0396c4bf011de51ae29aaae4ab7e6aa3b5da41d52509a3a7b3f119c264f2130a

Analysis

max time kernel
140s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 11:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2.ps1
Size

853B
MD5

01959b049c8493e73756633a95f5fe0a
SHA1

a1f6d8aadbb08c31f0694c22dc2b9b723e58d41c
SHA256

0396c4bf011de51ae29aaae4ab7e6aa3b5da41d52509a3a7b3f119c264f2130a
SHA512

057513ff2545546cc91f300c7fa2d11dfb4aa59aaea52e446c6adcd5c6eb878c2a3dbe52cc239b050829b3ff2ed32cb5c16da7be94028619627bda178d35e57e

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3756	powershell.exe
3756	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3756	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 2676	3756	powershell.exe	83
PID 3756 wrote to memory of 2676	3756	powershell.exe	83
PID 2676 wrote to memory of 1968	2676	csc.exe	85
PID 2676 wrote to memory of 1968	2676	csc.exe	85

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ut3zezuu\ut3zezuu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA921.tmp" "c:\Users\Admin\AppData\Local\Temp\ut3zezuu\CSCC4DACC17421D446182AFBB6F7DA99443.TMP"
    3⤵
    PID:1968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA921.tmp

Filesize
1KB

MD5
6b01ff516ea63a346c3e2237fc33b293

SHA1
30dabdd4e4914d905dafaa5fd0e39b006dacefec

SHA256
74d3a47b3fce0ecadd3a1b2c216c2d935863cd01cf5b3be00b292f31d6239861

SHA512
2b7b8b4ad9aac36e4c2a3234e3ae59bfa91ac15b8c57812dc424310ccedacf13372e8a21de2330f2c87459a53e00bbced3ff875ab0702165b9d7a6bbf2ba3bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bk5p1frg.srm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ut3zezuu\ut3zezuu.dll

Filesize
3KB

MD5
470f22fdba1352472034fc67348bc1a1

SHA1
6ef68512f68f6f0e77309f9a27097b021efc97ed

SHA256
77479619528df319ed19a872128daebe60e02f3b342337c40f36e53d5c3e75df

SHA512
9d804e0e1884ac8b745cb6968c6e34c464ecc7cac8ce146f33509bbbbb746ca78239541bbf5bfc80c71509754cea697d1fc99f4ab839daa9e1e8db106cdb9c84

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ut3zezuu\CSCC4DACC17421D446182AFBB6F7DA99443.TMP

Filesize
652B

MD5
f7dfab62a933926792c182cc9ffa49ec

SHA1
0062177aa3d5aabff7a5e041c37738ec8962411d

SHA256
e0e4fc6c6c0b78e9a2ee7b17d72ce6b2f44352bcf4afbf1081eb23f3cfcd92ab

SHA512
8e2fa2c4073506e1af594d6644a0c683585b91eef34ee64cf465c9ba3344f6513efecc08774b47448a311fc6746dd37032f3934fa45efd8af4664b07dc47ea9e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ut3zezuu\ut3zezuu.0.cs

Filesize
414B

MD5
d7cc05262a98a6d0b6e6799eee34d3bd

SHA1
a38ff4c743804a992246c3223d69355ac17fe75b

SHA256
c3acab3b75b5cb83ab6a307e1523979b17a3eab8f30cd42c8f8f5bfe8be6c0da

SHA512
0c0e3184bb3fbab1a9af3ba36aabf7617e7e8c4a914ac064fa7fbb2fa548e4fd3bf9557520ae697678d84ae3c7105e666cf5fbc96f302d232f1d358012a1dcd8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ut3zezuu\ut3zezuu.cmdline

Filesize
369B

MD5
e04d84484298013397c21739df155c9f

SHA1
75a14519d26779a6ed20d3d0a98eeb2fa4b40423

SHA256
d2220ca1042223e9f99b26e8d5c2b2bdbdc93052484bc6dd2490052c0a527b21

SHA512
d77a3fa0058d436ff0413ca052ddeb024810eaf864e9e387968878dcd4a21d838932d709457f30854f9c022f1fe4572a1ebf88157279e07cd5ef989a755b6fad

Download Submit
memory/3756-13-0x000001E700090000-0x000001E7000A0000-memory.dmp

Filesize
64KB

Download
memory/3756-11-0x000001E700090000-0x000001E7000A0000-memory.dmp

Filesize
64KB

Download
memory/3756-12-0x000001E700090000-0x000001E7000A0000-memory.dmp

Filesize
64KB

Download
memory/3756-10-0x00007FFC7A810000-0x00007FFC7B2D1000-memory.dmp

Filesize
10.8MB

Download
memory/3756-26-0x000001E700C60000-0x000001E700C68000-memory.dmp

Filesize
32KB

Download
memory/3756-9-0x000001E7662E0000-0x000001E766302000-memory.dmp

Filesize
136KB

Download
memory/3756-30-0x00007FFC7A810000-0x00007FFC7B2D1000-memory.dmp

Filesize
10.8MB

Download