Analysis

  • max time kernel
    140s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-10-2024 17:21

General

  • Target

    Night_uac/amsi.ps1

  • Size

    1KB

  • MD5

    ce55b86a579ff526c25fdfeb398fa285

  • SHA1

    134fb6ec72f0123f5111333ca6d4c4a9c125cf67

  • SHA256

    dcc98c13be598654871475b3028f304f2a580b47c9c46531d2793de49f5f8d7d

  • SHA512

    ca4f09c14caee9282006a0a3251b17ab8c5cf3c370b81bb49579437d470d62bcb2b8909c461784d163c57e7ca725ecb1bb86036b401315fd2ff0fedcd8b51f2f

Score
3/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments. In this run both this signature and the one below fire on wermgr.exe (PID 4828), Windows Error Reporting, which is launched with "-outproc" against the powershell.exe PID 4608 and reads these keys while assembling a crash report for it; by themselves they do not show the script fingerprinting the sandbox.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Night_uac\amsi.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4608
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3dijakwu\3dijakwu.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3976
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BF4.tmp" "c:\Users\Admin\AppData\Local\Temp\3dijakwu\CSCF850C0BE91D54B0291AA25A262B8BC5E.TMP"
        3⤵
          PID:3400
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4608" "2248" "2192" "2252" "0" "0" "2256" "0" "0" "0" "0" "0"
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:4828
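The tree above has two things worth recognising on sight. powershell.exe spawning csc.exe with "/noconfig /fullpaths @<random>.cmdline", which in turn spawns cvtres.exe, is exactly what PowerShell's Add-Type produces when it compiles inline C# to a temporary DLL; the 3dijakwu.0.cs, 3dijakwu.cmdline and 3dijakwu.dll entries under Downloads are that compile's artifacts (the 60-byte __PSScriptPolicyTest_*.ps1 file is PowerShell's own startup probe for AppLocker/WDAC script enforcement and is benign). wermgr.exe with "-outproc" and the argument 4608, the PID of the powershell.exe process, is Windows Error Reporting handling a fault in that process. The following is an added example, not part of the sandbox report or of the sample: it rebuilds the tree from constructed process-creation events copied from the report and flags both patterns. The ExecutionPolicy spellings, the Proc record shape and the assumption that the numeric argument two places after "-outproc" is the faulting PID are the example's own.

```python
# Added example (not part of the sandbox report): rebuild the process tree
# above from constructed process-creation events and flag
#   powershell.exe -ExecutionPolicy bypass -> csc.exe /noconfig @x.cmdline -> cvtres.exe
# (the chain PowerShell's Add-Type produces when it compiles inline C#), and
# map a wermgr.exe "-outproc" crash report back to the process it names.
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample: PIDs, images and command lines are copied from the
# report's process tree; no timestamps or users are recorded here.
SAMPLE_EVENTS = [
    Proc(4608, 0, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Night_uac\amsi.ps1"),
    Proc(3976, 4608, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
         r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
         r'@"C:\Users\Admin\AppData\Local\Temp\3dijakwu\3dijakwu.cmdline"'),
    Proc(3400, 3976, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
         r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
         r'"/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BF4.tmp" '
         r'"c:\Users\Admin\AppData\Local\Temp\3dijakwu\CSCF850C0BE91D54B0291AA25A262B8BC5E.TMP"'),
    Proc(4828, 4608, r"C:\Windows\system32\wermgr.exe",
         r'"C:\Windows\system32\wermgr.exe" "-outproc" "0" "4608" "2248" "2192" "2252" "0" "0" "2256" "0" "0" "0" "0" "0"'),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Spellings of -ExecutionPolicy that powershell.exe accepts (assumed set, prefix matching).
_EP_FLAGS = {"-executionpolicy", "-exec", "-ex", "-ep"}


def tokens(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping "quoted" runs together."""
    return [u if u else q for q, u in _TOKEN.findall(cmdline)]


def base(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def powershell_bypass(p: Proc) -> bool:
    """True when p is powershell.exe started with -ExecutionPolicy Bypass."""
    toks = [t.lower() for t in tokens(p.cmdline)]
    return base(p.image) == "powershell.exe" and any(
        t in _EP_FLAGS and i + 1 < len(toks) and toks[i + 1] == "bypass"
        for i, t in enumerate(toks))


def compile_chains(events: list) -> list:
    """One record per csc.exe spawned by powershell.exe with the
    '/noconfig ... @<x>.cmdline' shape that Add-Type's temporary compile uses."""
    procs = {p.pid: p for p in events}
    found = []
    for p in events:
        parent = procs.get(p.ppid)
        if base(p.image) != "csc.exe" or parent is None or base(parent.image) != "powershell.exe":
            continue
        toks = tokens(p.cmdline)
        rsp = [t[1:].strip('"') for t in toks if t.startswith("@")]
        rsp = [r for r in rsp if r.lower().endswith(".cmdline")]
        if "/noconfig" not in (t.lower() for t in toks) or not rsp:
            continue
        found.append({
            "powershell_pid": parent.pid,
            "csc_pid": p.pid,
            "response_file": rsp[0],
            "cvtres": any(base(c.image) == "cvtres.exe" for c in events if c.ppid == p.pid),
            "bypass": powershell_bypass(parent),
        })
    return found


def wer_crashes(events: list) -> dict:
    """wermgr.exe PID -> (PID named after '-outproc', image of that PID or None).
    Assumption: the numeric argument two places after '-outproc' is the faulting
    process (it equals the powershell.exe PID in the report above)."""
    procs = {p.pid: p for p in events}
    out = {}
    for p in events:
        toks = tokens(p.cmdline)
        if base(p.image) != "wermgr.exe" or "-outproc" not in toks:
            continue
        i = toks.index("-outproc")
        if i + 2 < len(toks) and toks[i + 2].isdigit():
            target = int(toks[i + 2])
            image: Optional[str] = base(procs[target].image) if target in procs else None
            out[p.pid] = (target, image)
    return out


if __name__ == "__main__":
    for c in compile_chains(SAMPLE_EVENTS):
        print("Add-Type compile:", c)
    print("WER reports:", wer_crashes(SAMPLE_EVENTS))
```

Run against the sample, compile_chains returns one record (powershell 4608 → csc 3976, cvtres present, ExecutionPolicy Bypass set) and wer_crashes maps wermgr 4828 to powershell.exe 4608. Add-Type compiles are common in legitimate administration scripts, so the chain is a triage pivot rather than a verdict; the WER report is the more useful lead here, since it says the PowerShell process faulted, which in a sandbox run is often what produces a low score and an empty Network section.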

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\3dijakwu\3dijakwu.dll

      Filesize

      3KB

      MD5

      71df1d0c90c3ad75c84aa1000adc9fa3

      SHA1

      318faf5bf597011063c615369a41afab4ef2c1bc

      SHA256

      8c3900788b45c4589a4b219240e745ba3f73026859d299117c49b591088a5db3

      SHA512

      44368b97dd7ffcda052b7bb9afb7dbcd190ab5f759f3a3af9eb3dc507678d208b33cec1aa55de7f232ff243b7fbde8dc013e80f1c6f467cd40cae579cea6fe3d

    • C:\Users\Admin\AppData\Local\Temp\RES8BF4.tmp

      Filesize

      1KB

      MD5

      82d020b9d6f0901deb30cc8e41724671

      SHA1

      bd7dbc6ce56dd9173d910e2eb306c908b1fd72b8

      SHA256

      6d6efd6b0e51748ef48ea38b134b9909c18de535a9a58517f5d1ffcdfe0c579f

      SHA512

      020c3d762e01c4851bc6bd82a11a715fc86ace4dd8c2fab1cd1a49af66de4a693ea1df1111fb10a37593eb3c42b38cbe76ac9ad841e1864654015b7b27d65f98

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ebaez30t.n4h.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • \??\c:\Users\Admin\AppData\Local\Temp\3dijakwu\3dijakwu.0.cs

      Filesize

      331B

      MD5

      885120f66ed400cb844051f3b2509cb7

      SHA1

      1035be96b6ba5e7ed6b5250d097ce2356ef67eae

      SHA256

      cceab02630d3733fc07e880a371093e9e795095817d72283d2197630a44dcc5e

      SHA512

      c85b4d69008954eae90f0f1ccf547c7c1f7fa1df22f08afad15aced1af7e0078e1ae82929dbb03b8a4c2b0ca9c40c813b38de532d5c34261a3f11be3196fe97b

    • \??\c:\Users\Admin\AppData\Local\Temp\3dijakwu\3dijakwu.cmdline

      Filesize

      369B

      MD5

      62400ede862c00acdea7125900590c3b

      SHA1

      9aab4e43dd119a6d5da2a9cf069f3212b3ec2fd6

      SHA256

      5b27669db26f593ade4082a085e1c236ddf54ca4ee0a982c59297bf2f409d5b8

      SHA512

      cddc7d2553467366e6e5c04ba2adb88f45e0786dccfefa3603077dba15805811d074bf5acb1462a7bf339dcc61bc7adc7eb2f6f23b8cede5b14df2a86ae6cfb2

    • \??\c:\Users\Admin\AppData\Local\Temp\3dijakwu\CSCF850C0BE91D54B0291AA25A262B8BC5E.TMP

      Filesize

      652B

      MD5

      8cfbb272cbefd8e09d360671d1a8abbe

      SHA1

      01cd0f10acb959270ed9afaf5a8de1b8dc7170f9

      SHA256

      aa48dee7c98352bf5f5a1c9b4d6508356526f36526b60082e5e5f5dec9098ee8

      SHA512

      d2dee5987fd295b7384b48e63dc26aa84e95fee7c1113e3ba27cfb5185a1338ab141a2e3bcbab92d08ed80a1148c6997dca5a51184faa35eafdd3a6701a6da40

    • memory/4608-11-0x00007FFA2F170000-0x00007FFA2FC31000-memory.dmp

      Filesize

      10.8MB

    • memory/4608-12-0x00007FFA2F170000-0x00007FFA2FC31000-memory.dmp

      Filesize

      10.8MB

    • memory/4608-0-0x00007FFA2F173000-0x00007FFA2F175000-memory.dmp

      Filesize

      8KB

    • memory/4608-25-0x000002BA04D80000-0x000002BA04D88000-memory.dmp

      Filesize

      32KB

    • memory/4608-10-0x000002BA1D760000-0x000002BA1D782000-memory.dmp

      Filesize

      136KB

    • memory/4608-35-0x000002BA1D2A0000-0x000002BA1D4BC000-memory.dmp

      Filesize

      2.1MB

    • memory/4608-36-0x00007FFA2F170000-0x00007FFA2FC31000-memory.dmp

      Filesize

      10.8MB