3264d09d3a398417226b7d346c2fc4757ffa445373763e2d7c2f18ef6edb2354

Analysis

max time kernel
14s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Night_uac/amsi.ps1
Size

1KB
MD5

ce55b86a579ff526c25fdfeb398fa285
SHA1

134fb6ec72f0123f5111333ca6d4c4a9c125cf67
SHA256

dcc98c13be598654871475b3028f304f2a580b47c9c46531d2793de49f5f8d7d
SHA512

ca4f09c14caee9282006a0a3251b17ab8c5cf3c370b81bb49579437d470d62bcb2b8909c461784d163c57e7ca725ecb1bb86036b401315fd2ff0fedcd8b51f2f

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1956 powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1956 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1956 powershell.exe

pid	process
1956	powershell.exe

pid	process
1956	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1956	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

powershell.execsc.exe

description	pid	process	target process
PID 1956 wrote to memory of 2760	1956	powershell.exe	csc.exe
PID 1956 wrote to memory of 2760	1956	powershell.exe	csc.exe
PID 1956 wrote to memory of 2760	1956	powershell.exe	csc.exe
PID 2760 wrote to memory of 2912	2760	csc.exe	cvtres.exe
PID 2760 wrote to memory of 2912	2760	csc.exe	cvtres.exe
PID 2760 wrote to memory of 2912	2760	csc.exe	cvtres.exe
PID 1956 wrote to memory of 2764	1956	powershell.exe	wermgr.exe
PID 1956 wrote to memory of 2764	1956	powershell.exe	wermgr.exe
PID 1956 wrote to memory of 2764	1956	powershell.exe	wermgr.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Night_uac\amsi.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ved8ly5c.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E1A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3E19.tmp"
3⤵
PID:2912

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1956" "1152"
2⤵
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259537363.txt

Filesize
1KB

MD5
81e1e61b0fe34fddc4065158a47a0549

SHA1
40aa0dff66d2344cb32935afff609d23739e3dc9

SHA256
23a93eb6aa257f66280e98d1c3e559179658b4ce5d6bb429b99be78005d61b20

SHA512
5f8adb4dec7e7f3272fc9c52ecc23407ea3c41c9b99f4fc818ad9cacba9b571505a4780d63d98193dd4f1757f2339961416137be7727c5e046418439d5741da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3E1A.tmp

Filesize
1KB

MD5
4f8ff0fef7bcbe6dcb3ad83c2bb27301

SHA1
936b1b98ea59208e55959a9aad46e09704c93123

SHA256
0558d071430b0e2d5b41f72075abb6c06c204fce45d3dfa3dfa11301ffaba745

SHA512
034477bcb4f3a39893b058378160e4047675f168f0759f13464ee4f30d7dd72a706073daa62d34c919b9fabceb72cb19adcf40253ce9b467e62cf4fa3a7ac2e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ved8ly5c.dll

Filesize
3KB

MD5
4d279f1c0351b35e5515ca5d4153cd35

SHA1
150002c9fb4dc253797038ceb5c05c7a09a70e54

SHA256
31f3397fc45bbabf4d75a006c79331138c026ed1e761071d865104173eb3644d

SHA512
1cee4b1af5d7c701f14e63196a6f0d7034405166f314b92a856138291978174c91935baeb285d0216f40c6277e5cdceced9f0af9044641594847b3aebc70d37d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ved8ly5c.pdb

Filesize
7KB

MD5
e629529d4756eb3bb885e2fd3d9bc8e3

SHA1
b4ade120cc55d8ddace40172becc4423ff4f8b8a

SHA256
f07c3241516c05fd938c514b63c9a43f33cd69b2ec06988756bb74c63d7d79e5

SHA512
9a4937a28faebd154d5250d7a5c34cefff597da4ed47fcd2980371a8d563a2737e6046c43243dd3b3678a4ffa08470663bff0b06fb291eb66913a9b34b769f8a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3E19.tmp

Filesize
652B

MD5
bd37116a98a73275096bc1c6d05fb63e

SHA1
afe30256f4abec8b32a04b81e054c44d9c5a4483

SHA256
e1cc51bc3b03e1735039518c256cf921a023fd030b489f75641ccf2eccd39f32

SHA512
a7a12d49f6132c29ad8bf03e25bfb0ccacd2c82bfa45a8901af7dbfe223a03209beac34c5f6f17ff7db4fb68e3583b6ebf2ec3df3fcb4a2991573cb7e74118f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ved8ly5c.0.cs

Filesize
331B

MD5
885120f66ed400cb844051f3b2509cb7

SHA1
1035be96b6ba5e7ed6b5250d097ce2356ef67eae

SHA256
cceab02630d3733fc07e880a371093e9e795095817d72283d2197630a44dcc5e

SHA512
c85b4d69008954eae90f0f1ccf547c7c1f7fa1df22f08afad15aced1af7e0078e1ae82929dbb03b8a4c2b0ca9c40c813b38de532d5c34261a3f11be3196fe97b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ved8ly5c.cmdline

Filesize
309B

MD5
bbe74f7ff6b2a8d1b89aa8af1453cbb8

SHA1
84bbf68ec18f4c173a8b395e57e0f0ecd61cd735

SHA256
db994cba92ba5c407c90462c84561971b3a6b193d0404a8d6861d4a192b0b20d

SHA512
92b561538019b98592b8844cfc187e2616cab81053d39f2dc20c0d1e057829cff3b305b38f191a6c2e1a0e3ffb31726cd58f6bf79c0c81276a38e4f7c9aaa7e2

Download Submit
memory/1956-8-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/1956-13-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/1956-24-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/1956-4-0x000007FEF610E000-0x000007FEF610F000-memory.dmp

Filesize
4KB

Download
memory/1956-29-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/1956-30-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/1956-7-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/1956-22-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/1956-5-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/1956-6-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download