e9a7f5b9f11829593799ab82f588a9f5978abe8768a0a043fd2fab9827392af5

General

Target

ottonova-a2.ps1
Size

6.2MB
MD5

b0dfc711f647d182589170003bf567c1
SHA1

e873babaf2aa851455b6068e4065e7a972a4d98d
SHA256

e9a7f5b9f11829593799ab82f588a9f5978abe8768a0a043fd2fab9827392af5
SHA512

da4f0923c3ec3854e113c30a782ea814dc01cb38199a7f168bb360346c9c6db14b5c86444f3d4a1e37b052b814a8dbe30d23f64b7faedd473ff1fcda0086aa1a
SSDEEP

12288:1UAun+lPRzcnYfucVx7Bcun6GxyHgz/zkeK3GyijZSv9aRnE0Hca7/n1alpfwWSe:6

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
664	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	664	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 664 wrote to memory of 2296	664	powershell.exe	29
PID 664 wrote to memory of 2296	664	powershell.exe	29
PID 664 wrote to memory of 2296	664	powershell.exe	29
PID 2296 wrote to memory of 2672	2296	csc.exe	30
PID 2296 wrote to memory of 2672	2296	csc.exe	30
PID 2296 wrote to memory of 2672	2296	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ottonova-a2.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:664
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t2jl5gne.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F31.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5F30.tmp"
    3⤵
    PID:2672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5F31.tmp

Filesize
1KB

MD5
17901517b07b358237ad772ba6d5be1c

SHA1
a6c964a74777bb6f604dcc8e43bf1cd6feb5e6dc

SHA256
1720f43760541396eebb6733ab04ae9ec971d36200ad22dde0bcab58f496c518

SHA512
2ce2b2623e779b613485d15dfd7baed4131ab6215d0f630d57e9127e54e4bc003eabbc6206fd97f5a2651fc52ddc66f910c2f07fb59ee7b822fd4b60feb510e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\t2jl5gne.dll

Filesize
3KB

MD5
64ca34a09370a41109962f42eea2f690

SHA1
93de12f766d4d68a81f290cf97e1bc1b8046ddb8

SHA256
e0d1cd0d365e74b7d5b8d5f395257e4138232b9f5f5a67ffa8a9f03be181c331

SHA512
255b5125d90d17457a46faef6447ab5f0144915fcaa7b4006c13cbb1a4289f5c324c265b98c1e9f4189c3408ff74470c358c7aaa6607f2eadb99fac84aa4bce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\t2jl5gne.pdb

Filesize
7KB

MD5
c050dc07df9106e1e949c36332f18a3d

SHA1
86988903939a54f17899cf920d3d965d9b14dbca

SHA256
36c748439931b3e0842f2959dd0f0e3612f7da8e2bd665acf923365376e12d83

SHA512
baa97652a02f8392ef7f699824a062e860cbb1c90ec27198ceeab0547c3dcd13b267c4a0fd1051b6915e0c53e12ba6448b89000bc07b98b25ee7cdbd9922b7ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5F30.tmp

Filesize
652B

MD5
4ce31f8376beaee6af698f7b593dc29b

SHA1
3e0face30dd3f3ab041441dc884f7b31d3273aab

SHA256
2a6c5c41264c80320bc8e8070810f5e1c09e9adddae254ddeaa0b30e74be0bdb

SHA512
fc49c30657a9be667c5a008483d5684f89d12d9cc51547a8cea52ff8b2ac006fc6069a87215cc2dba62901ecd0e22f4839aad0351d92478783f71bb58e50aa91

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t2jl5gne.0.cs

Filesize
566B

MD5
b9168fca418c126fe8be31b5bb1a36ab

SHA1
7ed2e985c537b89cf6b1306b55aab15dad7eeecc

SHA256
8b67648c3eb5a093477bd0d0a568585c1c50843d9987c07cc8d7dcb09c44ddd4

SHA512
80025ca786f0ce8885c4836926291546cd35a2208d57f03e252ba4c2d1d72672e978c0a073fe70435cf167dc04d7c5126dbd7d6b091987a416a38487b06cde17

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t2jl5gne.cmdline

Filesize
309B

MD5
ed55590308b9d3cfa9338cbbaf281ca9

SHA1
6ca9a2ba980f503d1f8cced0d0753c77be42bb4e

SHA256
df05f1438ba5b70cacf61ace793b1b0da827483073429f380ee213ce2e06d2c4

SHA512
836474bf92dacb5a73f37292c9c57c769978348b4c92e7d4d7a74646e330324c954fcd284b94f712c676d5991f6f7293b3bb41b332c8b9e6fbf6128749ba5903

Download Submit
memory/664-9-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/664-32-0x000000001AC00000-0x000000001AD40000-memory.dmp

Filesize
1.2MB

Download
memory/664-11-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/664-4-0x000000001B490000-0x000000001B772000-memory.dmp

Filesize
2.9MB

Download
memory/664-17-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/664-36-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/664-8-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/664-7-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/664-6-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/664-5-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/664-27-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/664-30-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/664-31-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/664-10-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/664-34-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/664-33-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/2296-18-0x0000000002200000-0x0000000002280000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads