3264d09d3a398417226b7d346c2fc4757ffa445373763e2d7c2f18ef6edb2354

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Night_uac/amsi.ps1
Size

1KB
MD5

ab586dd0a3d8dc473e8a12a5a4c6a484
SHA1

247455520a6b3706355e6afc4815fc0fbec331c4
SHA256

e4519785cbdda3fe7f85b3e0ef1bfd0bb857966dcc9fd7e62bd028b04a35cda3
SHA512

898dfc95b3016a8c8ec164ddff5b5b58aa3470802f5cc9265837dc1d4356de251fa256ff6dd130e39399ab24ebe903172dee214fc9b3e36be04d0ef654b9fb20

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1984 powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1984 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1984 powershell.exe

pid	process
1984	powershell.exe

pid	process
1984	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1984	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

powershell.execsc.exe

description	pid	process	target process
PID 1984 wrote to memory of 2504	1984	powershell.exe	csc.exe
PID 1984 wrote to memory of 2504	1984	powershell.exe	csc.exe
PID 1984 wrote to memory of 2504	1984	powershell.exe	csc.exe
PID 2504 wrote to memory of 2684	2504	csc.exe	cvtres.exe
PID 2504 wrote to memory of 2684	2504	csc.exe	cvtres.exe
PID 2504 wrote to memory of 2684	2504	csc.exe	cvtres.exe
PID 1984 wrote to memory of 2772	1984	powershell.exe	wermgr.exe
PID 1984 wrote to memory of 2772	1984	powershell.exe	wermgr.exe
PID 1984 wrote to memory of 2772	1984	powershell.exe	wermgr.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Night_uac\amsi.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-al4cmcs.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE38D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE37C.tmp"
3⤵
PID:2684

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1984" "1160"
2⤵
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-al4cmcs.dll

Filesize
3KB

MD5
8956ec20445bde8bfdafb7960dde7fa9

SHA1
4f7eadfcd99c3a1176d8977d5a326549d410ab36

SHA256
3457c9b9a152458c8f14c2967d44cac2ecac86a8bca5379250c4e2c50b5a6fd8

SHA512
6866998331dad16c30e91dd7694a6d30227b0a1714659581ce257c2e66f32d955ab73dd47718d3bc5b685566e943b988e53ab8b3eb9338ec23d133ae377a98f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\-al4cmcs.pdb

Filesize
7KB

MD5
d03ca50f8459574529127aa7f56d1eaf

SHA1
ea4d4c4962887aa40c382a07841d43472b91aad2

SHA256
d0fcaf2d80110198c97c33bd6dde65b52aeee88e6ae83764e4ff3aebde034585

SHA512
66905eade4b7904a5df10219cc1b443be2f8d7d7e4958f7dc808f6a37115e56bac42171c0b50497787ed3743998af2d6087d596b1a0ceb53a4dfcc0a92842327

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259449735.txt

Filesize
1KB

MD5
bea7b72218fd40d5b5ed18a8da02188f

SHA1
7145406b172898ed54a054e1366cbedc868462d5

SHA256
14650902a9cbc1459860176db323205454e4bc12904295ff0797c79d1195824f

SHA512
f714f3a552b7090a99be6ee5d2001a8d2ac4b7ef7e2d7107ff2672b55bfc24e9fa0d2a90c1468c0be7d440036be42bb248e9fb41a38780b7291299954aa3ef1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE38D.tmp

Filesize
1KB

MD5
a84da4c16338a2e034e33e487d1b91e3

SHA1
288f1426b439289f3448a607c4c318ec7804a404

SHA256
c9087e33d3bc76f7487a4aac1bb309f50ca7ca44bbd700f1837c9020ad847618

SHA512
1b24e2c2f2de7ecb53e4d4730852265ca143ce863b22a6a95b1a15ece75c028dd73109bf039b50d1b8e90bf8869323232ee8aff3c5ddb850e2c14a893ff27cf4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-al4cmcs.0.cs

Filesize
331B

MD5
885120f66ed400cb844051f3b2509cb7

SHA1
1035be96b6ba5e7ed6b5250d097ce2356ef67eae

SHA256
cceab02630d3733fc07e880a371093e9e795095817d72283d2197630a44dcc5e

SHA512
c85b4d69008954eae90f0f1ccf547c7c1f7fa1df22f08afad15aced1af7e0078e1ae82929dbb03b8a4c2b0ca9c40c813b38de532d5c34261a3f11be3196fe97b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-al4cmcs.cmdline

Filesize
309B

MD5
9eac8944c7961b5ea8897e11fd39bd50

SHA1
c3fcc0b37307cae505d3dd86c6f6c15fc7b4bf48

SHA256
c6564720b0d32acd48ce28a11332f40095813840630464fc43459a650cc26c3e

SHA512
40a125fb3274359462d5cfbe3d421daba90197a4a5d2ee45e65f257629afc1ec1a3a2bbac8ae3df716725cc37afabe665ec049b663ecbc2976b26e9705b51997

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE37C.tmp

Filesize
652B

MD5
0d00e248bb272934a3e447c4518697f1

SHA1
effd97fe35e92eea636a351e5822d4e126384dfe

SHA256
c788150050d8c99572b175b42b627cee1c06f4d9384f65894cffd4f1b0333743

SHA512
4d4af69f0d82c05dc594cfc995ecc8abd4248dc8e0516949b8d8e13bd31715e6e30b1022fd553ea0e521dc4f69588ad5d13dac93920622a2e94c9c6543b6637b

Download Submit
memory/1984-8-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/1984-10-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/1984-9-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/1984-4-0x000007FEF5B6E000-0x000007FEF5B6F000-memory.dmp

Filesize
4KB

Download
memory/1984-5-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/1984-26-0x0000000002D00000-0x0000000002D08000-memory.dmp

Filesize
32KB

Download
memory/1984-6-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/1984-7-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/1984-31-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2504-16-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2504-24-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download