66032c4b3b0d37d76bb06b0d34bb3c75f106df2d30e5085b3bd36f8ac985a0a1

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kematian-Stealer-main/frontend-src/webcam.ps1
Size

6KB
MD5

75846ce1e77e07545629a87ac9bc4a2b
SHA1

d27af6c792327bf5832148c6797cd88dac333baa
SHA256

b94954783a3a0c42d37cd001fce737c66790f69d3566ab7aa3fcbca8e1bb5536
SHA512

6e559aba3fab78186b75ba9b393b919caf2890e2184343473eca8fdb59d6f143c978ad892ca99e85a3bb8de9d04366752a3f137aea13502b76951560d80e6846
SSDEEP

96:iPL4W84Ji4AnzvN0OpVDUNKMiNjHJ4OY492VXyNbEqbIQH9idwO3Kglh:isqHeVRV4oMiNjHJu/VCNIgH9MwO3Kyh

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2056	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2056	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2612	2056	powershell.exe	29
PID 2056 wrote to memory of 2612	2056	powershell.exe	29
PID 2056 wrote to memory of 2612	2056	powershell.exe	29
PID 2612 wrote to memory of 2688	2612	csc.exe	30
PID 2612 wrote to memory of 2688	2612	csc.exe	30
PID 2612 wrote to memory of 2688	2612	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Kematian-Stealer-main\frontend-src\webcam.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xo_yqmbw.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES250F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC250E.tmp"
    3⤵
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES250F.tmp

Filesize
1KB

MD5
cc8b20aba233536ea4ae1558105b0ca5

SHA1
ae3e7360d590610a974ee5c2c03caf88c505b137

SHA256
5ab6ccda0b3e00b322a70a326e7f1d3ddaa4afec23de42d5012c33d079fc1bed

SHA512
cd3282ad36741517b4f1feb0e2d5b88b83902cef2340a09834c3b8a83fbbbdf18a66cae762c6b1a3429d1d9e9b2a90a5d181a6c16e8136ec3a8656bc48897301

Download Submit
C:\Users\Admin\AppData\Local\Temp\xo_yqmbw.dll

Filesize
6KB

MD5
92534f020b8c8953d0cf1365df75e6be

SHA1
bc68621eae220637fe2272d2173fccf32c7f41fa

SHA256
8063bea5674afe0943761b209dc437059b29f905cf814303df48aae6e7637404

SHA512
406d146a67caa2deb0f1300f4beeb1ffb3625028505f34fd9b105d48c665cde02fb5018cc4c37c7659e77bb751c59671058f909b15a05f23e0c3e80aaff6783c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xo_yqmbw.pdb

Filesize
15KB

MD5
9ad71a5a0f6704db55c10eb4a8b45396

SHA1
bf8923a409ad8aa8213f8523054663e93f45b985

SHA256
4254b6facb5f529a8cea21ed40d0a01ab827ba5edca8319e39371eed5eb0c42c

SHA512
273b85406858e5ab1b92f0907eeb35859878186c34bc78c616e96db33b7308ff0aec8386d1572ab93b88780e25fec66518117726984274a3a09c653652228213

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC250E.tmp

Filesize
652B

MD5
f92a6e34596564173c7d994f7f9f7cee

SHA1
8235032231307da5c157e38fcec571056317bd01

SHA256
83b95280b235ef0cd9d4bc89ec789b4834dbb9ee6b80d63df9b1a10960fdf356

SHA512
34470234b3c0171bf176523a6b25df55967f5615d3527c318775960ae7561211ef8b0ec6b00b2c0a357b803de6d1882790d9e8b95f1a7a06edc446730a61dbb0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xo_yqmbw.0.cs

Filesize
4KB

MD5
2a829317f65fea84eb85cb2376fa9e21

SHA1
2f223ea8738f9989385e93b9c8cf0e8fc5e30700

SHA256
f99c46f447010a438586651fcdf9068394926247bf7656980fee066b2069fe8f

SHA512
a438c35327297431df19fe50683619f78ea0245bb8d3aa7553c376c365b927747d8cb8343fc2cfb4de884dad4eb6166589afc98eba385137bb3405998838ace0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xo_yqmbw.cmdline

Filesize
595B

MD5
93f1802e74bc5671c0a8dc451424bde6

SHA1
3cc33d41a57b1253827ae9ef4bfbf25048cafb88

SHA256
ca01bb47fc4b9d4f452f68d1ae63b166a591258de06f109049d7041570b9267a

SHA512
5a010acc854460762a688828bd22b1b5cbd9bfd41c4806e7975d38341feb69817b626da606579be5656521169de266afc0f490638d7e3a219767a8399680dc33

Download Submit
memory/2056-8-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/2056-6-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2056-4-0x000007FEF5D1E000-0x000007FEF5D1F000-memory.dmp

Filesize
4KB

Download
memory/2056-11-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/2056-10-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/2056-5-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2056-27-0x0000000002AC0000-0x0000000002AC8000-memory.dmp

Filesize
32KB

Download
memory/2056-9-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/2056-7-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/2056-30-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/2612-17-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download
memory/2612-25-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

Filesize
9.6MB

Download