187bf95439da038c1bc291619507ff5e426d250709fa5e3eda7fda99e1c9854c

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 07:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

187bf95439da038c1bc291619507ff5e426d250709fa5e3eda7fda99e1c9854c.ps1
Size

983KB
MD5

b0c9db20b468e0fd5e0a7dc4e8c3f47e
SHA1

196bbf284bd504b323dab65d67141e0289c9650e
SHA256

187bf95439da038c1bc291619507ff5e426d250709fa5e3eda7fda99e1c9854c
SHA512

e6554bccfb384da004b4eeed1f966ddcfae23b48d8755b660379679140653a6777130a87a362e0f2fdbd6e689dfa57a2a0a72b13e4a94d01275929cc6cb4f0ea
SSDEEP

24576:juh7HhsAwaHo44qGPIHWxni6wfqy3BTdQIVR:+HJQpiDfq0Z7

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4588	powershell.exe
4588	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4588	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 464	4588	powershell.exe	88
PID 4588 wrote to memory of 464	4588	powershell.exe	88
PID 464 wrote to memory of 4980	464	csc.exe	91
PID 464 wrote to memory of 4980	464	csc.exe	91

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\187bf95439da038c1bc291619507ff5e426d250709fa5e3eda7fda99e1c9854c.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hnodruse\hnodruse.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36DF.tmp" "c:\Users\Admin\AppData\Local\Temp\hnodruse\CSC9DAA36A49F754E2F9EBEA84A6CD102A.TMP"
    3⤵
    PID:4980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES36DF.tmp

Filesize
1KB

MD5
7f4ec52ee1a751795f03a307816d740d

SHA1
31f1b388ba72b4a78ed70247039b121d362f29c3

SHA256
561612ba936daff961044cdefa1359f7f454497ee0576e16b2749e1870258b98

SHA512
f6e10c755eda1fac48d701550e80545e3399c304730e41aa84bf58600f0217d704ae65cae15150151d5920235f40762a77fa5548e1ce171ea289c6ff3d068a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tqcgakec.wxt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hnodruse\hnodruse.dll

Filesize
3KB

MD5
066f0eb88f4bf147c3efe8ba444396f5

SHA1
a8c47811fc89821684df9459b80b7a3884dc0efa

SHA256
77e68bd111109e6a1f52bd29f535c21bfef075b5afadde0c8a192644c74129fe

SHA512
bef15b0235b52ecda5ebed102a50c81fc0bea7fa4fb47293aa9b8247947560beef8fc47bdb998ddc39dc20a8051cd3dc918d1b03a17b86bf43e617855a7dd347

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hnodruse\CSC9DAA36A49F754E2F9EBEA84A6CD102A.TMP

Filesize
652B

MD5
fba6abc74ce02856ea470c6f3433bede

SHA1
dd7ae5f5d7d123f3b70c0f675eca995f8c28f17c

SHA256
10b74487bebdb2c504281ccd07033a9999f2b4d763a14c1786f338b423013505

SHA512
b633f1db559517e9f8439a19b96aaa4b3d0cf253d463035781cba97dcf95e8001445499efcdcc8dac43f0937b65a609479e0ccf6b0242b2b92027c6e6bb103c2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hnodruse\hnodruse.0.cs

Filesize
977B

MD5
4d4e062dbabff2ac65812c279e6dc303

SHA1
9cbca666d69e5203fd56802995d3cb00ed083ff7

SHA256
070c1afb7f94b40e618b2b989b126a8f2f775a439b283ccdf1aff7879895869d

SHA512
b6442831b01e1257ee38f079b0530b71d0aa9a9e8110864e1af2b1a5485f92cb99d137328418e9b97a16c88345c43ab7bb3c5548c5bb805f02c31957fa54483d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hnodruse\hnodruse.cmdline

Filesize
369B

MD5
49ba460f8ac24609eabcab293ac48955

SHA1
f5bbc3dc68cacf8a363a346afd791c1b7bc325f6

SHA256
a92c78115bbe546d33e1f3d03ab2f49f52462603c83a5c71779126022283795a

SHA512
7c0f4e7330d660c39033a5dd12e5127fdeb889c74328a64c8ddf3db5c3de93c6857f9a1351f8df54e062b75cac60373934dc294912a20de10fd7ef0055449104

Download Submit
memory/4588-11-0x000001C3CFC10000-0x000001C3CFC20000-memory.dmp

Filesize
64KB

Download
memory/4588-12-0x000001C3CFC10000-0x000001C3CFC20000-memory.dmp

Filesize
64KB

Download
memory/4588-0-0x000001C3D1E70000-0x000001C3D1E92000-memory.dmp

Filesize
136KB

Download
memory/4588-25-0x000001C3CFBF0000-0x000001C3CFBF8000-memory.dmp

Filesize
32KB

Download
memory/4588-10-0x00007FFCCF600000-0x00007FFCD00C1000-memory.dmp

Filesize
10.8MB

Download
memory/4588-27-0x000001C3CFC10000-0x000001C3CFC20000-memory.dmp

Filesize
64KB

Download
memory/4588-30-0x00007FFCCF600000-0x00007FFCD00C1000-memory.dmp

Filesize
10.8MB

Download