193414cd47eda9186cdbf0841f0e366080e045d5685c89416bd79b1c210801ab

Analysis

max time kernel
91s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

code.ps1
Size

138B
MD5

11ee956e17c595b93533e0bdda3f131c
SHA1

93383d8654b6d47bcb913842b31162666b901d82
SHA256

193414cd47eda9186cdbf0841f0e366080e045d5685c89416bd79b1c210801ab
SHA512

455c67201147941a41259622aa476d9b751fe4607c007a9b03a729d50bd40f571c129ebfc7a99255bc280c940441420866bf5c39aaf4059c50a02729f6dcc73e

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3812	powershell.exe
3812	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3812	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 3212	3812	powershell.exe	83
PID 3812 wrote to memory of 3212	3812	powershell.exe	83
PID 3212 wrote to memory of 452	3212	csc.exe	84
PID 3212 wrote to memory of 452	3212	csc.exe	84

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\code.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dxvqgfcz\dxvqgfcz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9EB1.tmp" "c:\Users\Admin\AppData\Local\Temp\dxvqgfcz\CSC1983787B39FE44C6B0D912FDE9A088A2.TMP"
    3⤵
    PID:452

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9EB1.tmp

Filesize
1KB

MD5
c22748e23b9deba73325cbf174949d6e

SHA1
38ce04d8b68444a8fe85fcdbef037184e5d3c9e8

SHA256
eedaea344b62f332b61983503ca805812773ffd1be26d1b7b9ffaa3764358ee5

SHA512
8b3d282e122e3082fd6eaf3951374eafd2c9f49565b4ea1553bc2d14995d797793549a4c548a6412e614aaf2095f60c9d7ce8014cc4bff8aadc19843827a5fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_imk3n4fv.1ts.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxvqgfcz\dxvqgfcz.dll

Filesize
3KB

MD5
c7c9e7479222eedb65796342993f1079

SHA1
190ed79ccc4826d6fa75c539266baac2be8f2698

SHA256
74ee4a132b61bdf5b0c5a7187d35aba22810ee9e398f38882f386e943b455893

SHA512
3e1a6f3426d90f0bb1252ff1b8b8692c14d89f375c6d0d697d13c336b80f1cfe51f15345d134064f70db7f8985e161a290e683b943e0ca25d873ff1d35c3c3fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dxvqgfcz\CSC1983787B39FE44C6B0D912FDE9A088A2.TMP

Filesize
652B

MD5
9f427c5b31bce9dcbf9fd664ca5696eb

SHA1
5491579415311b3ffad32be61f81a587e8e5a933

SHA256
20c0633636d34a54f932c412f4dc878f964acb9b2b6fdfea3a7cd6832390d3bc

SHA512
99eb7933971353ef821a50a78fc068b219da7f4124eec0d99e7f21da40b18790408bca21672a68092d38477bbd1a6089ee94e4048b85bf5de0715eb82b1c16dd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dxvqgfcz\dxvqgfcz.0.cs

Filesize
907B

MD5
d98b32865e5bd9376502ce614141b7fa

SHA1
673d622933fbdb9aaafaf847c3cb8f1ce4b18cbc

SHA256
6d21e15bcaebe4b6461790fbe39381ef6dc736eec19a66e80ee15caf4680fe00

SHA512
28f4ec12ba6b47af36e288a81de46ce017144416626c50c4266207f92ac5d4b532691e1ee5a3cf54abc0c567e5cd60fb3d3180e8829cdbfab98013d45377ddb0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dxvqgfcz\dxvqgfcz.cmdline

Filesize
369B

MD5
fe8fdf99247d636b4b78346b8ea2f1e0

SHA1
397564348cad81991a45a208abcd88eb71578ff3

SHA256
2dd61cbe611dc68bf22abe3701183b89c3c8c98d2878776d58519bffdd27e20c

SHA512
f5f6531006f3b646227b5e9369b7118460e7477650c22cd13a47a33448bdfb518a60bc55c9d3da9028f7c5d98b9991d31f15bcd02cbbead185e1ea15f96d5409

Download Submit
memory/3812-12-0x0000017575B40000-0x0000017575B50000-memory.dmp

Filesize
64KB

Download
memory/3812-15-0x0000017576650000-0x0000017576674000-memory.dmp

Filesize
144KB

Download
memory/3812-14-0x0000017576650000-0x000001757667A000-memory.dmp

Filesize
168KB

Download
memory/3812-13-0x0000017575B40000-0x0000017575B50000-memory.dmp

Filesize
64KB

Download
memory/3812-0-0x0000017575AD0000-0x0000017575AF2000-memory.dmp

Filesize
136KB

Download
memory/3812-10-0x00007FF81F860000-0x00007FF820321000-memory.dmp

Filesize
10.8MB

Download
memory/3812-28-0x0000017575AC0000-0x0000017575AC8000-memory.dmp

Filesize
32KB

Download
memory/3812-11-0x0000017575B40000-0x0000017575B50000-memory.dmp

Filesize
64KB

Download
memory/3812-30-0x0000017575B40000-0x0000017575B50000-memory.dmp

Filesize
64KB

Download
memory/3812-33-0x00007FF81F860000-0x00007FF820321000-memory.dmp

Filesize
10.8MB

Download