1ceac12b416b129e0120c1685a03694f612b4dc00420e14d3c7698382c175bd7

Analysis

max time kernel
135s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

code.ps1
Size

1KB
MD5

0511ab9a7dc919cef5127b888d0b5da0
SHA1

49e8cd3f3dbd86d1ecae1188f124112be305ac66
SHA256

1ceac12b416b129e0120c1685a03694f612b4dc00420e14d3c7698382c175bd7
SHA512

0a251c9c53ff6f2fecf758ea0752a4f687719abe14793159ead8f37241bc7c2c79775cac0dd28de413fa94d84fe1a396f657aa3f154e3b456c3b38542a67e275

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4508	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4508	powershell.exe
4508	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4508	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 1168	4508	powershell.exe	85
PID 4508 wrote to memory of 1168	4508	powershell.exe	85
PID 1168 wrote to memory of 3464	1168	csc.exe	86
PID 1168 wrote to memory of 3464	1168	csc.exe	86

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\code.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\43v2g0eb\43v2g0eb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89F0.tmp" "c:\Users\Admin\AppData\Local\Temp\43v2g0eb\CSC28618A2820334ECFA6CC35B84D8C3B.TMP"
    3⤵
    PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\43v2g0eb\43v2g0eb.dll

Filesize
3KB

MD5
18a4ab6dd323d2a7d3327bfe65302052

SHA1
c5cc634295da1f30eaa54b64347f140efd170bc4

SHA256
f1f7b5e5799d8232bc9481bc3fb8f1c4b03794b34cb30576d4ed87dba9ea3453

SHA512
52e277267458c4a5e08e73d06d37b290c62b1fb18c5f1865f052f51a4eeb1b62d3f637cb569548c9e726de2f17575eefd52aa87b193869e194f5960f308a58fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES89F0.tmp

Filesize
1KB

MD5
869ebf17565d8332f22482ff40ea96fc

SHA1
05c948f96ac1b35caad421bb62d31bda4b94dfc1

SHA256
e372fec8dde985965a384ab2a5cc7b7b4b8a2d5afe9cd97f3564c5d9a0991a32

SHA512
97db030ecde329f18563c060e613f100c3172b668c086ce07357f30610b662904c37449fbf96b47e49ec6aff2d21d94ad68e23245b8bd5dfa58cc9901a31e1f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mcfq33wy.233.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\43v2g0eb\43v2g0eb.0.cs

Filesize
489B

MD5
ea6c51ac4ab3cca16440c5a0ccd33f16

SHA1
92f6552fe0189083cd5366a82dc50937da323129

SHA256
e1c966c2408f3da3db0f7b58e927f8300f11cf9e0498d9b5aab8a448221674db

SHA512
254b408666faf0b1837882df623a1a16765e805ffade2a33446b8f32d437be96f20af27b0c18a4d84186ecc1c4fd2fa0a533e2067c19be4da983808e5a497b61

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\43v2g0eb\43v2g0eb.cmdline

Filesize
369B

MD5
6d16ea3258be8f9b016097b0ebb3ea56

SHA1
b6c7bcb1a55c7086d7ff3e19c72058d5f56ae653

SHA256
0a75b51cb27e83a32cbd59491a3ca8c8e1787788b9be2cf31d0c7d3f3ace4c92

SHA512
612fbc69ff20c1cde0c40c5c23b42c95fb17b259ca7fa275620a4127fc40b997d4a7c20eebe8e26a3e35e9130a66c4172b73042d4dcb42d39302eded8f602332

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\43v2g0eb\CSC28618A2820334ECFA6CC35B84D8C3B.TMP

Filesize
652B

MD5
243d74695300e1cf94db444e0f7410d1

SHA1
d0cc20b8603d4f3ac96c23c9a4fb205b7b88d9eb

SHA256
3c7eb9059f60eb7492bacb9ba0a55f74f7699809e11c0b1f99e7342471d957f9

SHA512
5b520f92e10b5c324961751ef927d6cf6ac1fdf14cb44733cc33ca01ec837557ce003651e4a863cce0d19c4d8270757cce6da16352b3fec14308eb096e8d2076

Download Submit
memory/4508-11-0x00007FFDB9DB0000-0x00007FFDBA871000-memory.dmp

Filesize
10.8MB

Download
memory/4508-12-0x00007FFDB9DB0000-0x00007FFDBA871000-memory.dmp

Filesize
10.8MB

Download
memory/4508-0-0x00007FFDB9DB3000-0x00007FFDB9DB5000-memory.dmp

Filesize
8KB

Download
memory/4508-25-0x000001AA7D500000-0x000001AA7D508000-memory.dmp

Filesize
32KB

Download
memory/4508-6-0x000001AA7CAF0000-0x000001AA7CB12000-memory.dmp

Filesize
136KB

Download
memory/4508-27-0x00007FFDB9DB0000-0x00007FFDBA871000-memory.dmp

Filesize
10.8MB

Download
memory/4508-28-0x00007FFDB9DB3000-0x00007FFDB9DB5000-memory.dmp

Filesize
8KB

Download
memory/4508-29-0x00007FFDB9DB0000-0x00007FFDBA871000-memory.dmp

Filesize
10.8MB

Download