c08449403abf298731d9b2c0212be126fb3811640cbea98011c1dd3d79bef126

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
20/07/2023, 08:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

takepic.ps1
Size

7KB
MD5

66f361d6a15ec91f56907fec1a7cdd8b
SHA1

f186c6eee98eb4baee0883c669427e69f6e22044
SHA256

c08449403abf298731d9b2c0212be126fb3811640cbea98011c1dd3d79bef126
SHA512

4471b41bd57cf24eaca9a01d7d21e92da3cdd399e0ebe0c6fd7f2edb41c32825086f65b51389f3217c7e65ab55d1d0dc19859c559bd3989fca747d0c8846e783
SSDEEP

96:0lpBw/zUzq/F5LFA9uq97jAqquKlPuGWRVxReI9ZQD3L5RJLLK:6GCq/FJ3q97jAxH2zLWLFLK

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1964	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2808	1964	powershell.exe	29
PID 1964 wrote to memory of 2808	1964	powershell.exe	29
PID 1964 wrote to memory of 2808	1964	powershell.exe	29
PID 2808 wrote to memory of 2604	2808	csc.exe	30
PID 2808 wrote to memory of 2604	2808	csc.exe	30
PID 2808 wrote to memory of 2604	2808	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\takepic.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k-i4rcry.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2CA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD2C9.tmp"
    3⤵
    PID:2604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD2CA.tmp

Filesize
1KB

MD5
c86633e3878b2a4de6942dbc928ae578

SHA1
92a5c6b1fd335a0241c253466840cbbff2a9704d

SHA256
480d55ddd27ba95375f78f30c5165021e4ffc723a3ef84e747f7a0d2a4ba3fa7

SHA512
c0f5dd7141b286535e714d308592b51b2f8017630ca0f953a217edb8ad2f1d321b8994cfa628b7db2809a7163e5d8840d234c74fd285cde9b8e6e1556021a89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\k-i4rcry.dll

Filesize
5KB

MD5
0758b3e0ca898c2625a213d80c77c204

SHA1
10f97b3968f4383e87d8fb675c3ce3ed78791549

SHA256
0626adb66da2eaa169d17123ccfe681e871f9212a4b91c20ba5bf763ed366ce4

SHA512
9aeb6bde773f49321909d17fd771f0f954b891479075a7fb4bce332edd1b1fe44eb0fe2786f65ca63a3298d6ddb4e780b87e5fb9d38de35cde14b9c22abe0ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\k-i4rcry.pdb

Filesize
11KB

MD5
3927863952b4f90200e9dd22e96d2586

SHA1
288bf37065e6a4ea30dbf3578fc674e515b8b314

SHA256
322609028cecd573cab1db83a28ed114130beb17437dccd1585cd7278e6ed425

SHA512
00bfd6f034e6618aef2ba7e1c8fc70c1ea8b1476ee5fbc92e1b7f5861a18da78b64cb71ea00fdc6b94e29f7a991b610c48010ab27b447ffcbd2519dc09c89b4e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD2C9.tmp

Filesize
652B

MD5
4af8e0f079d0ad494f4f8f9f6b35449e

SHA1
6b72ca1b51be88ff78569a3a0efbdd5f77379e78

SHA256
a71afc7ee41f66403b457f68176de79940bb7ba42ec4bde9f5789229ef965e4b

SHA512
217e60c3fcc6df34f96ef270991c2f38daec22b3d2a7e886a9e03cbc0b84623e22d6ff0c4c16f7eab5dfe017cc6b27f17aacda0b405e962716a9a75c45fd54a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k-i4rcry.0.cs

Filesize
4KB

MD5
dec068b01faab0ddff3aedde79923a04

SHA1
1fd3e4290b2a0b8f966a053b4ac92781661bd684

SHA256
a724aa6fdfd62c795655d4a67ad6a527bf0b1197cbab79b0c6a50d651ec6ea04

SHA512
50bc7c44dc81a9d3168d02daf86ed015cc8547d5a0cf7eb088356c81ff9d90d3370fe58826047e906df8b0fab41b76e4cbb73c6a3c498dfbb3d214193c69ab8c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k-i4rcry.cmdline

Filesize
509B

MD5
f0ed8d5158dde4fd887c63a69cfe8993

SHA1
b516b2d750c0e6b3e4799d0fc42478dfb5375b04

SHA256
8537bc81163dea2c87b362f9cb034a79e2942c941bebf875bb78583c53bcbdaa

SHA512
5a00c53691f28c44550a0cf378e246dc2711ccd036da4dd10da4c0d96a67620ceedeb54c1f1824d1d84b530c987e5c33d2a46556b89ab5089e17cc636e5f7e65

Download Submit
memory/1964-63-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/1964-62-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/1964-64-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/1964-65-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/1964-58-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

Filesize
2.9MB

Download
memory/1964-61-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1964-79-0x0000000002780000-0x0000000002788000-memory.dmp

Filesize
32KB

Download
memory/1964-60-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1964-59-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/1964-83-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download