23139b2d6e97241d698f684ecf7f8a077aa1206d0d75d1ee6769aac61ebdf4b8

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2023 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

add_acl.ps1
Size

337B
MD5

d90fed2f2872cb0aa450b0a91c5c67e9
SHA1

8af3d7b66b26489fee514b8a6cb3d9b327ce685f
SHA256

23139b2d6e97241d698f684ecf7f8a077aa1206d0d75d1ee6769aac61ebdf4b8
SHA512

ec2819e9e7dfc6da002006661ef794b2a89a2785928336d025c18970929b7e956d56843fa736ab13f9554740b572a4aa2fbe68fabaf3ec472bb7dac3ca02fb65

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	1060	powershell.exe
13	1060	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1060	powershell.exe
1060	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1060	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 4016	1060	powershell.exe	89
PID 1060 wrote to memory of 4016	1060	powershell.exe	89
PID 4016 wrote to memory of 3348	4016	csc.exe	91
PID 4016 wrote to memory of 3348	4016	csc.exe	91

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\add_acl.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\evbgcdfy\evbgcdfy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87CD.tmp" "c:\Users\Admin\AppData\Local\Temp\evbgcdfy\CSCDFDC09EC2D14EAA9E534BB6E030D356.TMP"
    3⤵
    PID:3348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES87CD.tmp

Filesize
1KB

MD5
518d5cdb2d8d520cbcca86f6012d0271

SHA1
2343e1288e8947dc36d9f27f37f1707aa230a33c

SHA256
958da712cf271c96a240fb283f1010a7a75ccddae4008050fcd94c068c6fc8c6

SHA512
46fbbd6193d0f91f9b5cae9162fd5b383f80c3fda26eea6c2c0eaa8abd11c74824ec884f8d4ea75f59786e076af85bec4943d44d0f0a831428f9e5e9e7b12db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c4qqalkt.hzx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbgcdfy\evbgcdfy.dll

Filesize
8KB

MD5
0dc9ebd592ea7e8702ec40d637730ec5

SHA1
8be6fee59fc863fa58c0f60ce2ddffa06d3b984c

SHA256
accf59659e335caccae26d7266fabf80b3fd0d8f5f8fe1611fefacb23ca7ed9b

SHA512
2e63595cf5e239b6f2225a1c8ac18f17bf50840dd5ace857c77cde8913ead7e7214d61993400ab743a21e587e392d72e8371588528bbf172bf09f9e716b9a9b3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evbgcdfy\CSCDFDC09EC2D14EAA9E534BB6E030D356.TMP

Filesize
652B

MD5
d837c4e43b042492c71b7fb224283c80

SHA1
79c2fcec0cbf6f0fdf37e30035d381f735383891

SHA256
d68bedfcdc8ab957f27e87c8585f80eadf00ecd21a8044cbca9b10781423ba4b

SHA512
bd6f2ea18de1bf069dd65c050dabbf52d561117cdbf642bf18e92fc24f842010e2f3b11fa7b29110c22d447de9c5e53bfe4da32db634f04f5a67d87aff2f54c1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evbgcdfy\evbgcdfy.0.cs

Filesize
11KB

MD5
9ade8655c48efd8bdbb0749d1e530133

SHA1
2a8b2353c3c21c8af64a115bce8caec0bd9cd010

SHA256
b780c209ecafd59f57fb9cc6dd3ccf53d6fa1b299a7d0edba91ee6e9acf9df87

SHA512
46a04af8a3e97c7319ea6eec49ff4939e366ca823dd75bf1715efa1f1341d96207ebc60867c836981f8998a4ed7e1b4cf8c032b8e7491cfa4995306ac3d9271f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\evbgcdfy\evbgcdfy.cmdline

Filesize
369B

MD5
136b45bf43220e4be89138ca5e5d02c3

SHA1
5d62716ad12c35fca8d42e114ae15007446b1614

SHA256
c9376a2dd6c266fcca7eed2ffe82df45b71dcd8ad5293ef7756d2229ad5b908a

SHA512
ea3cda852620ae98785fdabde301d392aeba5781f57c5b737df71bc99e02bd6f563f21397a8cafe674d00d99fe5459d416e927c057e68cc75ab66c338d686793

Download Submit
memory/1060-9-0x0000010EE6AE0000-0x0000010EE6B02000-memory.dmp

Filesize
136KB

Download
memory/1060-10-0x00007FFDC2150000-0x00007FFDC2C11000-memory.dmp

Filesize
10.8MB

Download
memory/1060-11-0x0000010EE6B30000-0x0000010EE6B40000-memory.dmp

Filesize
64KB

Download
memory/1060-12-0x0000010EE6B30000-0x0000010EE6B40000-memory.dmp

Filesize
64KB

Download
memory/1060-25-0x0000010ECE680000-0x0000010ECE688000-memory.dmp

Filesize
32KB

Download
memory/1060-27-0x00007FFDC2150000-0x00007FFDC2C11000-memory.dmp

Filesize
10.8MB

Download