12c8c3d9dc6418bc3add4c452fd56b78948ef37166cfaa6c5347e5f2e9734891

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2023, 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

unobswin.ps1
Size

2KB
MD5

f5890b9f06e330d27fdca75a5c463cf7
SHA1

e4e4d1aa11dea167e2a668e1d1fab3edd3237784
SHA256

12c8c3d9dc6418bc3add4c452fd56b78948ef37166cfaa6c5347e5f2e9734891
SHA512

909feb05cfccf92a24c384f0d24960ea90e9eac79a4dec671cd9099baa9697c0544b791361d28bf29d6bf226a67e974887831ec3d1cb35f79569529fccdcb58e

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4972	powershell.exe
4972	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 4056	4972	powershell.exe	87
PID 4972 wrote to memory of 4056	4972	powershell.exe	87
PID 4056 wrote to memory of 2748	4056	csc.exe	88
PID 4056 wrote to memory of 2748	4056	csc.exe	88

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\unobswin.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mzgrnsh2\mzgrnsh2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA2A.tmp" "c:\Users\Admin\AppData\Local\Temp\mzgrnsh2\CSC9E8B8E1AAFD64FDB9DA5BABCB633C9.TMP"
    3⤵
    PID:2748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAA2A.tmp

Filesize
1KB

MD5
341760d37e8037f9a1cf4a3087c24cf2

SHA1
cddad51cf2c61b4a8a8c65efbae9ac1d1a56bbcd

SHA256
367c3b12ff175464e15dd8d4e5b33bf497a1f3bc9bf4286be8906930a440bff9

SHA512
f6097c90812da8a048d8f509c19ba607cdb36b2d47856c45f8435b76d07a898f78e4ce0f02d0b7edfd295d56066b2f4a24290a79dc3fb6da295ba343cdc7d0be

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tfuglogq.aqd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzgrnsh2\mzgrnsh2.dll

Filesize
3KB

MD5
b293cf8106f1c2592c1f053b60f06871

SHA1
96f107a112de164573d6d85e838c80a656b54edd

SHA256
9792fb45c497fbd8f2eaa0f3765c60e3461cb96904b222d09fd6cfb39f34143e

SHA512
cd0453d9d49c2371bebac26ee2c67a129d7c7ae3d40bcee7d58835fd104c3da022585a4e7ae6296d8e1cfe02f9b8c97b787854251dd951b13ecb36144e4452fb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mzgrnsh2\CSC9E8B8E1AAFD64FDB9DA5BABCB633C9.TMP

Filesize
652B

MD5
43ee72d94b0fb96a1a067e0d5689d142

SHA1
3fec20ef39a34f5c0a70e884b8d66126bc2bff33

SHA256
5db5655383bc5c86f0b8bc39f7daaad3bb36060d7bbc03dea50421645bf5bb6d

SHA512
df84d4ffe31ee629a047b8cb675177954364d721f32f6c1d603f418cb4a58b4bb19b3f877bccdd151ceefc3f1bfebf41caf103c97dba2819beef1671075a8ad7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mzgrnsh2\mzgrnsh2.0.cs

Filesize
566B

MD5
5e0d17750a88ae9904d318b1f74958d2

SHA1
13e656826bd7798077dcfb124b0fdcbbc7c4a008

SHA256
160c9e4d4cc91e8eb915616395e206079c35766bfba43c227418252184866c5f

SHA512
db330adceb94cac65076f53cf2f03662f62b17ab167cccfac302a5a4400dfdd18ec2b395c0322c3a94eedc667ce7a78869f5a5f9f55deba9cddc8ffdbb4403ab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mzgrnsh2\mzgrnsh2.cmdline

Filesize
369B

MD5
e1faa3b17caffd971ef903ec5baab66b

SHA1
e856291eb926b70598a8b165d207dc5c86f174bc

SHA256
df1927600093b8455454fe1b1ca180014d2692757c846d36b3cae89aa412b341

SHA512
6376346c61a2c9897686c5de2ab699df096963fe8219f539806884dedb44e17b29e49fa524f5b3428c80122c784ce5122761397ba11e5e81f742db33c3b333d4

Download Submit
memory/4972-13-0x000001EC687D0000-0x000001EC687E0000-memory.dmp

Filesize
64KB

Download
memory/4972-12-0x000001EC687D0000-0x000001EC687E0000-memory.dmp

Filesize
64KB

Download
memory/4972-11-0x000001EC687D0000-0x000001EC687E0000-memory.dmp

Filesize
64KB

Download
memory/4972-10-0x00007FFAC5FA0000-0x00007FFAC6A61000-memory.dmp

Filesize
10.8MB

Download
memory/4972-9-0x000001EC69290000-0x000001EC692B2000-memory.dmp

Filesize
136KB

Download
memory/4972-26-0x000001EC687B0000-0x000001EC687B8000-memory.dmp

Filesize
32KB

Download
memory/4972-28-0x000001EC687C0000-0x000001EC687C1000-memory.dmp

Filesize
4KB

Download
memory/4972-30-0x00007FFAC5FA0000-0x00007FFAC6A61000-memory.dmp

Filesize
10.8MB

Download