0d75f5b0c83ef7d4912e4617fadc241a74668b1a1e051ef1d80000c2a6781516

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03/09/2023, 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

native.ps1
Size

468KB
MD5

b481639a67ced954fe6f6bf6222b6725
SHA1

ffa4e250d8467bf90cdb964723ccf2eec453eea5
SHA256

0d75f5b0c83ef7d4912e4617fadc241a74668b1a1e051ef1d80000c2a6781516
SHA512

93fb31068105f85ba97d960512a107ed0169ce534993b827f4e2c9f3beddf6d06431abb71f268bbf5c99c9a5d4c434d71044cc9e13d2cb7053d54014c03a7b71
SSDEEP

1536:2x1lQi80WOq1Q6QoMkrBsYKj6CLqkJ6SF8EQBeNyI7dxj8xrfxG/xz/xqk/x1USX:XzfOK8fRIul

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2020	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2752	2020	powershell.exe	29
PID 2020 wrote to memory of 2752	2020	powershell.exe	29
PID 2020 wrote to memory of 2752	2020	powershell.exe	29

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\native.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kw8geik-.cmdline"
  2⤵
  PID:2752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\Users\Admin\AppData\Local\Temp\kw8geik-.0.cs

Filesize
468KB

MD5
9c19fd4e674c6af326807882349cb34b

SHA1
11fe47de1eefd5db10421cf1626f7e8315dc5745

SHA256
f6251bc1a0c17cf6201f0f71b72a2ab257e91716b04951b48dcc5a7231b3ba01

SHA512
d0dce83af3f1ac7543a08de9844ba6d3e66ff9cc2fe945716e76e76e520d138c504c8fcb4d559951a6d54a830ad567cce79e222a7fe5e047758a125c78532b23

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kw8geik-.cmdline

Filesize
309B

MD5
f6dc01232e93dce58b75c92b72ec2697

SHA1
17b2beb79afdc985427dfe6aa85d04547a3d69c3

SHA256
98e7f408d8e0b5bdfb627225fbe9cc2141110449d70c8d6b3d11df9b2e8c5829

SHA512
ad90d59fb1e74db7064fbc602a2690e802acbd486ed07eb99beb356aedcdcc23e1ffeb2bef83c11b559bb4bba3c8bae1e6518a86761119a79b1635bd08bd8502

Download Submit
memory/2020-4-0x000000001B370000-0x000000001B652000-memory.dmp

Filesize
2.9MB

Download
memory/2020-6-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/2020-5-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2020-7-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/2020-8-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/2020-9-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/2020-10-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/2020-20-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download