Analysis
- max time kernel: 139s
- max time network: 113s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-05-2024 06:36
Behavioral task behavioral1
- Sample: 0a79157ced6caf940a852fa5163f2e09.ps1
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 0a79157ced6caf940a852fa5163f2e09.ps1
- Resource: win10v2004-20240426-en
General
- Target: 0a79157ced6caf940a852fa5163f2e09.ps1
- Size: 2KB
- MD5: 0a79157ced6caf940a852fa5163f2e09
- SHA1: e4e2145e4dabe073e3437425c5eafc098c9cf3fd
- SHA256: 9fcf01850aba30ee520be8691bd97d9ae58b36ba689fcaace2cc218bb15f54ed
- SHA512: 0494f068a268671b2c71ea7d3321e1c7715b2781fcea79d9dbbdac0b2c0817c049806c270642e99a7ba666392a22e391d48281957e5f1551fe68dc175392e65e
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: powershell.exe (PID 860), powershell.exe (PID 860)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe (PID 860), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (source -> target):
  - PID 860 powershell.exe wrote to memory of PID 3868 csc.exe
  - PID 860 powershell.exe wrote to memory of PID 3868 csc.exe
  - PID 3868 csc.exe wrote to memory of PID 2856 cvtres.exe
  - PID 3868 csc.exe wrote to memory of PID 2856 cvtres.exe
Processes
1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 860)
   Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0a79157ced6caf940a852fa5163f2e09.ps1
   - Command and Scripting Interpreter: PowerShell
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 3868, child of PID 860)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bdpcgszd\bdpcgszd.cmdline"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 2856, child of PID 3868)
         Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39EC.tmp" "c:\Users\Admin\AppData\Local\Temp\bdpcgszd\CSC11138321681D4C5C9AFEBF5380F08F93.TMP"
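The tree above is the shape Windows PowerShell 5.1 produces when a script calls Add-Type with inline C# source: the CodeDom provider writes the source and a response file into a random-named folder under the user's Temp directory, runs csc.exe with /noconfig /fullpaths @"<folder>\<name>.cmdline", and csc.exe in turn runs cvtres.exe to build the resource section, writing it to the /OUT: RES<hex>.tmp path. The WriteProcessMemory pairs (860 -> 3868, 3868 -> 2856) line up with that parent-child creation chain; whether anything beyond compilation happened is not something this report shows. The detector below is an added example for this page, not part of the sandbox output: it rebuilds the parent-child tree from process-creation events, matches a powershell.exe -> csc.exe(@*.cmdline) -> cvtres.exe chain, flags an -ExecutionPolicy bypass on the launcher and a script path under Temp, and extracts the response-file and /OUT: paths an analyst would want to collect (in the sandbox, those are the kind of files that end up under Downloads). The event field names pid, ppid, image and cmdline are an assumption of the example; map them from Sysmon Event ID 1 or Security 4688. The sample events are constructed from the report's own tree plus one unrelated build-tool csc.exe as noise.

```python
"""Flag the Add-Type compile chain (powershell.exe -> csc.exe -> cvtres.exe)
in process-creation telemetry and extract the Temp artifacts to collect.

Added example for this report, not part of the sandbox output. The event
field names (pid, ppid, image, cmdline) are an assumption; map them from
Sysmon Event ID 1 or Security 4688 as appropriate.
"""
import re
from collections import defaultdict

# Constructed sample telemetry: the three processes from the report's tree,
# plus an unrelated csc.exe launched by a build tool so there is noise to skip.
SAMPLE_EVENTS = [
    {"pid": 860, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0a79157ced6caf940a852fa5163f2e09.ps1"},
    {"pid": 3868, "ppid": 860,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bdpcgszd\bdpcgszd.cmdline"'},
    {"pid": 2856, "ppid": 3868,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39EC.tmp" "c:\Users\Admin\AppData\Local\Temp\bdpcgszd\CSC11138321681D4C5C9AFEBF5380F08F93.TMP"'},
    # Noise: a developer build invoking csc.exe with no PowerShell parent.
    {"pid": 5000, "ppid": 1, "image": r"C:\Program Files\dotnet\MSBuild.exe",
     "cmdline": "MSBuild.exe app.csproj"},
    {"pid": 5001, "ppid": 5000,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": "csc.exe /out:app.dll Program.cs"},
]

# CodeDom hands csc.exe a response file: @"<tempdir>\<random>\<random>.cmdline"
RESPONSE_FILE_RE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)
# cvtres.exe writes the compiled resource to the /OUT: path (RES<hex>.tmp)
CVTRES_OUT_RE = re.compile(r'/OUT:([^"\s]+)', re.IGNORECASE)
# PowerShell accepts unambiguous parameter prefixes, so -ep / -ex / -exec
# are equivalent to -ExecutionPolicy on the command line.
EXEC_POLICY_RE = re.compile(r"-e(?:p|x\w*)\s+(?:bypass|unrestricted)", re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path, tolerating surrounding quotes."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_add_type_chains(events):
    """Return one finding per powershell.exe -> csc.exe(@*.cmdline) pair,
    with any cvtres.exe grandchildren and the Temp artifacts to collect."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for ps in events:
        if basename(ps["image"]) != "powershell.exe":
            continue
        for csc in children[ps["pid"]]:
            if basename(csc["image"]) != "csc.exe":
                continue
            rsp = RESPONSE_FILE_RE.search(csc["cmdline"])
            if rsp is None:
                continue  # csc without a response file is not the Add-Type shape
            cvtres = [c for c in children[csc["pid"]] if basename(c["image"]) == "cvtres.exe"]
            artifacts = [rsp.group(1)]
            for c in cvtres:
                out = CVTRES_OUT_RE.search(c["cmdline"])
                if out:
                    artifacts.append(out.group(1))
            findings.append({
                "powershell_pid": ps["pid"],
                "csc_pid": csc["pid"],
                "cvtres_pids": [c["pid"] for c in cvtres],
                # Both raise the score: policy bypass on the launcher, and the
                # script living under the user's Temp folder.
                "execution_policy_bypass": bool(EXEC_POLICY_RE.search(ps["cmdline"])),
                "script_in_temp": bool(TEMP_RE.search(ps["cmdline"])),
                "response_file": rsp.group(1),
                "artifacts": artifacts,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_add_type_chains(SAMPLE_EVENTS):
        print(finding)
```

The response-file match is what separates Add-Type from an ordinary build: csc.exe driven by MSBuild or Visual Studio normally gets its arguments directly, while CodeDom always goes through a .cmdline file in a random Temp subfolder. Collect that folder (source, .cmdline, compiled assembly) and the RES*.tmp before the script cleans up, since the assembly is what actually ran inside the PowerShell process.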
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: d00982e62115f14091b7a99e4625b76c
  SHA1: 5c9acda6db9ca83380f40e8de74881012a01f8b5
  SHA256: 9d7754b6a87dc1c2b4f07f559e8af169bbdfd9b27ae404c40124f223370e3303
  SHA512: edf4cc25301258314deba65c0c27cd0802afb3df11f5cb874dc0c4f4571c1161b7240a61258d0c86ca0ad90826ccf1969d7a3ca498c3308d015c9f7a03c51716
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 3KB
  MD5: d246550512b06c42017194aa74eb2258
  SHA1: abfffc3d97219b4dbbcb2eb9a033a3c4abd3d34f
  SHA256: 9b7c0e0384208c08642885bf580e65ab2fc135de0c2f9b99908f6096da8945f5
  SHA512: fd5c5b0ff7ff051f212fa228b8f7e68df975cbb95b123534f077575650a4db723e3c10edc27bec33933a8070f2127bb9403e330f29ed108a2fa9c7f07d78b5f9
- Filesize: 652B
  MD5: 798d4f1728871d851646bcb49bdceb87
  SHA1: 9d821e373c3a7389150aa8d0b81bbec493476746
  SHA256: 44445fc60871a3746e9b1bea19cdd973983c850789877a971c296f601f8080e6
  SHA512: 74329ff6c6a9ad449101db75e4fca1cbe61f02742f0e20126a0aaea001714baaaddc663cc3da22f493e641dca6721f0caa2ae960c0e071054db2dc3e020b8ea0
- Filesize: 557B
  MD5: 7319070c34daa5f6f2ece2dfc07119ee
  SHA1: f26a4a48518a5608e93c8b77368f588b0433973c
  SHA256: b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc
  SHA512: 34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd
- Filesize: 369B
  MD5: bbcd0e7cc6a3558b6cd2e998df584489
  SHA1: 66cefe2ac5853c0bf2c7f8982feef5b0d6055863
  SHA256: 6207d7a55468deb124d5f78fc33b92f39c0e631ddd963a19f11c6d2130563e11
  SHA512: de7cd4cff8f6a27e81ec0f3b635e5bd6b685ee5559332aeefb4b041bbcb7b9096b7ed1df1220df5f3d0b216275e07732e75545c03d19e0035621db81dc9870b9