0d75f5b0c83ef7d4912e4617fadc241a74668b1a1e051ef1d80000c2a6781516

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2023, 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

native.ps1
Size

468KB
MD5

b481639a67ced954fe6f6bf6222b6725
SHA1

ffa4e250d8467bf90cdb964723ccf2eec453eea5
SHA256

0d75f5b0c83ef7d4912e4617fadc241a74668b1a1e051ef1d80000c2a6781516
SHA512

93fb31068105f85ba97d960512a107ed0169ce534993b827f4e2c9f3beddf6d06431abb71f268bbf5c99c9a5d4c434d71044cc9e13d2cb7053d54014c03a7b71
SSDEEP

1536:2x1lQi80WOq1Q6QoMkrBsYKj6CLqkJ6SF8EQBeNyI7dxj8xrfxG/xz/xqk/x1USX:XzfOK8fRIul

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2940	2160	WerFault.exe	45

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2160	powershell.exe
2160	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 3956	2160	powershell.exe	85
PID 2160 wrote to memory of 3956	2160	powershell.exe	85
PID 3956 wrote to memory of 5044	3956	csc.exe	87
PID 3956 wrote to memory of 5044	3956	csc.exe	87

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\native.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5jdkmbcd\5jdkmbcd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3D1.tmp" "c:\Users\Admin\AppData\Local\Temp\5jdkmbcd\CSC783804826A294C92A82C28942A450F1.TMP"
    3⤵
    PID:5044
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2160 -s 1636
  2⤵
  - Program crash
  PID:2940

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 2160 -ip 2160
1⤵
PID:4768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5jdkmbcd\5jdkmbcd.dll

Filesize
97KB

MD5
d6982c47949e4e00e1d77121723d3de4

SHA1
d9d5d93f9ac433d3ed7693d98c48f016cbf6fec3

SHA256
1e9852a46136dc222f0ab42eac5c81e24800e20b0b673ef6d6e98140f5fea274

SHA512
b2e2624b23cf0c89cd8b9aa11c29affc65ed5e7186ace0b1354df215a148949c2bc55d7289f2f915b2ce1155d21fb7bdbf808b957759ebf43ff7f71bd94be371

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA3D1.tmp

Filesize
1KB

MD5
d2d28d8a5ef23e2887174b1860882bde

SHA1
314850bf458cb03eca71684284b3a4aba27563f2

SHA256
78b92932a6691370f89794d04a32c4f829d96d32e53585a4777af74a7d006050

SHA512
7797d85e26ac7d3e3747add46a77316eecdbcc71097bc369708ac50e4bb5f580614dd5dde64850bbe931cba07b3b7e02ea2d548902f8eb927d37a36369984131

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5e05ibcu.fza.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5jdkmbcd\5jdkmbcd.0.cs

Filesize
468KB

MD5
9c19fd4e674c6af326807882349cb34b

SHA1
11fe47de1eefd5db10421cf1626f7e8315dc5745

SHA256
f6251bc1a0c17cf6201f0f71b72a2ab257e91716b04951b48dcc5a7231b3ba01

SHA512
d0dce83af3f1ac7543a08de9844ba6d3e66ff9cc2fe945716e76e76e520d138c504c8fcb4d559951a6d54a830ad567cce79e222a7fe5e047758a125c78532b23

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5jdkmbcd\5jdkmbcd.cmdline

Filesize
369B

MD5
566027533d29cd22d786818a4b8b7d8b

SHA1
530d03a3f3deb160cb79a168fee9bb3870a29c57

SHA256
27aa899f491d64f1d66bc9f75f2263b87472d9c4ef174defd9a6ceb7dca76e2c

SHA512
bf24b8a27205cbcd543391d3113aec3e06c27f91ac76a3b3ebbf77668edfc1843346fa0c344dff41ed832f2c79c2293ca0c6726ac94aa2b2a4fc636102a6154c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5jdkmbcd\CSC783804826A294C92A82C28942A450F1.TMP

Filesize
652B

MD5
757f29c462f94c4d3a00aed0a5b30b2f

SHA1
ff5a55fe3a9b5927d6f9eb946ea0fe7b2c0d4937

SHA256
627c9ec2e2382df25366f33b1cbcc9a9964449b4b785f267dde535cb6136bda6

SHA512
0be27b8c1a90c866153ce7b259154fc2379a13d36f7fb23b8110753728cdf1c058949cf10ac50b67928824dc78716c42f42a1182b134e2a6b1da31acc8e9da8d

Download Submit
memory/2160-9-0x00000211ED1C0000-0x00000211ED1E2000-memory.dmp

Filesize
136KB

Download
memory/2160-10-0x00007FF965AC0000-0x00007FF966581000-memory.dmp

Filesize
10.8MB

Download
memory/2160-11-0x00000211D41B0000-0x00000211D41C0000-memory.dmp

Filesize
64KB

Download
memory/2160-12-0x00000211D41B0000-0x00000211D41C0000-memory.dmp

Filesize
64KB

Download
memory/2160-26-0x00000211ED480000-0x00000211ED498000-memory.dmp

Filesize
96KB

Download
memory/2160-27-0x00007FF965AC0000-0x00007FF966581000-memory.dmp

Filesize
10.8MB

Download