Analysis

max time kernel: 105s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/03/2025, 07:07
Static task: static1

Behavioral task: behavioral1
  Sample: ba42734309c09becd02d7316b10d300b569295af525143c7226e41d134b804f2.ps1
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: ba42734309c09becd02d7316b10d300b569295af525143c7226e41d134b804f2.ps1
  Resource: win10v2004-20250314-en
General

Target: ba42734309c09becd02d7316b10d300b569295af525143c7226e41d134b804f2.ps1
Size: 1KB
MD5: 6cedc4e1091b48b0b968acce2fe33fdc
SHA1: e0262eb44e82188ec7ff61670603445f1e79b59c
SHA256: ba42734309c09becd02d7316b10d300b569295af525143c7226e41d134b804f2
SHA512: 118c1406e3941340862474d2fe2f2d4c3c08baf6e2b691f343b45cfaaa3bd1b242f20be0db20f125c0188f16e4b59e90456e1a01be843d780aa285bc5e128c9e
Malware Config
Signatures
Blocklisted process makes network request 10 IoCs
  flow  pid   Process
  5     5296  powershell.exe   (this row is repeated 10 times in the report)

Command and Scripting Interpreter: PowerShell
  pid   Process
  5296  powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
  pid   Process
  5296  powershell.exe
  5296  powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  5296  powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs
  description                       pid   Process         procid_target
  PID 5296 wrote to memory of 2368  5296  powershell.exe  87
  PID 5296 wrote to memory of 2368  5296  powershell.exe  87
  PID 2368 wrote to memory of 3224  2368  csc.exe         88
  PID 2368 wrote to memory of 3224  2368  csc.exe         88
  PID 5296 wrote to memory of 2016  5296  powershell.exe  89
  PID 5296 wrote to memory of 2016  5296  powershell.exe  89
  PID 2016 wrote to memory of 5032  2016  csc.exe         90
  PID 2016 wrote to memory of 5032  2016  csc.exe         90
Processes

Level 1: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ba42734309c09becd02d7316b10d300b569295af525143c7226e41d134b804f2.ps1
  PID: 5296
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sfl2r43z\sfl2r43z.cmdline"
    PID: 2368
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8368.tmp" "c:\Users\Admin\AppData\Local\Temp\sfl2r43z\CSC16E6CD66FC4442F3A29E42678DCD857.TMP"
      PID: 3224

  Level 2: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ogzptlg\4ogzptlg.cmdline"
    PID: 2016
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83F5.tmp" "c:\Users\Admin\AppData\Local\Temp\4ogzptlg\CSCF9E27262FC343708599F7EAAE53FB92.TMP"
      PID: 5032
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: 8908eda84d890a64eb51ffb357cb1593
SHA1: ea733a8e33c5e46e93156404790c0cda89822c53
SHA256: d5e40500a92b5954bb1f431b09336ca66d9c26ee5b631fb81960d00a9269cd44
SHA512: 1aeaab615ae33a65f93a91a2a4b93fe328f36146db648f947b4afba206b5b45d4abdf10384b75afe6ea41732fe439da813399444223e16928fbdc7b4333729ca

Filesize: 1KB
MD5: 2b325d632cb4ae80dfe41e18d6cb41f6
SHA1: c75414bb84a10009e739fa49c88fed729b732b4a
SHA256: 4400082a092d24d6492e337856ec1f62e05b823a35c3ee0ef12f9745b7949df9
SHA512: ee71cabad2936dc06af3fb017f63d139873b35046eebe66515e679c15b3ebea97922ac010e2dbfe0167d905ac5608f6740e3af68497b583b7e97649b09e25432

Filesize: 1KB
MD5: 9ea54022796e6759cec7a6fe6adb8fd6
SHA1: c15b54e01422307cef354600cecd4653de97f357
SHA256: b3fe3db62da4177f13093ba5a02db436e1198367154b390ee4e5e690c2b8d685
SHA512: 90fff283e3ee4e8b4f5037ae75ebafba45b052ff474c561244448bb9b6821e15670f230af8c983d1ca354e03377c65539cf4bc1db6de063737d88090e3370c4f

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 3KB
MD5: efc3404a519be163eb6c55a7ce40584d
SHA1: dee1575c1ce25487364095d55ffb1f66400233d8
SHA256: 5adae3a410fa4ae3877e5ba51bb441600a15af6c680365bf5efc08d261646c72
SHA512: c8470861455ea6b15c83ee0ca45107c01cbd79c2ab8d8469acff6d83f30ba00fe87b482efc0f20db28054843ea9e31c669caafb91c7d2726f17a48f7bff5d0a5

Filesize: 150B
MD5: 21b26009ffb5a7eea15d8317681c193c
SHA1: 16ecf382e8cf2ad5e2279ea34fd44ea134edca6f
SHA256: ae177de80f359cd5d4cb1ce59170c2eff01d6bb8912c49523c93976225285c1f
SHA512: 74e95b0049020333a0cfba4b703fef8af11064d84c6247c21aaccfe2a84e47c5af10300d09b9847ffd9ae50c66925bebffd90aedb1034b402cc138e5185aacac

Filesize: 369B
MD5: 5d29502199f91e83d86a2d3f99e6edda
SHA1: b8c290b3e2ce4affaac99c83e4268a5abf6907b6
SHA256: 64199027282df10eb13f49573f2c7a3bd27aae9f10acebb07ec53a410a321722
SHA512: cea305a45e65099ded29f37c35feb11c2a1c6eeb6892e6577c00ae66014975ed76456d08b7f841921d5e518bfeb7f201bf2b6697470f9e53f17f57b4f49bb5b8

Filesize: 652B
MD5: 82810957ebeef165611e9129eb0e5da7
SHA1: 3360df86f1c1afc6be3e9c3b3aaa7cc5e639086d
SHA256: f4c287cfda6c8c6b36ce902144e3302b526689f729d45bd8c68df25ad056cf9a
SHA512: 8e941e04b85ec7744b003f1398511cbc816d1be53296b437026a794416dfa96e38510c53232fd6a7f229aca6cb1ccdf0ca17f80cb1d5f2957813786411633f31

Filesize: 652B
MD5: 8d4db399ca5700b13aea016053770592
SHA1: dabb2a723d9144735ed77ae35feabe48e3bde908
SHA256: e661aa42ebfd0850095f499b77a8ce4976db3af27b5c1ed2a38d4858c6d934fd
SHA512: e642b94357789b3fd5da202baf660d4ff186a0b6796dd6badba93e9fff23ce63f76fc109a8053e13d2cec8444626173d40e7204a799061399a9f57e4e955da67

Filesize: 232B
MD5: 2a25f8c0fce2643d0bf6dd99b1c7125d
SHA1: 879eaf1edf6107d0fcc646fcdaa45124b1c828d0
SHA256: 418ba293d4540a019145ad4632a7def4c35a1945a0367d0766e3c751bf53b47e
SHA512: ccfbe628331130c3dad922c3fcd16010651752e31b94e47a253101a1e1f7d24be3572fad64e7e77997d84efd6b9122663d2b8219fdd621ecf104a479ec57bdf8

Filesize: 369B
MD5: c1f4f043ab9578822c4f6c5340e395d0
SHA1: 5e32d07e835a214914bd69341fc407e6c4d7b268
SHA256: f3a345724093c8c9e420e65ee6b2cfeea1f4b05bcfa7447ccb9bf3b1ddcf50e3
SHA512: 335c43ce2f2396538bcb82e82c1abd549686a5fe4e2baf3f9ed2ad278e792856b7cb063ad7ad6ec49e5f1bd4a931fcbc1a7d612179d812dec507a62115f79049