Overview

overview

10

Static

static

10

0a79157ced...09.ps1

windows7-x64

10

0a79157ced...09.ps1

windows10-2004-x64

3

Analysis

  • max time kernel
    139s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-05-2024 20:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a79157ced6caf940a852fa5163f2e09.ps1

  • Size

    2KB

  • MD5

    0a79157ced6caf940a852fa5163f2e09

  • SHA1

    e4e2145e4dabe073e3437425c5eafc098c9cf3fd

  • SHA256

    9fcf01850aba30ee520be8691bd97d9ae58b36ba689fcaace2cc218bb15f54ed

  • SHA512

    0494f068a268671b2c71ea7d3321e1c7715b2781fcea79d9dbbdac0b2c0817c049806c270642e99a7ba666392a22e391d48281957e5f1551fe68dc175392e65e

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0a79157ced6caf940a852fa5163f2e09.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3496
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2ki4azlc\2ki4azlc.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1888
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C2E.tmp" "c:\Users\Admin\AppData\Local\Temp\2ki4azlc\CSC6CD576748E29434DAA4FEBD8DA44C323.TMP"
        3⤵
          PID:2432

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\2ki4azlc\2ki4azlc.dll
      Filesize

      3KB

      MD5

      dca588d246592eea515eb17790b0b3b6

      SHA1

      ba13c99936bf363b38723a406c098fec8f3460b5

      SHA256

      d89f0e88521fac502fb187eb8ced7c142937a8874380307554dad37d030b945d

      SHA512

      9568f2430743dfab3b8bc44093fb5d504d3c438658afa9a25ff549c5c387ecdd854c5f9e9c899a216fb7e8b9df7bc0b48b75b3e19126e9640d22befdf6dcaffe

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RES3C2E.tmp
      Filesize

      1KB

      MD5

      4121b153ac68ecc6cc48510323e816ef

      SHA1

      06ec5b29e02a46c1d9893fb545d1cf70b9fd56f4

      SHA256

      9624f4f267f785707dd151f80e23cdd5c1ef37eea0b153bde0336c5fc2bc0541

      SHA512

      c61168820ac8642f1eef1302c9dde7bf883db9cac2e139dc83036eaae50a0b88e2287bbf28bab63bd206565ef3c92cb5abe04ad9eac7acf004a79774587752be

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5gib0qx3.mgh.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\2ki4azlc\2ki4azlc.0.cs
      Filesize

      557B

      MD5

      7319070c34daa5f6f2ece2dfc07119ee

      SHA1

      f26a4a48518a5608e93c8b77368f588b0433973c

      SHA256

      b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

      SHA512

      34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\2ki4azlc\2ki4azlc.cmdline
      Filesize

      369B

      MD5

      9a7ba869b958b2b5603a940b49a0c5f5

      SHA1

      de55c660c073f04a8f5e8fe82e9a4c1a0d9f6c39

      SHA256

      7ba01fbec21e18f24aa8d6623ab40985233bddc5fc94855f6826ff51f450818e

      SHA512

      fba081f463cd035df8635f9ad4c809e99db50e05e1bc261479373f1bf7ed5720a366741f02f2ff2052b74a09a5f204b034817434de2891d6cae975d98410baa6

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\2ki4azlc\CSC6CD576748E29434DAA4FEBD8DA44C323.TMP
      Filesize

      652B

      MD5

      6abd745675079cd87990984dfdb37424

      SHA1

      57c5dbb747c7ec4b6f5f1c205d960a888aa4aad5

      SHA256

      878d5d732615e575da82db6ca8728fc57312ff4452699a7d19c89f3791a49d7b

      SHA512

      66810e2c268166fcc792449aad7156658b050c1c87720bc5f048dab1565e1228cc24ed6ac434f0975c55987bd40debdbb1081ff1cd2ee576037b170dec49e38a

      Download Submit
    • memory/3496-11-0x00007FFA50440000-0x00007FFA50F01000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3496-13-0x00007FFA50440000-0x00007FFA50F01000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3496-12-0x00007FFA50440000-0x00007FFA50F01000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3496-26-0x0000019F001A0000-0x0000019F001A8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3496-0-0x00007FFA50443000-0x00007FFA50445000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3496-6-0x0000019F7E3A0000-0x0000019F7E3C2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3496-28-0x0000019F186F0000-0x0000019F186F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3496-29-0x00007FFA50440000-0x00007FFA50F01000-memory.dmp
      Filesize

      10.8MB

      Download