Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-10-2024 17:21

General

  • Target

    Night_uac/amsi.ps1

  • Size

    1KB

  • MD5

    ab586dd0a3d8dc473e8a12a5a4c6a484

  • SHA1

    247455520a6b3706355e6afc4815fc0fbec331c4

  • SHA256

    e4519785cbdda3fe7f85b3e0ef1bfd0bb857966dcc9fd7e62bd028b04a35cda3

  • SHA512

    898dfc95b3016a8c8ec164ddff5b5b58aa3470802f5cc9265837dc1d4356de251fa256ff6dd130e39399ab24ebe903172dee214fc9b3e36be04d0ef654b9fb20

Score
3/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Night_uac\amsi.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1kgn4znx\1kgn4znx.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3436
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9AAA.tmp" "c:\Users\Admin\AppData\Local\Temp\1kgn4znx\CSCA24E535DA624FD6AB9E529C92B4EB7.TMP"
        3⤵
        PID:3248
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2300" "2164" "2116" "2168" "0" "0" "2172" "0" "0" "0" "0" "0"
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:2736

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1kgn4znx\1kgn4znx.dll

      Filesize

      3KB

      MD5

      774852929bd59975162f74217de4d7b9

      SHA1

      b839bc8019257000677a7ea1654948f2a624f33e

      SHA256

      8fc229c350f12732ee3e46898029b12c0a4c7ce4e759c5ab1d6be3b1836ce9f6

      SHA512

      fb6b54e4e53cc05e67065b43dd7ce28ab32f01a5c8ad3071e03d5cfc51477ddef90bc29460b723b93a8fd0e4232a22e99b8c27e49e9a4d7952875f424b431a35

    • C:\Users\Admin\AppData\Local\Temp\RES9AAA.tmp

      Filesize

      1KB

      MD5

      bb1e34500d9df0cc59452d5c5a4e00c0

      SHA1

      fa0cbeceb66b538b1640d3bbca61a5b87c28df0a

      SHA256

      2c5c944bd8f35b20a0a7ab222ee8d05498c0a42d2932e03e9bd0cf3fbd7bda11

      SHA512

      931fb5f3f51e753ac72b0ab8ea2a173f6de4c6f804facfb8ebdcbc8868814c02f329e915c6dd38c2a5ef06725aaba1c220cb57645e378013bc2e700270f26e28

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o1m3wohf.h13.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • \??\c:\Users\Admin\AppData\Local\Temp\1kgn4znx\1kgn4znx.0.cs

      Filesize

      331B

      MD5

      885120f66ed400cb844051f3b2509cb7

      SHA1

      1035be96b6ba5e7ed6b5250d097ce2356ef67eae

      SHA256

      cceab02630d3733fc07e880a371093e9e795095817d72283d2197630a44dcc5e

      SHA512

      c85b4d69008954eae90f0f1ccf547c7c1f7fa1df22f08afad15aced1af7e0078e1ae82929dbb03b8a4c2b0ca9c40c813b38de532d5c34261a3f11be3196fe97b

    • \??\c:\Users\Admin\AppData\Local\Temp\1kgn4znx\1kgn4znx.cmdline

      Filesize

      369B

      MD5

      7819f0b71a42a9ad1c9eb38205ecec7d

      SHA1

      79d5b7aad9dca5fd1db46b2c81d53bd43088a534

      SHA256

      0b0f4c7931edbd36b7b7bb9d9d486dfb6ed58ded3d755f821852d0de0939fb77

      SHA512

      345eb41db9af4abf049c64afc51b6c52d4e533c6d117f839887ed2789d9dea2eb0c884f57e118bd6b7d7f6d7cf68a313ac356aa2e00b02451105feb2af8edad9

    • \??\c:\Users\Admin\AppData\Local\Temp\1kgn4znx\CSCA24E535DA624FD6AB9E529C92B4EB7.TMP

      Filesize

      652B

      MD5

      132513abd7206a3d33e935d35ef1131e

      SHA1

      031722eaaa930674a67b745bcd56cfaf47178a7d

      SHA256

      aeb870c2a6de119f1e7e9ec900b5a373ebf960408095d5a344483c8e197dd5e8

      SHA512

      383cf63c24dbddfaee7d748ef8f8ebca6f8839bd28a803257c688bb2d814fb2afa7406d0c19cc458883df120e7e56356f7386caf69ebf6a62ba89bd9daea0045

    • memory/2300-0-0x00007FFB28113000-0x00007FFB28115000-memory.dmp

      Filesize

      8KB

    • memory/2300-1-0x0000023ABFE50000-0x0000023ABFE72000-memory.dmp

      Filesize

      136KB

    • memory/2300-11-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp

      Filesize

      10.8MB

    • memory/2300-12-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp

      Filesize

      10.8MB

    • memory/2300-25-0x0000023AA58E0000-0x0000023AA58E8000-memory.dmp

      Filesize

      32KB

    • memory/2300-35-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp

      Filesize

      10.8MB