7179b0046a1fdea8844e75514319e3e0e3c3b7b1c0b2b78534cbf883d87df4c4

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 19:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

run.ps1
Size

974B
MD5

c48dca2b2ccabcaada95742c37615c11
SHA1

9288cb2c257faaa088093d6ca7f1b7e15c1daf70
SHA256

7179b0046a1fdea8844e75514319e3e0e3c3b7b1c0b2b78534cbf883d87df4c4
SHA512

985d319386a02206669e2c40abf3059966d06b93fd8bd97c3b351289a33d63ef9debb2d5c76bb26a5db882439b347e61055ed5a564ffcee17f577e60a39ed621

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1948	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1948	powershell.exe
1948	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 3424	1948	powershell.exe	83
PID 1948 wrote to memory of 3424	1948	powershell.exe	83
PID 3424 wrote to memory of 4320	3424	csc.exe	84
PID 3424 wrote to memory of 4320	3424	csc.exe	84

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qj3xpoc1\qj3xpoc1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D0F.tmp" "c:\Users\Admin\AppData\Local\Temp\qj3xpoc1\CSC383BEB699B0E472EB88B3AA4448452BC.TMP"
    3⤵
    PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7D0F.tmp

Filesize
1KB

MD5
ba965b77a04b4ac183a3ddf588c3c70c

SHA1
2cfc838378338730540806c26740569407c2c31a

SHA256
1ade6bff6a2c681f70748e0561380fcf73b530b8a0891f47512ed9e9512d42d1

SHA512
377ee042a561bfa3a28c2cfd6a62d2282d147367060c8fecf0f682c6cb2997e10e18a5fe13038d0ce702265ea225d0839e26d3f2f9ed6306c37a1808c802cc8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_htw3bveh.fk4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qj3xpoc1\qj3xpoc1.dll

Filesize
3KB

MD5
8e8adca7004f11d1787c9b1e7e10c0c6

SHA1
10b7afe8a964ceedbd7be6bd1e5df528e3c38283

SHA256
6fe2880636ef4a0f71e014c0ad12f67fff9a6849c75483c287dca2aad2f56d89

SHA512
fd4196830debc4d83706ed04d695d864a1fc99dc207518a55c450f5e19e0e515d12e9fa1a4922c9372b9765e70fc06459d7de83e06b628a96cdfd6b4b80a73ce

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qj3xpoc1\CSC383BEB699B0E472EB88B3AA4448452BC.TMP

Filesize
652B

MD5
b411a34d477c1656f7ce7b800833f1be

SHA1
85c7eb599dc51322a6294b7851b1300dfd6c2fb7

SHA256
801500e025219ede661aba3cf8c9e77aee3e1746b60758bd876f7b652475c2d2

SHA512
9f323e94cf32f2e71c60cda6772a187aca52c919de3987ba91e7ea11ca7aab0ae563427d7b4ace3a4a925488419f0a328d92eda9b5f063df1da70320f2209bba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qj3xpoc1\qj3xpoc1.0.cs

Filesize
169B

MD5
2f010725190c2a4aed6464a6b07caa28

SHA1
8cdb73dbbfbf61bd612ec83d190a47340591ffe0

SHA256
b366f7a0857ef5ea51c30d49e93c0a75fc0138d57adc1663ac9ef06f0220af26

SHA512
4015fa2e09b48c107de80a91ff1812761994b5505d9c5f17efb4c12f5799f15b350a513d5427ba1dbe9de6105721a301b8c87d52f3d9eafad90dd0d1768fdedd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qj3xpoc1\qj3xpoc1.cmdline

Filesize
369B

MD5
8889ec2e1fc86e5f8783728fd4132ce8

SHA1
b13df452e5311d2748574b919c2e0633cc7dc3e3

SHA256
4c9509cd90821ec1bd7bed4d1309aae1605f914e8735824741b0ca9120d9a7b5

SHA512
da97e53da895021cebe905917aa663a9095c95443d2f7f4036b08329f8cc835713a9315c8dc520f7f76e7ad48a779b7e6ce58d5bd73846c9f125024475e44e27

Download Submit
memory/1948-0-0x00007FFC001D3000-0x00007FFC001D5000-memory.dmp

Filesize
8KB

Download
memory/1948-12-0x00007FFC001D0000-0x00007FFC00C91000-memory.dmp

Filesize
10.8MB

Download
memory/1948-11-0x00007FFC001D0000-0x00007FFC00C91000-memory.dmp

Filesize
10.8MB

Download
memory/1948-6-0x0000028D21690000-0x0000028D216B2000-memory.dmp

Filesize
136KB

Download
memory/1948-25-0x0000028D21890000-0x0000028D21898000-memory.dmp

Filesize
32KB

Download
memory/1948-27-0x00007FFC001D0000-0x00007FFC00C91000-memory.dmp

Filesize
10.8MB

Download
memory/1948-30-0x00007FFC001D0000-0x00007FFC00C91000-memory.dmp

Filesize
10.8MB

Download