Analysis

  • max time kernel: 139s
  • max time network: 113s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 21-05-2024 06:36

General

  • Target: 0a79157ced6caf940a852fa5163f2e09.ps1
  • Size: 2KB
  • MD5: 0a79157ced6caf940a852fa5163f2e09
  • SHA1: e4e2145e4dabe073e3437425c5eafc098c9cf3fd
  • SHA256: 9fcf01850aba30ee520be8691bd97d9ae58b36ba689fcaace2cc218bb15f54ed
  • SHA512: 0494f068a268671b2c71ea7d3321e1c7715b2781fcea79d9dbbdac0b2c0817c049806c270642e99a7ba666392a22e391d48281957e5f1551fe68dc175392e65e

Score: 3/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 1, PID 860)
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0a79157ced6caf940a852fa5163f2e09.ps1
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 2, PID 3868)
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bdpcgszd\bdpcgszd.cmdline"
      • Suspicious use of WriteProcessMemory
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (depth 3, PID 2856)
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39EC.tmp" "c:\Users\Admin\AppData\Local\Temp\bdpcgszd\CSC11138321681D4C5C9AFEBF5380F08F93.TMP"

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES39EC.tmp
    Filesize: 1KB
    MD5: d00982e62115f14091b7a99e4625b76c
    SHA1: 5c9acda6db9ca83380f40e8de74881012a01f8b5
    SHA256: 9d7754b6a87dc1c2b4f07f559e8af169bbdfd9b27ae404c40124f223370e3303
    SHA512: edf4cc25301258314deba65c0c27cd0802afb3df11f5cb874dc0c4f4571c1161b7240a61258d0c86ca0ad90826ccf1969d7a3ca498c3308d015c9f7a03c51716

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vz2lugws.210.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\bdpcgszd\bdpcgszd.dll
    Filesize: 3KB
    MD5: d246550512b06c42017194aa74eb2258
    SHA1: abfffc3d97219b4dbbcb2eb9a033a3c4abd3d34f
    SHA256: 9b7c0e0384208c08642885bf580e65ab2fc135de0c2f9b99908f6096da8945f5
    SHA512: fd5c5b0ff7ff051f212fa228b8f7e68df975cbb95b123534f077575650a4db723e3c10edc27bec33933a8070f2127bb9403e330f29ed108a2fa9c7f07d78b5f9

  • \??\c:\Users\Admin\AppData\Local\Temp\bdpcgszd\CSC11138321681D4C5C9AFEBF5380F08F93.TMP
    Filesize: 652B
    MD5: 798d4f1728871d851646bcb49bdceb87
    SHA1: 9d821e373c3a7389150aa8d0b81bbec493476746
    SHA256: 44445fc60871a3746e9b1bea19cdd973983c850789877a971c296f601f8080e6
    SHA512: 74329ff6c6a9ad449101db75e4fca1cbe61f02742f0e20126a0aaea001714baaaddc663cc3da22f493e641dca6721f0caa2ae960c0e071054db2dc3e020b8ea0

  • \??\c:\Users\Admin\AppData\Local\Temp\bdpcgszd\bdpcgszd.0.cs
    Filesize: 557B
    MD5: 7319070c34daa5f6f2ece2dfc07119ee
    SHA1: f26a4a48518a5608e93c8b77368f588b0433973c
    SHA256: b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc
    SHA512: 34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

  • \??\c:\Users\Admin\AppData\Local\Temp\bdpcgszd\bdpcgszd.cmdline
    Filesize: 369B
    MD5: bbcd0e7cc6a3558b6cd2e998df584489
    SHA1: 66cefe2ac5853c0bf2c7f8982feef5b0d6055863
    SHA256: 6207d7a55468deb124d5f78fc33b92f39c0e631ddd963a19f11c6d2130563e11
    SHA512: de7cd4cff8f6a27e81ec0f3b635e5bd6b685ee5559332aeefb4b041bbcb7b9096b7ed1df1220df5f3d0b216275e07732e75545c03d19e0035621db81dc9870b9

  • memory/860-0-0x00007FF844743000-0x00007FF844745000-memory.dmp (Filesize: 8KB)
  • memory/860-13-0x00007FF844740000-0x00007FF845201000-memory.dmp (Filesize: 10.8MB)
  • memory/860-12-0x00007FF844740000-0x00007FF845201000-memory.dmp (Filesize: 10.8MB)
  • memory/860-11-0x00007FF844740000-0x00007FF845201000-memory.dmp (Filesize: 10.8MB)
  • memory/860-26-0x000001C1FB7D0000-0x000001C1FB7D8000-memory.dmp (Filesize: 32KB)
  • memory/860-1-0x000001C1FC260000-0x000001C1FC282000-memory.dmp (Filesize: 136KB)
  • memory/860-28-0x000001C1FB860000-0x000001C1FB861000-memory.dmp (Filesize: 4KB)
  • memory/860-29-0x00007FF844740000-0x00007FF845201000-memory.dmp (Filesize: 10.8MB)