c08449403abf298731d9b2c0212be126fb3811640cbea98011c1dd3d79bef126

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2023 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

takepic.ps1
Size

7KB
MD5

66f361d6a15ec91f56907fec1a7cdd8b
SHA1

f186c6eee98eb4baee0883c669427e69f6e22044
SHA256

c08449403abf298731d9b2c0212be126fb3811640cbea98011c1dd3d79bef126
SHA512

4471b41bd57cf24eaca9a01d7d21e92da3cdd399e0ebe0c6fd7f2edb41c32825086f65b51389f3217c7e65ab55d1d0dc19859c559bd3989fca747d0c8846e783
SSDEEP

96:0lpBw/zUzq/F5LFA9uq97jAqquKlPuGWRVxReI9ZQD3L5RJLLK:6GCq/FJ3q97jAxH2zLWLFLK

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2996	powershell.exe
2996	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 3672	2996	powershell.exe	85
PID 2996 wrote to memory of 3672	2996	powershell.exe	85
PID 3672 wrote to memory of 820	3672	csc.exe	87
PID 3672 wrote to memory of 820	3672	csc.exe	87

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\takepic.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xhg0ym3p\xhg0ym3p.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F83.tmp" "c:\Users\Admin\AppData\Local\Temp\xhg0ym3p\CSC9E40F2A67C14464AB29742BDFD7652B2.TMP"
    3⤵
    PID:820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6F83.tmp

Filesize
1KB

MD5
6c44bc61a723c436501b99d235562ce9

SHA1
d34c52d50b307d932b45eeb3d726f3ca6a2a574f

SHA256
430301b5d7f19885ebdd497477018a388537ef14b8a8afeee3dc637efb5d9db5

SHA512
8e5bcdbd84ad6d2f849f124e4267d259bcd8611e18db8922bcd5fc1b5f112cb40a09cbc63f5a72c9c281aacb6443a07a37250384bf72bcfba1574172126eeef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_urbjoagk.3ip.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhg0ym3p\xhg0ym3p.dll

Filesize
4KB

MD5
082c5fcf6b38c05fea0006fe26a8418c

SHA1
ab6d963de63c22709f12afb63cf05007be38c0e5

SHA256
22ec2f574417c2f5415f4cbcc9b062ef1fe0a8455384e81b8c919aa2cc25ebe6

SHA512
dbf4cd7390bac3ec580f4ff33f27a1d0694a6e3c6ccb17f35e358bf9c48a6fd92607be9a5b720990808a549bd27f5a023a142190e7032f4ed067b416022032dd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xhg0ym3p\CSC9E40F2A67C14464AB29742BDFD7652B2.TMP

Filesize
652B

MD5
0290094b75f13322885e80f2a0e14531

SHA1
e338699ed25310239a255153c727ea35d94c8fd2

SHA256
cd63c9811ec9233a96633c8c0752b4b47aba917fbae979956b3adef6aa390d01

SHA512
38a0ae48c11b57ea7ac02bb2e9541d2c0831e9097569cc2bb3aae90db307439765e294e97b941607266c3ac1b88c85f9db2a4e669993db8eb55e2a5c3b7f9d9d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xhg0ym3p\xhg0ym3p.0.cs

Filesize
4KB

MD5
dec068b01faab0ddff3aedde79923a04

SHA1
1fd3e4290b2a0b8f966a053b4ac92781661bd684

SHA256
a724aa6fdfd62c795655d4a67ad6a527bf0b1197cbab79b0c6a50d651ec6ea04

SHA512
50bc7c44dc81a9d3168d02daf86ed015cc8547d5a0cf7eb088356c81ff9d90d3370fe58826047e906df8b0fab41b76e4cbb73c6a3c498dfbb3d214193c69ab8c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xhg0ym3p\xhg0ym3p.cmdline

Filesize
607B

MD5
f57c832cd468e7c253275f515f4f20b5

SHA1
67e207fbcc4c713e85529e607aa043be45e1a62b

SHA256
93d66d2c5e17a7edf983dac795e8b4d2e52fc3baf06c4442f0cf22eccbb04987

SHA512
0a686967e4157348b112e46d073d8fd64836a79029625dd5f9aa61d6ee4b4dacdbf78b30dbfb999c4ae2199ca9e7c4c389a33eb62a1b54f46cf445a28037239d

Download Submit
memory/2996-142-0x0000021AB07E0000-0x0000021AB0802000-memory.dmp

Filesize
136KB

Download
memory/2996-143-0x00007FFA3D180000-0x00007FFA3DC41000-memory.dmp

Filesize
10.8MB

Download
memory/2996-145-0x0000021A98050000-0x0000021A98060000-memory.dmp

Filesize
64KB

Download
memory/2996-146-0x0000021A98050000-0x0000021A98060000-memory.dmp

Filesize
64KB

Download
memory/2996-144-0x0000021A98050000-0x0000021A98060000-memory.dmp

Filesize
64KB

Download
memory/2996-163-0x00007FFA3D180000-0x00007FFA3DC41000-memory.dmp

Filesize
10.8MB

Download