101b3147d404150b3c0c882ab869a18eb6eeb79e8b7b2df81fb4be1a8b58f1bf

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

101b3147d404150b3c0c882ab869a18eb6eeb79e8b7b2df81fb4be1a8b58f1bf.ps1
Size

159KB
MD5

bda33efc53c202c99c1e5afb3a13b30c
SHA1

e6ea0765b9a8cd255d587b92b2a80f96fab95f15
SHA256

101b3147d404150b3c0c882ab869a18eb6eeb79e8b7b2df81fb4be1a8b58f1bf
SHA512

c80d0034be873c3c9ad248cd582815239531676240e5a070fe038e8494f1791b109571ae7354279fc04ed92edb8017fb147930b1b24c04e7db3c5f587d671a1e
SSDEEP

1536:yDn6h10QqnTO/ADNM9T0AnCf9p6d9rmvvg8E5veESasEvVGZ6:Jg7sCf56p

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2312	powershell.exe
2312	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2388	2312	powershell.exe	86
PID 2312 wrote to memory of 2388	2312	powershell.exe	86
PID 2388 wrote to memory of 3828	2388	csc.exe	87
PID 2388 wrote to memory of 3828	2388	csc.exe	87

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\101b3147d404150b3c0c882ab869a18eb6eeb79e8b7b2df81fb4be1a8b58f1bf.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s2ngn1lc\s2ngn1lc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4537.tmp" "c:\Users\Admin\AppData\Local\Temp\s2ngn1lc\CSC8675147DABB845759E10576F1A5F43.TMP"
    3⤵
    PID:3828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4537.tmp

Filesize
1KB

MD5
4d58eeccf28e37f4601c2445d3ec69c8

SHA1
7b6dda2c1c61d3e7fb887e3561b998ce7680142a

SHA256
ca0328a3470c0b450240dfd7b5649e1d6cb2b22f1864f4c5b7deca28fbc0abca

SHA512
4d6898b8be9e6215ca2edbbe547965fe38414daab7db6b495890a27a0a7d7fe550984f8ced6a8b8861215ba1d23eadc444169b96b5420292bb8bd9cb4ff05bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cwry0jr4.jvk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\s2ngn1lc\s2ngn1lc.dll

Filesize
3KB

MD5
2716e5b2f77170a71adb6b705dad8c38

SHA1
030372b491fe3b89ee153ec71868e199acaa6f09

SHA256
3a0bc235093d085b5633b68f8b4a478162d32ca664b7bbf001a7d4c41ea49472

SHA512
544690cbc9dfb5c25c6fcc57a7d3c0c1ca54ea28d570cb8b6ea41cb9899076e35b890b603bc1a256fe7a1fa74ad9543198860d79b3a22d0532b4bc885930cdb5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s2ngn1lc\CSC8675147DABB845759E10576F1A5F43.TMP

Filesize
652B

MD5
8cf119a729b9ba3631ede244dabb99fa

SHA1
7826a58fd569eff9d85a6fc8fe7d4962b4e02b13

SHA256
4413301d90895c6c5851bf0ddb8a08b45a671b179aad0b0ad4751b8f69ba2b90

SHA512
2fa97ddb3016d2abb7b497738345580672e5f476891b86c72ef1aef76f903048d8b7e54b1d3c2df21afe483225ac4c738b4b227e78d957b7e746fad43134e78d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s2ngn1lc\s2ngn1lc.0.cs

Filesize
726B

MD5
f88e191d093ad6cc1be860705b7ab7fc

SHA1
716bd342acd0498efd6af6b4af4bb6795a20779f

SHA256
d469e49a74451dce953bf530a1abbe08e3463357237256b4a5e3cfe4dd1c56e6

SHA512
a01be1e2ab19f4b74788a0ba71312813edb8ad7b855f1d82092c022238bc66b6be8f84e94abc868ae3e3fbdc76a140e67b490a42ab56f04bc5e21b3e2d917757

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s2ngn1lc\s2ngn1lc.cmdline

Filesize
369B

MD5
bf6ddf256585d60b443405a5195b7185

SHA1
d35e2ff55921f037e730fae68dd8a77bcbf0458b

SHA256
af00a13f85c2ce2b02fba7c00d5fb1269fcf8118ba957d0d2f2655219491a291

SHA512
5e220dcdb8c6b775c79f20201401a89b16f677cae093776400decb0192f6a163f13296b27181376e149d9320001a6179b61f4b220f3ace827c82407f0fa8937f

Download Submit
memory/2312-12-0x000001D249570000-0x000001D249580000-memory.dmp

Filesize
64KB

Download
memory/2312-11-0x000001D249570000-0x000001D249580000-memory.dmp

Filesize
64KB

Download
memory/2312-10-0x00007FFC87130000-0x00007FFC87BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2312-25-0x000001D2310B0000-0x000001D2310B8000-memory.dmp

Filesize
32KB

Download
memory/2312-9-0x000001D249540000-0x000001D249562000-memory.dmp

Filesize
136KB

Download
memory/2312-27-0x000001D249570000-0x000001D249580000-memory.dmp

Filesize
64KB

Download
memory/2312-28-0x000001D24B7A0000-0x000001D24B7A1000-memory.dmp

Filesize
4KB

Download
memory/2312-30-0x00007FFC87130000-0x00007FFC87BF1000-memory.dmp

Filesize
10.8MB

Download