Overview

overview

10

Static

static

10

AnyDesk.exe

windows7-x64

1

AnyDesk.exe

windows10-2004-x64

1

Archevod_XWorm.exe

windows7-x64

10

Archevod_XWorm.exe

windows10-2004-x64

10

ClickMe.lnk

windows7-x64

8

ClickMe.lnk

windows10-2004-x64

8

Cmstp.bat

windows7-x64

10

Cmstp.bat

windows10-2004-x64

10

GoogleChrome.exe

windows7-x64

10

GoogleChrome.exe

windows10-2004-x64

10

Hidden_Und...on.ps1

windows7-x64

8

Hidden_Und...on.ps1

windows10-2004-x64

8

Hidden_magic.vbs

windows7-x64

3

Hidden_magic.vbs

windows10-2004-x64

7

Manage.bat

windows7-x64

1

Manage.bat

windows10-2004-x64

1

Night_uac/...in.ps1

windows7-x64

8

Night_uac/...in.ps1

windows10-2004-x64

8

Night_uac/...ge.ps1

windows7-x64

8

Night_uac/...ge.ps1

windows10-2004-x64

8

Night_uac/...gen.py

windows7-x64

3

Night_uac/...gen.py

windows10-2004-x64

3

Night_uac/amsi.ps1

windows7-x64

3

Night_uac/amsi.ps1

windows10-2004-x64

3

Night_uac/amsi.ps1

windows7-x64

3

Night_uac/amsi.ps1

windows10-2004-x64

3

Night_uac/command.ps1

windows7-x64

3

Night_uac/command.ps1

windows10-2004-x64

3

Night_uac/down.ps1

windows7-x64

8

Night_uac/down.ps1

windows10-2004-x64

8

Night_uac/...gp.ps1

windows7-x64

3

Night_uac/...gp.ps1

windows10-2004-x64

3

Analysis

  • max time kernel
    14s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 17:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Night_uac/amsi.ps1

  • Size

    1KB

  • MD5

    ce55b86a579ff526c25fdfeb398fa285

  • SHA1

    134fb6ec72f0123f5111333ca6d4c4a9c125cf67

  • SHA256

    dcc98c13be598654871475b3028f304f2a580b47c9c46531d2793de49f5f8d7d

  • SHA512

    ca4f09c14caee9282006a0a3251b17ab8c5cf3c370b81bb49579437d470d62bcb2b8909c461784d163c57e7ca725ecb1bb86036b401315fd2ff0fedcd8b51f2f

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Night_uac\amsi.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ved8ly5c.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E1A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3E19.tmp"
        3⤵
          PID:2912
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "1956" "1152"
        2⤵
          PID:2764

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259537363.txt
        Filesize

        1KB

        MD5

        81e1e61b0fe34fddc4065158a47a0549

        SHA1

        40aa0dff66d2344cb32935afff609d23739e3dc9

        SHA256

        23a93eb6aa257f66280e98d1c3e559179658b4ce5d6bb429b99be78005d61b20

        SHA512

        5f8adb4dec7e7f3272fc9c52ecc23407ea3c41c9b99f4fc818ad9cacba9b571505a4780d63d98193dd4f1757f2339961416137be7727c5e046418439d5741da8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES3E1A.tmp
        Filesize

        1KB

        MD5

        4f8ff0fef7bcbe6dcb3ad83c2bb27301

        SHA1

        936b1b98ea59208e55959a9aad46e09704c93123

        SHA256

        0558d071430b0e2d5b41f72075abb6c06c204fce45d3dfa3dfa11301ffaba745

        SHA512

        034477bcb4f3a39893b058378160e4047675f168f0759f13464ee4f30d7dd72a706073daa62d34c919b9fabceb72cb19adcf40253ce9b467e62cf4fa3a7ac2e1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ved8ly5c.dll
        Filesize

        3KB

        MD5

        4d279f1c0351b35e5515ca5d4153cd35

        SHA1

        150002c9fb4dc253797038ceb5c05c7a09a70e54

        SHA256

        31f3397fc45bbabf4d75a006c79331138c026ed1e761071d865104173eb3644d

        SHA512

        1cee4b1af5d7c701f14e63196a6f0d7034405166f314b92a856138291978174c91935baeb285d0216f40c6277e5cdceced9f0af9044641594847b3aebc70d37d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ved8ly5c.pdb
        Filesize

        7KB

        MD5

        e629529d4756eb3bb885e2fd3d9bc8e3

        SHA1

        b4ade120cc55d8ddace40172becc4423ff4f8b8a

        SHA256

        f07c3241516c05fd938c514b63c9a43f33cd69b2ec06988756bb74c63d7d79e5

        SHA512

        9a4937a28faebd154d5250d7a5c34cefff597da4ed47fcd2980371a8d563a2737e6046c43243dd3b3678a4ffa08470663bff0b06fb291eb66913a9b34b769f8a

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\CSC3E19.tmp
        Filesize

        652B

        MD5

        bd37116a98a73275096bc1c6d05fb63e

        SHA1

        afe30256f4abec8b32a04b81e054c44d9c5a4483

        SHA256

        e1cc51bc3b03e1735039518c256cf921a023fd030b489f75641ccf2eccd39f32

        SHA512

        a7a12d49f6132c29ad8bf03e25bfb0ccacd2c82bfa45a8901af7dbfe223a03209beac34c5f6f17ff7db4fb68e3583b6ebf2ec3df3fcb4a2991573cb7e74118f3

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\ved8ly5c.0.cs
        Filesize

        331B

        MD5

        885120f66ed400cb844051f3b2509cb7

        SHA1

        1035be96b6ba5e7ed6b5250d097ce2356ef67eae

        SHA256

        cceab02630d3733fc07e880a371093e9e795095817d72283d2197630a44dcc5e

        SHA512

        c85b4d69008954eae90f0f1ccf547c7c1f7fa1df22f08afad15aced1af7e0078e1ae82929dbb03b8a4c2b0ca9c40c813b38de532d5c34261a3f11be3196fe97b

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\ved8ly5c.cmdline
        Filesize

        309B

        MD5

        bbe74f7ff6b2a8d1b89aa8af1453cbb8

        SHA1

        84bbf68ec18f4c173a8b395e57e0f0ecd61cd735

        SHA256

        db994cba92ba5c407c90462c84561971b3a6b193d0404a8d6861d4a192b0b20d

        SHA512

        92b561538019b98592b8844cfc187e2616cab81053d39f2dc20c0d1e057829cff3b305b38f191a6c2e1a0e3ffb31726cd58f6bf79c0c81276a38e4f7c9aaa7e2

        Download Submit

      • memory/1956-8-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1956-13-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1956-24-0x00000000029E0000-0x00000000029E8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1956-4-0x000007FEF610E000-0x000007FEF610F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1956-29-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1956-30-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1956-7-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1956-22-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1956-5-0x000000001B590000-0x000000001B872000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1956-6-0x0000000002040000-0x0000000002048000-memory.dmp

        Filesize

        32KB

        Download