Resubmissions

16/04/2024, 19:44 UTC

240416-yfyf3aag99 7

16/04/2024, 19:29 UTC

240416-x7jljscb21 7

Analysis

  • max time kernel
    140s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/04/2024, 19:29 UTC

General

  • Target

    locales/uk.ps1

  • Size

    688KB

  • MD5

    ee70e9f3557b9c8c67bfb8dfcb51384d

  • SHA1

    fc4dfc35cde1a00f97eefe5e0a2b9b9c0149751e

  • SHA256

    54324671a161f6d67c790bfd29349db2e2d21f5012dc97e891f8f5268bdf7e22

  • SHA512

    f4e1da71cb0485851e8ebcd5d5cf971961737ad238353453db938b4a82a68a6bbaf3de7553f0ff1f915a0e6640a3e54f5368d9154b0a4ad38e439f5808c05b9f

  • SSDEEP

    12288:wrccq9nty/KiDswU1nbx05kB3IjUUmEg5KuoLNiXElqnOyh:HGX35EEK

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes (both entries sit at the top level of the process tree; powershell.exe spawned no child processes during the run)

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\locales\uk.ps1
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1176
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x47c 0x2ec
    • Suspicious use of AdjustPrivilegeToken
    PID:4916
    (Windows Audio Device Graph Isolation, a system process started by the Windows audio service; it is not a child of the script, so its AdjustPrivilegeToken hit is not attributable to uk.ps1.)
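The powershell.exe command line above (execution policy overridden with -ExecutionPolicy bypass, script loaded with -File from the user's %TEMP%) is the pattern a detection engineer alerts on regardless of what the script itself does. The following Python is an added example, not part of the Triage report or of uk.ps1. It runs over constructed process-creation events (pid, image and command-line fields in the shape of Sysmon Event ID 1 or Security 4688; only the first two mirror the process list above) and reproduces powershell.exe's switch-abbreviation rules so that -ep, -ex, -exec and -ExecutionPolicy all match, and -f as well as -File. The staging-directory list and the severity scheme are assumptions to adapt to your environment.

```python
"""Flag PowerShell launches that override the execution policy and run a
script from a user-writable staging directory. Added example; the events
below are constructed, modelled on Sysmon Event ID 1 / Security 4688 fields."""
import re

# Keeps quoted arguments (paths with spaces) together as one token.
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# powershell.exe accepts '-' or '/' as the switch introducer and also the
# en dash, em dash and horizontal bar that word processors substitute.
_SWITCH_CHARS = "-/\u2013\u2014\u2015"

_POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
_WEAK_POLICIES = {"bypass", "unrestricted"}

# Assumed list of directories a script should not normally execute from.
_STAGING_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
    "\\downloads\\",
)

# Constructed sample events (the first two mirror the report's process list).
SAMPLE_EVENTS = [
    {"pid": 1176, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\locales\uk.ps1"},
    {"pid": 4916, "image": r"C:\Windows\system32\AUDIODG.EXE",
     "cmdline": r"C:\Windows\system32\AUDIODG.EXE 0x47c 0x2ec"},
    {"pid": 2200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ep Bypass -nop -w hidden -f C:\Users\Admin\Downloads\invoice.ps1"},
    {"pid": 2300, "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": r'"C:\Program Files\PowerShell\7\pwsh.exe" -File C:\Scripts\backup.ps1'},
    {"pid": 2400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ex Unrestricted -File C:\Scripts\deploy.ps1"},
    {"pid": 2500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Windows\Temp\update.ps1"},
]


def _is_switch(tok, long_name, shortest):
    """powershell.exe matches a switch by prefix: any prefix of long_name at
    least as long as `shortest` is accepted (-ex, -exec, -executionpolicy)."""
    if len(tok) < 2 or tok[0] not in _SWITCH_CHARS:
        return False
    key = tok[1:].lower()
    return len(key) >= len(shortest) and long_name.startswith(key)


def _is_policy_switch(tok):
    # "-ep" is a dedicated alias that is not a prefix of "executionpolicy".
    return _is_switch(tok, "executionpolicy", "ex") or _is_switch(tok, "ep", "ep")


def _is_file_switch(tok):
    return _is_switch(tok, "file", "f")


def parse_powershell_cmdline(cmdline):
    """Return (execution_policy, script_path), each None when absent.
    Parsing stops after -File <path>: powershell.exe hands everything that
    follows to the script as the script's own arguments."""
    toks = [t.strip('"') for t in _TOKEN_RE.findall(cmdline)]
    policy = script = None
    i = 1  # toks[0] is the executable
    while i + 1 < len(toks):
        if _is_policy_switch(toks[i]):
            policy = toks[i + 1].lower()
            i += 2
        elif _is_file_switch(toks[i]):
            script = toks[i + 1]
            break
        else:
            i += 1
    return policy, script


def is_staging_path(path):
    p = path.lower().replace("/", "\\")
    return any(d in p for d in _STAGING_DIRS)


def analyze_event(event):
    """Return a finding for one process-creation event, or None."""
    image = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in _POWERSHELL_IMAGES:
        return None
    policy, script = parse_powershell_cmdline(event["cmdline"])
    reasons = []
    if policy in _WEAK_POLICIES:
        reasons.append(f"execution policy overridden to '{policy}'")
    if script and is_staging_path(script):
        reasons.append(f"script run from staging directory: {script}")
    if not reasons:
        return None
    return {
        "pid": event["pid"],
        "policy": policy,
        "script": script,
        # Assumed scheme: both indicators together is the classic loader pattern.
        "severity": "high" if len(reasons) == 2 else "medium",
        "reasons": reasons,
    }


def analyze(events):
    return [f for f in map(analyze_event, events) if f is not None]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding["pid"], finding["severity"], "; ".join(finding["reasons"]))
```

Run as-is it reports PID 1176 and the constructed PID 2200 as high (policy override plus staging directory) and PIDs 2400 and 2500 as medium (one indicator each); AUDIODG.EXE and the pwsh.exe launch from C:\Scripts produce nothing. Stopping the parse at -File matters: a policy switch placed after the script path is passed to the script, not honoured by powershell.exe, so the rule must not credit it.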

Network

DNS (every query went to 8.8.8.8:53; the report geolocates all remote addresses as US):

  • g.bing.com  IN A
    Response: g.bing.com  IN CNAME  g-bing-com.dual-a-0034.a-msedge.net
              g-bing-com.dual-a-0034.a-msedge.net  IN CNAME  dual-a-0034.a-msedge.net
              dual-a-0034.a-msedge.net  IN A  204.79.197.237
              dual-a-0034.a-msedge.net  IN A  13.107.21.237
  • 172.210.232.199.in-addr.arpa  IN PTR
    Response: no answer records
  • 241.154.82.20.in-addr.arpa  IN PTR
    Response: no answer records
  • 29.90.28.184.in-addr.arpa  IN PTR
    Response: 29.90.28.184.in-addr.arpa  IN PTR  a184-28-90-29.deploy.static.akamaitechnologies.com
  • 237.197.79.204.in-addr.arpa  IN PTR
    Response: no answer records
  • 25.63.96.20.in-addr.arpa  IN PTR
    Response: no answer records
  • 103.169.127.40.in-addr.arpa  IN PTR
    Response: no answer records
  • 206.23.85.13.in-addr.arpa  IN PTR
    Response: no answer records
  • 32.251.17.2.in-addr.arpa  IN PTR
    Response: 32.251.17.2.in-addr.arpa  IN PTR  a2-17-251-32.deploy.static.akamaitechnologies.com
  • 216.197.17.2.in-addr.arpa  IN PTR
    Response: 216.197.17.2.in-addr.arpa  IN PTR  a2-17-197-216.deploy.static.akamaitechnologies.com
  • 31.243.111.52.in-addr.arpa  IN PTR
    Response: no answer records
  • 249.197.17.2.in-addr.arpa  IN PTR
    Response: 249.197.17.2.in-addr.arpa  IN PTR  a2-17-197-249.deploy.static.akamaitechnologies.com
  • 105.193.132.51.in-addr.arpa  IN PTR
    Response: no answer records

Flows (remote address, domain, protocol, bytes sent / received, packets sent / received):

  • 204.79.197.237:443  g.bing.com  tls  2.0kB / 9.2kB  21 / 18
  • 52.111.229.43:443  (no domain or protocol recorded)  322 B  7 packets  (the report shows a single byte count and a single packet count for this flow)
  • 8.8.8.8:53  g.bing.com  dns  56 B / 151 B  1 / 1
    DNS request: g.bing.com; DNS response: 204.79.197.237, 13.107.21.237
  • 8.8.8.8:53  172.210.232.199.in-addr.arpa  dns  74 B / 128 B  1 / 1
  • 8.8.8.8:53  241.154.82.20.in-addr.arpa  dns  72 B / 158 B  1 / 1
  • 8.8.8.8:53  29.90.28.184.in-addr.arpa  dns  71 B / 135 B  1 / 1
  • 8.8.8.8:53  237.197.79.204.in-addr.arpa  dns  73 B / 143 B  1 / 1
  • 8.8.8.8:53  25.63.96.20.in-addr.arpa  dns  70 B / 156 B  1 / 1
  • 8.8.8.8:53  103.169.127.40.in-addr.arpa  dns  73 B / 147 B  1 / 1
  • 8.8.8.8:53  206.23.85.13.in-addr.arpa  dns  71 B / 145 B  1 / 1
  • 8.8.8.8:53  32.251.17.2.in-addr.arpa  dns  70 B / 133 B  1 / 1
  • 8.8.8.8:53  216.197.17.2.in-addr.arpa  dns  71 B / 135 B  1 / 1
  • 8.8.8.8:53  31.243.111.52.in-addr.arpa  dns  72 B / 158 B  1 / 1
  • 8.8.8.8:53  249.197.17.2.in-addr.arpa  dns  71 B / 135 B  1 / 1
  • 8.8.8.8:53  105.193.132.51.in-addr.arpa  dns  73 B / 159 B  1 / 1

The report does not tie flows to processes. The g.bing.com resolution and TLS session and the reverse lookups of Microsoft and Akamai address space are the background traffic the Windows 10 image generates on its own, so they should not be treated as indicators for this sample; the only flow without a recorded domain or protocol is the one to 52.111.229.43:443.

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dwsw35so.vug.ps1
    (PowerShell itself writes a 60-byte __PSScriptPolicyTest_*.ps1 probe to %TEMP% at every start-up to test whether AppLocker/WDAC policy enforces Constrained Language Mode; it is a host artifact of launching powershell.exe, not a file dropped by uk.ps1.)

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/1176-9-0x000001D430760000-0x000001D430782000-memory.dmp

    Filesize

    136KB

  • memory/1176-10-0x00007FFB92730000-0x00007FFB931F1000-memory.dmp

    Filesize

    10.8MB

  • memory/1176-12-0x000001D42E540000-0x000001D42E550000-memory.dmp

    Filesize

    64KB

  • memory/1176-11-0x000001D42E540000-0x000001D42E550000-memory.dmp

    Filesize

    64KB

  • memory/1176-15-0x00007FFB92730000-0x00007FFB931F1000-memory.dmp

    Filesize

    10.8MB
