12c8c3d9dc6418bc3add4c452fd56b78948ef37166cfaa6c5347e5f2e9734891

General

Target

unobswin.ps1
Size

2KB
MD5

f5890b9f06e330d27fdca75a5c463cf7
SHA1

e4e4d1aa11dea167e2a668e1d1fab3edd3237784
SHA256

12c8c3d9dc6418bc3add4c452fd56b78948ef37166cfaa6c5347e5f2e9734891
SHA512

909feb05cfccf92a24c384f0d24960ea90e9eac79a4dec671cd9099baa9697c0544b791361d28bf29d6bf226a67e974887831ec3d1cb35f79569529fccdcb58e

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2940	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2696	dw20.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2396	2940	powershell.exe	29
PID 2940 wrote to memory of 2396	2940	powershell.exe	29
PID 2940 wrote to memory of 2396	2940	powershell.exe	29
PID 2396 wrote to memory of 3048	2396	csc.exe	30
PID 2396 wrote to memory of 3048	2396	csc.exe	30
PID 2396 wrote to memory of 3048	2396	csc.exe	30
PID 2940 wrote to memory of 2696	2940	powershell.exe	31
PID 2940 wrote to memory of 2696	2940	powershell.exe	31
PID 2940 wrote to memory of 2696	2940	powershell.exe	31

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\unobswin.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\htcnyydn.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A89.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4A88.tmp"
    3⤵
    PID:3048
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 864
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4A89.tmp

Filesize
1KB

MD5
70ed0b6cc7992118f278705b6d2decb8

SHA1
0134a5440de35676ae29b46db73411a464085e52

SHA256
686bae4b2e271b08ed6542c05eb6371df74857b9867f467da2d7c5e557db2058

SHA512
e47a21e65f2c75a1a7032691b6871e1f401b5cd076158822184085a7f097c48322a3c7f557a5d25ba6ed14f95a4a2356339889f529a109ab39071af64a117d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\htcnyydn.dll

Filesize
3KB

MD5
e99111bca05331b79040a4df76c4228e

SHA1
d30d791a538a9768128b75e05ec9bcbbb6868d13

SHA256
58f0d3859c7e41e723a4c91aaf5deb58c7df55a06432d0581a3ebfb7e8544fdc

SHA512
6703b614e4bb462d232146a7bff0c8e895ceeb6f49d9a51675081c5c34b45d050cba7c7e5ab68a50de330bf60b2c35712573a29f9bc957961ca3751302d641a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\htcnyydn.pdb

Filesize
7KB

MD5
1366c9df05b712ce21998088919fb26c

SHA1
9c5d4d51ba39151749a0eba98ec97b60dabcbe96

SHA256
7aa6897db24f5c84916119dd3fe8b45c9e435fa2e1a16a0454c1c5d6dc6be378

SHA512
f4b63e1a623147e647f283d19086dd01b4a8f026a8b06ee9cf42385c28ef02461c6ce391d08fddfa0af1d114bde7d1ed81532d760e6e9c8124313aa9ebff9156

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4A88.tmp

Filesize
652B

MD5
10db5822d7eae5b8a031c439d1171b48

SHA1
cad591ad3382e01c6a705d284e2544faf78d043c

SHA256
7ddc0b21de280518023f972462115b9e531b712fd809e1d292647d09f1a4c51c

SHA512
fcb59f8f74b438bbd0f5767631cde0c6423c5fd12e54a18b979158ad8281ad46e4765682e5921dce39294e806092e75a6133aca58afb825c3612e0aab9083542

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\htcnyydn.0.cs

Filesize
566B

MD5
5e0d17750a88ae9904d318b1f74958d2

SHA1
13e656826bd7798077dcfb124b0fdcbbc7c4a008

SHA256
160c9e4d4cc91e8eb915616395e206079c35766bfba43c227418252184866c5f

SHA512
db330adceb94cac65076f53cf2f03662f62b17ab167cccfac302a5a4400dfdd18ec2b395c0322c3a94eedc667ce7a78869f5a5f9f55deba9cddc8ffdbb4403ab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\htcnyydn.cmdline

Filesize
309B

MD5
ef751e982d8225f88cb71004984ef633

SHA1
c139d44b365976d9f75194cae1e886fbb3128a54

SHA256
28bc810c94840496b18ac3ea12bd3522fa5c9a5c5d9ffe48a7a9e1c5201478bd

SHA512
042802f19165015d3e99277789b1a86560cec48199f4890d28fff37d1ee2bb86fd2ec88dcb39fe61cb23e98d19c2ba5f9e0c88e6db6a9fa11732c3a3661a9d45

Download Submit
memory/2696-31-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2940-9-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-4-0x000000001B430000-0x000000001B712000-memory.dmp

Filesize
2.9MB

Download
memory/2940-10-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2940-5-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-7-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2940-8-0x0000000001F90000-0x0000000001F98000-memory.dmp

Filesize
32KB

Download
memory/2940-25-0x0000000002700000-0x0000000002708000-memory.dmp

Filesize
32KB

Download
memory/2940-11-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2940-28-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/2940-6-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2940-30-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2940-29-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-32-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2940-33-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-34-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2940-35-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing