73cfce97f633fc65b66744e894cac0dd0dd2fd02db6f15bff1a89e5076f80186

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kl/Modules/Microsoft.PowerShell.Operation.Validation/1.0.1/Test/Modules/Example3.Diagnostics/2.0.1/D.ps1
Size

241B
MD5

af30dcc5efd4c2cfd486789fc8d103d2
SHA1

b2c04a08e7050c36ab3962fc6fadb0bae501a484
SHA256

85ec948f272eec9bbd24030105548d87b3f697002416ac4692e389d315cdd534
SHA512

a1003e5f707892f6f24f6b6bdd9d5f5ef2e340866a8d1d8faea4b5b2d32ae19305a3a29ec5c4fa7dd996b9feaf72887a595d7c37be17782a5bf062688aaf6aff

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1248	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1248	powershell.exe
1248	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1248	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 2552	1248	powershell.exe	83
PID 1248 wrote to memory of 2552	1248	powershell.exe	83
PID 2552 wrote to memory of 1452	2552	csc.exe	84
PID 2552 wrote to memory of 1452	2552	csc.exe	84

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\kl\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\D.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2t0ktzcz\2t0ktzcz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8D3.tmp" "c:\Users\Admin\AppData\Local\Temp\2t0ktzcz\CSCCA4E65B1231244E6BFBC1F34A66EF643.TMP"
    3⤵
    PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2t0ktzcz\2t0ktzcz.dll

Filesize
3KB

MD5
ba12d1ad88e79b322829b5d199c729c3

SHA1
fa93ac0e51ae97dd1b007a48d416b9ecebb188a7

SHA256
da4bdf452a5488e6704d5e435a58895bcfe1d177619e465050db92c81c5a28e8

SHA512
fecab1970efe8bf563cceebfbfb428570c6f8c58d802180b5bd6f95d21ef2943697628f8449ea965e07f7bc4d3cd8cd64dd0d4f704d8e82ffc77300d25f4735b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA8D3.tmp

Filesize
1KB

MD5
77cc2070ba9a2fa8629e381d6482a948

SHA1
6af57fc8eb07e972c25e1617b5acb05ce460da90

SHA256
0e9d49bae80a4141fb3a29637e64f746ef5872b5e3e182fd26aa79dcbd8f4cf4

SHA512
85b5f00c2b775dfaf1fa2c458ac90a3f6733c6266e4c057fa527f78106acf96022531e7edc91bbdd88784579c3faae1db607c6bad069d07df98e57a25dea37bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_spfvz4tt.2li.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2t0ktzcz\2t0ktzcz.0.cs

Filesize
907B

MD5
d98b32865e5bd9376502ce614141b7fa

SHA1
673d622933fbdb9aaafaf847c3cb8f1ce4b18cbc

SHA256
6d21e15bcaebe4b6461790fbe39381ef6dc736eec19a66e80ee15caf4680fe00

SHA512
28f4ec12ba6b47af36e288a81de46ce017144416626c50c4266207f92ac5d4b532691e1ee5a3cf54abc0c567e5cd60fb3d3180e8829cdbfab98013d45377ddb0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2t0ktzcz\2t0ktzcz.cmdline

Filesize
369B

MD5
3f85d34703e119503a66fcf0d287d3fd

SHA1
d841b9b5168c9e0bf3e9cefe0a5dd83d4b63928d

SHA256
9158b3e1c4bd0d9df45c0638db4dc1ff552742114e66fc4ae5a1aa3a220201ab

SHA512
216b7f9a866c465df72e3075162b542f84890fa9abd4172ad9e2fb210ba980c883be0b59537e8adf1eb2900e679f9fde42c80f90a5a713b4cbc194ac9680ae9c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2t0ktzcz\CSCCA4E65B1231244E6BFBC1F34A66EF643.TMP

Filesize
652B

MD5
151ae556ff91122590275726ec14f291

SHA1
e3c9ab411ff7feef64a3657c2f76e2c9814b718d

SHA256
83ca494c5d14cf7a7ed2dc89e3157639cd2415fcc29d186be30ae023d2f5431a

SHA512
cc35116248165914c768dec52ad8b801d8f85505d9cde6acb3a06fed2f09a99e30b21690de425b791fb8ed6c294f87d15e15da9103b47f85687f6d728bb6168c

Download Submit
memory/1248-13-0x0000026EFE7C0000-0x0000026EFE7EA000-memory.dmp

Filesize
168KB

Download
memory/1248-14-0x0000026EFE7C0000-0x0000026EFE7E4000-memory.dmp

Filesize
144KB

Download
memory/1248-12-0x00007FF810C10000-0x00007FF8116D1000-memory.dmp

Filesize
10.8MB

Download
memory/1248-27-0x0000026EFD9C0000-0x0000026EFD9C8000-memory.dmp

Filesize
32KB

Download
memory/1248-4-0x0000026EFE310000-0x0000026EFE332000-memory.dmp

Filesize
136KB

Download
memory/1248-11-0x00007FF810C10000-0x00007FF8116D1000-memory.dmp

Filesize
10.8MB

Download
memory/1248-0-0x00007FF810C13000-0x00007FF810C15000-memory.dmp

Filesize
8KB

Download
memory/1248-29-0x00007FF810C10000-0x00007FF8116D1000-memory.dmp

Filesize
10.8MB

Download
memory/1248-30-0x00007FF810C10000-0x00007FF8116D1000-memory.dmp

Filesize
10.8MB

Download
memory/1248-33-0x00007FF810C10000-0x00007FF8116D1000-memory.dmp

Filesize
10.8MB

Download