037289c207c8e229d728f247c2d7eb1459fb4413fcd4fe662f74c711169a1e08

Analysis

max time kernel
14s
max time network
62s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20/03/2025, 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

void/469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b.ps1
Size

951B
MD5

991bfc052219f7e9b6e77e2268c08947
SHA1

c6e8df55948ed92caa0401c28dfeb474c02136ef
SHA256

469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b
SHA512

bf7a963c06de9f3f66eb568f94bdeda1ea0236c39d8db768e7ecb942018fc1d7effc42295acebb114b7f40bdae5d72756eb1413d7221577bf202051fb7123fd4

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2140	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
3	2140	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2140	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2140	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2868	2140	powershell.exe	30
PID 2140 wrote to memory of 2868	2140	powershell.exe	30
PID 2140 wrote to memory of 2868	2140	powershell.exe	30
PID 2868 wrote to memory of 2816	2868	csc.exe	31
PID 2868 wrote to memory of 2816	2868	csc.exe	31
PID 2868 wrote to memory of 2816	2868	csc.exe	31

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\void\469a30082aeff1c7367a5c98d83d4230947500771e86738903a026859f870f1b.ps1
1⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\urpfnc-e.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5AC.tmp"
    3⤵
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5BC.tmp

Filesize
1KB

MD5
3cd94c3842f886b5d8b3a26a0d3e4965

SHA1
a6f82c89d0dce30bcf88d73086c1b2969d4493cc

SHA256
484dfdd0580577bab9403a8a410b84bb1a6a439830534cbfa4dd267d4fde4ed2

SHA512
9f3893eb0bccf68ea10680820ba0fa38815de67e76248473511bc3da0d182b076db2ef6409771ea9377c6e521223a077fae39e61d53d623467bb66f8367c541f

Download Submit
C:\Users\Admin\AppData\Local\Temp\urpfnc-e.dll

Filesize
3KB

MD5
015e29073974a42a9d4e73fbd538dd75

SHA1
33dda4d07fe35f50e8e33034df48af6f0dbdb531

SHA256
89ed7d5cbbb641a3c4cb882de2cc5b9dc11021452b998bf24ef12ce458fdfd97

SHA512
a0bc0f5d094faf436910029b5e2123a807a071aaa6ecc485fd79b70f984777ccac06cee913654bc79326256845b8514258d05c9364aae7fd22231edfa2de438c

Download Submit
C:\Users\Admin\AppData\Local\Temp\urpfnc-e.pdb

Filesize
7KB

MD5
58e3934a88a4063d1fe20d8be171b890

SHA1
282d44966482fcb5acab79208b4d7fb6111e40d2

SHA256
ddb96276b99ec418c052ff613e1d46c1c842a09071b6958487fa49773c25c5e9

SHA512
8de909b7c6fc8a7c42843c864b094cdea835e24777f75bc3a0329d6ec3e88aef6febe7f8894f0f6ced77afd05cafc6513496e1c5111d346e3cc691c323f7174e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5AC.tmp

Filesize
652B

MD5
6f2b05888f6cb305db3806aaa3986e27

SHA1
05d7dcb87485713d8aa386033e979f92d3e8e073

SHA256
5228d2482dfac8f915c136e43d55772143772b90f661ea8569a77559d8755d6d

SHA512
8669cf43352ab10cb0727df89fe1e50ee7a3e2ed6277776f3c8eaa389cf2e2bda708680f6b183cf5c21b03ca234b03e376c345c0492530411ef118ad4f9315ea

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\urpfnc-e.0.cs

Filesize
470B

MD5
fc199e95b98fd2bef9dc8c75ac49fd5c

SHA1
389c49f099b5da6b47d07e9de292d553c6713f83

SHA256
c443f29fb2f6d18f4cb0813c178248952b8856a8e27a157ce046e7eecd99604f

SHA512
07b4af2f464e011646d0deb2bd1639cc0ade38b507b84230ee3d4863416a6a9c9d9e6678a438ae203bd534adbe1160198c6575d87f8a88ce440aefd1d018d7ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\urpfnc-e.cmdline

Filesize
309B

MD5
96f684f86af7e83cbfdf56cd134ad6d0

SHA1
d060d97b89325a2a0977eee42df0d94482384939

SHA256
6cd217f78ebdf0b94979f1a2086254b3b85f0c34f5fcb265adb1594edadb2dbf

SHA512
aaefd009d2ac73db71a2e812df7ddeadf60bfaf55a567fa7c10822d8ef4e714c0f006d254749c7bdf47eb761902f10b2e09ea9bad441521ada5c897ad320ed11

Download Submit
memory/2140-23-0x0000000002BE0000-0x0000000002BE8000-memory.dmp

Filesize
32KB

Download
memory/2140-14-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/2140-7-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/2140-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2140-4-0x000007FEF5A9E000-0x000007FEF5A9F000-memory.dmp

Filesize
4KB

Download
memory/2140-9-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/2140-6-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2140-26-0x000007FEF5A9E000-0x000007FEF5A9F000-memory.dmp

Filesize
4KB

Download
memory/2140-27-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download