f7abcbdb4896f995674c927c3e3b46fbf40125c26cc8ebb09d88ee0d71d4a25f

Analysis

max time kernel
163s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

508167b2c34732f05f11f2531b2498a2.exe
Size

5.9MB
MD5

508167b2c34732f05f11f2531b2498a2
SHA1

88f5a4f580243a098662a8c1dd3ea86a60407c81
SHA256

f7abcbdb4896f995674c927c3e3b46fbf40125c26cc8ebb09d88ee0d71d4a25f
SHA512

3b6dd1409a15da49609ce4779c66a08768fa635cb7a8ce3fd6e9a0f56f5055de9c7b09eb9dfad3f542ff6478fd661c8c46e42e1580d4e5311dd465d79fea8c5c
SSDEEP

49152:P8L4dlrb/TkvO90dL3BmAFd4A64nsfJ9uB5q9FbvbhZdGDSj0uBTfA6VzHv3+6kP:P80Du3mAQQQQQQQQQQQQQ

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4572	powershell.exe
4572	powershell.exe
4296	powershell.exe
4296	powershell.exe
4296	powershell.exe
4664	powershell.exe
4664	powershell.exe
4664	powershell.exe
3904	powershell.exe
3904	powershell.exe
3904	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4580	508167b2c34732f05f11f2531b2498a2.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 4572	4580	508167b2c34732f05f11f2531b2498a2.exe	96
PID 4580 wrote to memory of 4572	4580	508167b2c34732f05f11f2531b2498a2.exe	96
PID 4572 wrote to memory of 4584	4572	powershell.exe	98
PID 4572 wrote to memory of 4584	4572	powershell.exe	98
PID 4584 wrote to memory of 4976	4584	csc.exe	99
PID 4584 wrote to memory of 4976	4584	csc.exe	99
PID 4572 wrote to memory of 4296	4572	powershell.exe	107
PID 4572 wrote to memory of 4296	4572	powershell.exe	107
PID 4572 wrote to memory of 4664	4572	powershell.exe	114
PID 4572 wrote to memory of 4664	4572	powershell.exe	114
PID 4572 wrote to memory of 3904	4572	powershell.exe	116
PID 4572 wrote to memory of 3904	4572	powershell.exe	116

C:\Users\Admin\AppData\Local\Temp\508167b2c34732f05f11f2531b2498a2.exe
"C:\Users\Admin\AppData\Local\Temp\508167b2c34732f05f11f2531b2498a2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5nrx1pny\5nrx1pny.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38F8.tmp" "c:\Users\Admin\AppData\Local\Temp\5nrx1pny\CSC5777F788818D47C889D81BB63BD850A6.TMP"
      4⤵
      PID:4976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
93678e82d776686aa54c42b8a98e6cbc

SHA1
802939dfed99ac74814c4371388b204c5810241d

SHA256
da32a79a8e04cbafb1c5980b3d6225f4705010df5eb45d464cd5bf6b642d7841

SHA512
0b412a1e11c0639d72f6a58c661ecc43da021c010c4d1e66051c5a376ebab287480bbf663345c9bd2a79ec3a35a9788cf04d74d612449f76fe2c87576cd13520

Download Submit
C:\Users\Admin\AppData\Local\Temp\5nrx1pny\5nrx1pny.dll

Filesize
3KB

MD5
dba6bffff1675cb45e1c0cf62040a13e

SHA1
cdd316ab1c5c7847a54ca36a4b7290e7cd827674

SHA256
e1edaa95c2d03728feec8b32cac8f9106d22294d8229a4a972946117b60257d2

SHA512
f5b59b19974b355e55b8b154e34b8fc5443ec5f1d57ffa949bae23487666b63de2a840660745b2efd0477e87f9ba2ff3e34cd79f559a390039493cc87d2d0f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES38F8.tmp

Filesize
1KB

MD5
63e8ad880bd2ae7da9b9f3b2e8560ac3

SHA1
6100dcabe5366c351e07a9317ae3c626f6efda9f

SHA256
4b8286004839448648cfb856af72be38361e5243147d7c1a26cb1b255b9090e0

SHA512
4ce6069770d75f51d277042d37214fcdabffd7274ddc16fb7ff1e6ea37ba76232dc7313dec5d64117af3a2ba8b19ab652f64c2dc3620b934c25a8645b1cde007

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ydvhuwkz.ewe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ready.ps1

Filesize
1KB

MD5
3447df88de7128bdc34942334b2fab98

SHA1
519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb

SHA256
9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9

SHA512
2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1

Filesize
2.5MB

MD5
c16f184d9d62eddb657c4a000477bed7

SHA1
5cae0c725cec08ec9bc5a2b246f55401329641f6

SHA256
eb5ed128539eeb68644aa0546eb88a8ee6c35e9bb0627dff4d59f6ac9b114528

SHA512
c8e8c2151a2fef875ce447dd857fdafcfd172d2f1ad5fe6d72caeed173efc1a64c296b50b98c61dec8b61f5ae05ca1b9e742fa19b851deee476537d55b089628

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5nrx1pny\5nrx1pny.0.cs

Filesize
424B

MD5
4864fc038c0b4d61f508d402317c6e9a

SHA1
72171db3eea76ecff3f7f173b0de0d277b0fede7

SHA256
0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84

SHA512
9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5nrx1pny\5nrx1pny.cmdline

Filesize
369B

MD5
435e632bdb3306350f165e9e892094d9

SHA1
dbe69e22664588b9581f49095d9bfa382fbda919

SHA256
4569852b6a40b20fc581b7ae050d97eec2337c3267d7145a0c382ff01ae9946b

SHA512
543ed65a16f5eb0796807c2b72c34a4b5239c3d9f55064c69623b9d5d7f93497828c6029f23529716bea6f544b8a83dd743b78532edf855968498c0dcc39dd32

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5nrx1pny\CSC5777F788818D47C889D81BB63BD850A6.TMP

Filesize
652B

MD5
f247e782d05c13587caf039a329d028b

SHA1
4425d29011a47325ae4a4b2d252766baa8fad953

SHA256
faa2db348cf2de0c55ca98af5a2b9233122e547c07aff724dd9a8fb24452b1f5

SHA512
d658e782a913408869f469ab5c90e4f819d5ee9cc113eb7ed3898bf4ed3d382b78e7524de0698ba29e961141198f68f86fcfafda8f64778d5c416a98fc984afe

Download Submit
memory/3904-78-0x00007FFA71B10000-0x00007FFA725D1000-memory.dmp

Filesize
10.8MB

Download
memory/3904-79-0x000001D9E4110000-0x000001D9E4120000-memory.dmp

Filesize
64KB

Download
memory/3904-80-0x000001D9E4110000-0x000001D9E4120000-memory.dmp

Filesize
64KB

Download
memory/3904-90-0x00007FFA71B10000-0x00007FFA725D1000-memory.dmp

Filesize
10.8MB

Download
memory/4296-49-0x00007FFA71B10000-0x00007FFA725D1000-memory.dmp

Filesize
10.8MB

Download
memory/4296-50-0x00000234E09B0000-0x00000234E09C0000-memory.dmp

Filesize
64KB

Download
memory/4296-60-0x00000234E09B0000-0x00000234E09C0000-memory.dmp

Filesize
64KB

Download
memory/4296-63-0x00007FFA71B10000-0x00007FFA725D1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-13-0x000001F5983F0000-0x000001F598400000-memory.dmp

Filesize
64KB

Download
memory/4572-25-0x000001F5983F0000-0x000001F598400000-memory.dmp

Filesize
64KB

Download
memory/4572-24-0x000001F5B1250000-0x000001F5B1272000-memory.dmp

Filesize
136KB

Download
memory/4572-14-0x000001F5983F0000-0x000001F598400000-memory.dmp

Filesize
64KB

Download
memory/4572-91-0x00007FFA81690000-0x00007FFA816A9000-memory.dmp

Filesize
100KB

Download
memory/4572-40-0x000001F598430000-0x000001F598438000-memory.dmp

Filesize
32KB

Download
memory/4572-12-0x00007FFA71B10000-0x00007FFA725D1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-43-0x00007FFA71B10000-0x00007FFA725D1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-44-0x000001F5983F0000-0x000001F598400000-memory.dmp

Filesize
64KB

Download
memory/4572-45-0x000001F5983F0000-0x000001F598400000-memory.dmp

Filesize
64KB

Download
memory/4572-46-0x000001F5983F0000-0x000001F598400000-memory.dmp

Filesize
64KB

Download
memory/4572-47-0x000001F5B18D0000-0x000001F5B1A46000-memory.dmp

Filesize
1.5MB

Download
memory/4572-48-0x000001F5B1C60000-0x000001F5B1E6A000-memory.dmp

Filesize
2.0MB

Download
memory/4580-9-0x000001A46C1E0000-0x000001A46C1F0000-memory.dmp

Filesize
64KB

Download
memory/4580-5-0x000001A46C1E0000-0x000001A46C1F0000-memory.dmp

Filesize
64KB

Download
memory/4580-7-0x000001A46C1E0000-0x000001A46C1F0000-memory.dmp

Filesize
64KB

Download
memory/4580-6-0x00007FFA71B10000-0x00007FFA725D1000-memory.dmp

Filesize
10.8MB

Download
memory/4580-4-0x000001A46C1E0000-0x000001A46C1F0000-memory.dmp

Filesize
64KB

Download
memory/4580-0-0x000001A46CE30000-0x000001A46D256000-memory.dmp

Filesize
4.1MB

Download
memory/4580-1-0x00007FFA71B10000-0x00007FFA725D1000-memory.dmp

Filesize
10.8MB

Download
memory/4580-2-0x000001A46C1E0000-0x000001A46C1F0000-memory.dmp

Filesize
64KB

Download
memory/4580-3-0x000001A46C1E0000-0x000001A46C1F0000-memory.dmp

Filesize
64KB

Download
memory/4580-8-0x000001A46C1E0000-0x000001A46C1F0000-memory.dmp

Filesize
64KB

Download
memory/4664-77-0x00007FFA71B10000-0x00007FFA725D1000-memory.dmp

Filesize
10.8MB

Download
memory/4664-76-0x000001B2323E0000-0x000001B2323F0000-memory.dmp

Filesize
64KB

Download
memory/4664-66-0x000001B2323E0000-0x000001B2323F0000-memory.dmp

Filesize
64KB

Download
memory/4664-65-0x000001B2323E0000-0x000001B2323F0000-memory.dmp

Filesize
64KB

Download
memory/4664-64-0x00007FFA71B10000-0x00007FFA725D1000-memory.dmp

Filesize
10.8MB

Download