ba42734309c09becd02d7316b10d300b569295af525143c7226e41d134b804f2

Analysis

max time kernel
105s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba42734309c09becd02d7316b10d300b569295af525143c7226e41d134b804f2.ps1
Size

1KB
MD5

6cedc4e1091b48b0b968acce2fe33fdc
SHA1

e0262eb44e82188ec7ff61670603445f1e79b59c
SHA256

ba42734309c09becd02d7316b10d300b569295af525143c7226e41d134b804f2
SHA512

118c1406e3941340862474d2fe2f2d4c3c08baf6e2b691f343b45cfaaa3bd1b242f20be0db20f125c0188f16e4b59e90456e1a01be843d780aa285bc5e128c9e

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 10 IoCs

flow	pid	Process
5	5296	powershell.exe
5	5296	powershell.exe
5	5296	powershell.exe
5	5296	powershell.exe
5	5296	powershell.exe
5	5296	powershell.exe
5	5296	powershell.exe
5	5296	powershell.exe
5	5296	powershell.exe
5	5296	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5296	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5296	powershell.exe
5296	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5296	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5296 wrote to memory of 2368	5296	powershell.exe	87
PID 5296 wrote to memory of 2368	5296	powershell.exe	87
PID 2368 wrote to memory of 3224	2368	csc.exe	88
PID 2368 wrote to memory of 3224	2368	csc.exe	88
PID 5296 wrote to memory of 2016	5296	powershell.exe	89
PID 5296 wrote to memory of 2016	5296	powershell.exe	89
PID 2016 wrote to memory of 5032	2016	csc.exe	90
PID 2016 wrote to memory of 5032	2016	csc.exe	90

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ba42734309c09becd02d7316b10d300b569295af525143c7226e41d134b804f2.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sfl2r43z\sfl2r43z.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8368.tmp" "c:\Users\Admin\AppData\Local\Temp\sfl2r43z\CSC16E6CD66FC4442F3A29E42678DCD857.TMP"
    3⤵
    PID:3224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ogzptlg\4ogzptlg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83F5.tmp" "c:\Users\Admin\AppData\Local\Temp\4ogzptlg\CSCF9E27262FC343708599F7EAAE53FB92.TMP"
    3⤵
    PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4ogzptlg\4ogzptlg.dll

Filesize
3KB

MD5
8908eda84d890a64eb51ffb357cb1593

SHA1
ea733a8e33c5e46e93156404790c0cda89822c53

SHA256
d5e40500a92b5954bb1f431b09336ca66d9c26ee5b631fb81960d00a9269cd44

SHA512
1aeaab615ae33a65f93a91a2a4b93fe328f36146db648f947b4afba206b5b45d4abdf10384b75afe6ea41732fe439da813399444223e16928fbdc7b4333729ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8368.tmp

Filesize
1KB

MD5
2b325d632cb4ae80dfe41e18d6cb41f6

SHA1
c75414bb84a10009e739fa49c88fed729b732b4a

SHA256
4400082a092d24d6492e337856ec1f62e05b823a35c3ee0ef12f9745b7949df9

SHA512
ee71cabad2936dc06af3fb017f63d139873b35046eebe66515e679c15b3ebea97922ac010e2dbfe0167d905ac5608f6740e3af68497b583b7e97649b09e25432

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES83F5.tmp

Filesize
1KB

MD5
9ea54022796e6759cec7a6fe6adb8fd6

SHA1
c15b54e01422307cef354600cecd4653de97f357

SHA256
b3fe3db62da4177f13093ba5a02db436e1198367154b390ee4e5e690c2b8d685

SHA512
90fff283e3ee4e8b4f5037ae75ebafba45b052ff474c561244448bb9b6821e15670f230af8c983d1ca354e03377c65539cf4bc1db6de063737d88090e3370c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_itusqtdn.a1o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfl2r43z\sfl2r43z.dll

Filesize
3KB

MD5
efc3404a519be163eb6c55a7ce40584d

SHA1
dee1575c1ce25487364095d55ffb1f66400233d8

SHA256
5adae3a410fa4ae3877e5ba51bb441600a15af6c680365bf5efc08d261646c72

SHA512
c8470861455ea6b15c83ee0ca45107c01cbd79c2ab8d8469acff6d83f30ba00fe87b482efc0f20db28054843ea9e31c669caafb91c7d2726f17a48f7bff5d0a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4ogzptlg\4ogzptlg.0.cs

Filesize
150B

MD5
21b26009ffb5a7eea15d8317681c193c

SHA1
16ecf382e8cf2ad5e2279ea34fd44ea134edca6f

SHA256
ae177de80f359cd5d4cb1ce59170c2eff01d6bb8912c49523c93976225285c1f

SHA512
74e95b0049020333a0cfba4b703fef8af11064d84c6247c21aaccfe2a84e47c5af10300d09b9847ffd9ae50c66925bebffd90aedb1034b402cc138e5185aacac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4ogzptlg\4ogzptlg.cmdline

Filesize
369B

MD5
5d29502199f91e83d86a2d3f99e6edda

SHA1
b8c290b3e2ce4affaac99c83e4268a5abf6907b6

SHA256
64199027282df10eb13f49573f2c7a3bd27aae9f10acebb07ec53a410a321722

SHA512
cea305a45e65099ded29f37c35feb11c2a1c6eeb6892e6577c00ae66014975ed76456d08b7f841921d5e518bfeb7f201bf2b6697470f9e53f17f57b4f49bb5b8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4ogzptlg\CSCF9E27262FC343708599F7EAAE53FB92.TMP

Filesize
652B

MD5
82810957ebeef165611e9129eb0e5da7

SHA1
3360df86f1c1afc6be3e9c3b3aaa7cc5e639086d

SHA256
f4c287cfda6c8c6b36ce902144e3302b526689f729d45bd8c68df25ad056cf9a

SHA512
8e941e04b85ec7744b003f1398511cbc816d1be53296b437026a794416dfa96e38510c53232fd6a7f229aca6cb1ccdf0ca17f80cb1d5f2957813786411633f31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sfl2r43z\CSC16E6CD66FC4442F3A29E42678DCD857.TMP

Filesize
652B

MD5
8d4db399ca5700b13aea016053770592

SHA1
dabb2a723d9144735ed77ae35feabe48e3bde908

SHA256
e661aa42ebfd0850095f499b77a8ce4976db3af27b5c1ed2a38d4858c6d934fd

SHA512
e642b94357789b3fd5da202baf660d4ff186a0b6796dd6badba93e9fff23ce63f76fc109a8053e13d2cec8444626173d40e7204a799061399a9f57e4e955da67

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sfl2r43z\sfl2r43z.0.cs

Filesize
232B

MD5
2a25f8c0fce2643d0bf6dd99b1c7125d

SHA1
879eaf1edf6107d0fcc646fcdaa45124b1c828d0

SHA256
418ba293d4540a019145ad4632a7def4c35a1945a0367d0766e3c751bf53b47e

SHA512
ccfbe628331130c3dad922c3fcd16010651752e31b94e47a253101a1e1f7d24be3572fad64e7e77997d84efd6b9122663d2b8219fdd621ecf104a479ec57bdf8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sfl2r43z\sfl2r43z.cmdline

Filesize
369B

MD5
c1f4f043ab9578822c4f6c5340e395d0

SHA1
5e32d07e835a214914bd69341fc407e6c4d7b268

SHA256
f3a345724093c8c9e420e65ee6b2cfeea1f4b05bcfa7447ccb9bf3b1ddcf50e3

SHA512
335c43ce2f2396538bcb82e82c1abd549686a5fe4e2baf3f9ed2ad278e792856b7cb063ad7ad6ec49e5f1bd4a931fcbc1a7d612179d812dec507a62115f79049

Download Submit
memory/5296-11-0x00007FFDE83D0000-0x00007FFDE8E91000-memory.dmp

Filesize
10.8MB

Download
memory/5296-0-0x00007FFDE83D3000-0x00007FFDE83D5000-memory.dmp

Filesize
8KB

Download
memory/5296-25-0x000002F047AB0000-0x000002F047AB8000-memory.dmp

Filesize
32KB

Download
memory/5296-40-0x000002F05FED0000-0x000002F05FED8000-memory.dmp

Filesize
32KB

Download
memory/5296-6-0x000002F05FE80000-0x000002F05FEA2000-memory.dmp

Filesize
136KB

Download
memory/5296-12-0x00007FFDE83D0000-0x00007FFDE8E91000-memory.dmp

Filesize
10.8MB

Download
memory/5296-42-0x00007FFDE83D0000-0x00007FFDE8E91000-memory.dmp

Filesize
10.8MB

Download
memory/5296-43-0x00007FFDE83D3000-0x00007FFDE83D5000-memory.dmp

Filesize
8KB

Download
memory/5296-44-0x00007FFDE83D0000-0x00007FFDE8E91000-memory.dmp

Filesize
10.8MB

Download
memory/5296-47-0x00007FFDE83D0000-0x00007FFDE8E91000-memory.dmp

Filesize
10.8MB

Download