79d6b1b6b1ecb446b0f49772bf4da63fcec6f6bfc7c2e1f4924cb7acbb3b4f53

Analysis

max time kernel
92s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79d6b1b6b1ecb446b0f49772bf4da63fcec6f6bfc7c2e1f4924cb7acbb3b4f53.ps1
Size

5KB
MD5

ba83831700a73661f99d38d7505b5646
SHA1

209ffbc8ba1e93167bca9b67e0ad3561c065595d
SHA256

79d6b1b6b1ecb446b0f49772bf4da63fcec6f6bfc7c2e1f4924cb7acbb3b4f53
SHA512

408642bf6df33ab7f3b77524e9a9042a9d5c6c7586e41edb68f3bd185cead83661dd5873c272ecc3801ccf7549c2e003c02ecfac19a375ad4e7f2035f57aa6ed
SSDEEP

96:DKoOEcy54jHdcGqzQtxmR2P72gFulz/sDQJvsE016lGQnT7rjHQduiSWUo:su4jHdcrzQtxmeqCKz/nvV2EnT7rM+g

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
748	powershell.exe
748	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	748	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 228	748	powershell.exe	87
PID 748 wrote to memory of 228	748	powershell.exe	87
PID 228 wrote to memory of 3272	228	csc.exe	90
PID 228 wrote to memory of 3272	228	csc.exe	90

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\79d6b1b6b1ecb446b0f49772bf4da63fcec6f6bfc7c2e1f4924cb7acbb3b4f53.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yjauwoq0\yjauwoq0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES43EE.tmp" "c:\Users\Admin\AppData\Local\Temp\yjauwoq0\CSC7D683ABBCC404A1782D14884772B6269.TMP"
    3⤵
    PID:3272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES43EE.tmp

Filesize
1KB

MD5
e843cdb017189d8641b0b0aa37026ca1

SHA1
74c1b6629c9b0dd47107638d60b083e991193c1d

SHA256
6d06a55525314077bdf542e2a4d4d3a5d964a3d43624b82a0ed0a1c83b3b0428

SHA512
66975ade2dbb2a3b9a27b5ba837a6eb6c36c9f78f135541e21b689eb98d03d1655ce7cc98f9e25bb283cf6d04b4399da50f78d5f3a40e7e4284e5c6e59f7fe22

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dqmspjxj.2ld.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjauwoq0\yjauwoq0.dll

Filesize
3KB

MD5
ecb27aeabd057b3ca67972c13693c214

SHA1
ef6e172619670ab3be44ecc88b50e1d8bf926a03

SHA256
615c8db5d348a107ea4b865db0da91dce4f34a7efb49bacf52829ca795ef3e63

SHA512
0d613860964c14b2582a667fd197b3ff5908b28fc9c4068345f8227810f7a80539164bde5180ad613b280e9943eda612fa0a59c38025cfabdb0852bc6ad16b0e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yjauwoq0\CSC7D683ABBCC404A1782D14884772B6269.TMP

Filesize
652B

MD5
797ebf7e81417aebb9c0a908de8e5574

SHA1
b78b2722a35a54364dbd45612922b372147a2e5c

SHA256
e5564c60ff11312e0d897f97be95e3c790dc2a4f8cfc6081ad28ef4d94d278cc

SHA512
22fba7eadca063fa37d4043e6ad71eb5a917c5e34b6f9c62fa76dfae8168691674543bed77642388294b7744e8d972f601b68a206216cbd1580ae200372727b8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yjauwoq0\yjauwoq0.0.cs

Filesize
726B

MD5
dc5f0d05fbd2c9662cf7b22ac013f2a0

SHA1
433033f181fc23fa1d305997bec35c0312c7a1d1

SHA256
57a734205517041ac36ae99eb1bacc5d714b25fe0e111eefc22e8530172a4338

SHA512
50fe3167403f75670f851913fe84cfd29a670acfaaa787157ebffc89529d4013573d8536cfbf4504e28b90021cf5684641803f82e27000f266206e0e77a57142

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yjauwoq0\yjauwoq0.cmdline

Filesize
369B

MD5
7579ecfeba220a0b9b3dd0b43a57fec0

SHA1
3b61c6616f7e1d34eacfbfc3c57f3973c9a05d9c

SHA256
f4481a896d1d75dbdc02d3b36786c148dceac22a599c0373af424ce2d8aaa734

SHA512
9bedd3d9440730af856f22ee4354c4ab9dcf266ae9ceeec1d0ef2e0fd8371e7118ac117a4851a8d7fade096e4349112d0fe562ef78b7d514d91b7193bc1974de

Download Submit
memory/748-11-0x000001772B200000-0x000001772B210000-memory.dmp

Filesize
64KB

Download
memory/748-12-0x000001772B200000-0x000001772B210000-memory.dmp

Filesize
64KB

Download
memory/748-10-0x00007FFED2870000-0x00007FFED3331000-memory.dmp

Filesize
10.8MB

Download
memory/748-25-0x0000017745BD0000-0x0000017745BD8000-memory.dmp

Filesize
32KB

Download
memory/748-9-0x000001772B210000-0x000001772B232000-memory.dmp

Filesize
136KB

Download
memory/748-27-0x000001772B200000-0x000001772B210000-memory.dmp

Filesize
64KB

Download
memory/748-28-0x0000017745BF0000-0x0000017745BF1000-memory.dmp

Filesize
4KB

Download
memory/748-30-0x00007FFED2870000-0x00007FFED3331000-memory.dmp

Filesize
10.8MB

Download