory/4484-126-0x000002C2E1520000-0x000002C2E1622000-memory.dmp

Filesize
1.0MB

Download
memory/4484-123-0x000002C2E1320000-0x000002C2E1330000-memory.dmp

Filesize
64KB

Download
memory/4484-130-0x000002C2E16B0000-0x000002C2E1726000-memory.dmp

Filesize
472KB

Download
memory/4484-121-0x000002C2E1380000-0x000002C2E1402000-memory.dmp

Filesize
520KB

Download
memory/4484-125-0x000002C2C8C10000-0x000002C2C8C20000-memory.dmp

Filesize
64KB

Download
memory/4484-122-0x000002C2E1340000-0x000002C2E1362000-memory.dmp

Filesize
136KB

Download
memory/4484-124-0x00007FFD5DE90000-0x00007FFD5E87C000-memory.dmp

Filesize
9.9MB

Download
memory/4484-157-0x000002C2E1370000-0x000002C2E1378000-memory.dmp

Filesize
32KB

Download
memory/4484-160-0x000002C2C8C10000-0x000002C2C8C20000-memory.dmp

Filesize
64KB

Download
memory/4484-163-0x00007FFD5DE90000-0x00007FFD5E87C000-memory.dmp

Filesize
9.9MB

Download