73cfce97f633fc65b66744e894cac0dd0dd2fd02db6f15bff1a89e5076f80186

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kl/Modules/Microsoft.PowerShell.Operation.Validation/1.0.1/Test/Microsoft.PowerShell.Operation.Validation.Tests.ps1
Size

4KB
MD5

030135152a7966a4323acd4f065bb925
SHA1

a1c3eeef3992e9f5b0b0c3a1057902b98f1c141b
SHA256

1c469a57bf49a7995f211c035f244d1fa538424cf2937006b85f20d46cc4a0d8
SHA512

f92e905d95e4adac298d755bbe884cc61ab97208dcddc2a74aa18b57bcbc4aba4de1c91037ecc6ac8f2ea59993a11a82169b6928ec6b10d913d2c0d2c0153309
SSDEEP

96:7YrzsszsyzsaKzsBHmL46kygP4JLBgLOzsf9zsdhQnnJo9zsQSAzsMvxzsDc:88z5aBHg46kyE4JLB6Nf2dmnnS2QKgig

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
244	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
244	powershell.exe
244	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	244	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 244 wrote to memory of 4324	244	powershell.exe	85
PID 244 wrote to memory of 4324	244	powershell.exe	85
PID 4324 wrote to memory of 3332	4324	csc.exe	86
PID 4324 wrote to memory of 3332	4324	csc.exe	86

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\kl\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Microsoft.PowerShell.Operation.Validation.Tests.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0nqezr43\0nqezr43.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES972F.tmp" "c:\Users\Admin\AppData\Local\Temp\0nqezr43\CSC55054FC049E845F5BD18DD43C227D4F1.TMP"
    3⤵
    PID:3332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0nqezr43\0nqezr43.dll

Filesize
3KB

MD5
f956d24425723496186c1c0c622c5de8

SHA1
fd432a9bf30d29485cbfe0bc33aaabc676d34ea7

SHA256
0ed4cef7c711d02b20e6486f42626daae83198f9890b51e7cb522c9be5bfe7ff

SHA512
5bded02a3ec5e77441c7fa4a3847b0b39c83570ca0160ad240ae26a60bdca98382cdef43ee85592ffe1198f5d5a3e0e4d17b1f89a9adbef0a454706d95010c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES972F.tmp

Filesize
1KB

MD5
f984002c6dc7ea45c0b439f3440ef688

SHA1
f5a9c9989dd4ece9dc28555cdca7db4b4216bcb5

SHA256
bdcba843929a6338cc57295bacc005ffa3d726069b1d4bff8edf18eb53b940fc

SHA512
d665aa45b712ed59e92f4c0ed4a5b603ef357a4e18ca11f2cb10507cf4305a14a78e05d93a994e3b3ba5b50c9a2781ac53903a88fac467db1208fdd71bfe69a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0krtnbx2.rau.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0nqezr43\0nqezr43.0.cs

Filesize
907B

MD5
d98b32865e5bd9376502ce614141b7fa

SHA1
673d622933fbdb9aaafaf847c3cb8f1ce4b18cbc

SHA256
6d21e15bcaebe4b6461790fbe39381ef6dc736eec19a66e80ee15caf4680fe00

SHA512
28f4ec12ba6b47af36e288a81de46ce017144416626c50c4266207f92ac5d4b532691e1ee5a3cf54abc0c567e5cd60fb3d3180e8829cdbfab98013d45377ddb0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0nqezr43\0nqezr43.cmdline

Filesize
369B

MD5
0135d74205874652121b9ee761667e09

SHA1
2b1bfd1450995c1889417bb519202acc5a610606

SHA256
b20dc3c31b17960cf56958c62dd45f8f91e5663f2988b1dc38ea86d96efce18c

SHA512
2f1090dac50dd9bfeee020a1739c06223d70736e6d547eed353e1dc0ea650c8c4f205d1995ad1ad8e32552d52c09817751ebe92066655ab0839edfb260137ce6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0nqezr43\CSC55054FC049E845F5BD18DD43C227D4F1.TMP

Filesize
652B

MD5
5269024b3b8f8982bae3fd4f071eee85

SHA1
c48deba20477608b9a0e0a910d9662076a991bcd

SHA256
e3b9eacf4a9096cb000bd0feb55c16e28646e3e1b32f7b718a9881cadea9e231

SHA512
46205bc814a34b21a4b8ce1122f26eec93bb412c6e259dd19f57df8788690e90e321275412288bd97afa94bfe50fcbeafafea64cd3c0c4a2789899835decd6c6

Download Submit
memory/244-12-0x00007FFC10370000-0x00007FFC10E31000-memory.dmp

Filesize
10.8MB

Download
memory/244-13-0x00000220F30B0000-0x00000220F30DA000-memory.dmp

Filesize
168KB

Download
memory/244-14-0x00000220F30B0000-0x00000220F30D4000-memory.dmp

Filesize
144KB

Download
memory/244-0-0x00007FFC10373000-0x00007FFC10375000-memory.dmp

Filesize
8KB

Download
memory/244-11-0x00007FFC10370000-0x00007FFC10E31000-memory.dmp

Filesize
10.8MB

Download
memory/244-1-0x00000220DA030000-0x00000220DA052000-memory.dmp

Filesize
136KB

Download
memory/244-27-0x00000220DA170000-0x00000220DA178000-memory.dmp

Filesize
32KB

Download
memory/244-29-0x00007FFC10370000-0x00007FFC10E31000-memory.dmp

Filesize
10.8MB

Download
memory/244-30-0x00007FFC10370000-0x00007FFC10E31000-memory.dmp

Filesize
10.8MB

Download
memory/244-33-0x00007FFC10370000-0x00007FFC10E31000-memory.dmp

Filesize
10.8MB

Download
memory/244-34-0x00007FFC10370000-0x00007FFC10E31000-memory.dmp

Filesize
10.8MB

Download