Overview

overview

10

Static

static

3

QuarkPC.exe

windows11-21h2-x64

10

$APPDATA/P...gs.vbs

windows11-21h2-x64

3

$APPDATA/P...ns.ps1

windows11-21h2-x64

3

$APPDATA/P...te.dll

windows11-21h2-x64

3

$LOCALAPPD..._R.exe

windows11-21h2-x64

5

$LOCALAPPD...32.exe

windows11-21h2-x64

3

$PLUGINSDI...ns.dll

windows11-21h2-x64

3

$PLUGINSDI...em.dll

windows11-21h2-x64

3

$PLUGINSDI...ec.dll

windows11-21h2-x64

3

$WINDIR/Text.ps1

windows11-21h2-x64

3

QuarkPC.exe

windows11-21h2-x64

4

Resubmissions

31/03/2025, 15:25

250331-st3p2svps7 10

Analysis

  • max time kernel
    1s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    31/03/2025, 15:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $WINDIR/Text.ps1

  • Size

    3KB

  • MD5

    d81a1c714c1e6c3ec4d4eb8c3649a336

  • SHA1

    4a4e9167989b8d637f36a3201b18ca4767acb8fe

  • SHA256

    d5da1e586d322da67f0c1136968ab5dab2acf387e145acc199027c343630bc2d

  • SHA512

    94e6b437e05f8ded151f9303a25321307a246b7373908450b4272da1b9e7b6305bf7e2a7980d190fe73f261c92a9cc18e42e4bee94ce9e085b23dbc06b8314c5

Score
3/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\$WINDIR\Text.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:6032
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ydfrhglh\ydfrhglh.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA95F.tmp" "c:\Users\Admin\AppData\Local\Temp\ydfrhglh\CSCBC28FA7391A449B996DE4A3EB5FAE079.TMP"
        3⤵
          PID:4140

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RESA95F.tmp
      Filesize

      1KB

      MD5

      8d919803cfdc9680c12b8952bf19c226

      SHA1

      b0cf03137a508d1ac6c10c097e3060c29de14b7f

      SHA256

      780d43ecae8a8b3c19f27f6f11c255406492778038cdfdfb8e25cb5075cde74b

      SHA512

      70f91ccbb2d37c0cda1888971ca3494edf7af6d714fa53fe5dc990a1cdaec9a1c728e102b466f5fd4c5894d6e855df1969f3d83a5a4a22461fbb60d544d77bc6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_akpx1jma.dwn.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ydfrhglh\ydfrhglh.dll
      Filesize

      3KB

      MD5

      71c13ee22c5a08b794863fbc09e6bbf6

      SHA1

      30228704be43becff6059f9fe6c3d77e85583005

      SHA256

      e07a64eea9a95bcc7623ebe8b75e73ffed1b569d1d07bc64718a5e5dfd914803

      SHA512

      374ba38daf54e86d457906afa26e45699a7a1f45f413fd66e523886a30e7064e7eb8eb0c99c8121a4a6efdb37b76940260b046a20352b829be8b905954b089c5

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\ydfrhglh\CSCBC28FA7391A449B996DE4A3EB5FAE079.TMP
      Filesize

      652B

      MD5

      5a7f0ac3f5fd69431d9a163f52071b70

      SHA1

      b05a4df47967629a4675c31a1e4d5984daddb5b6

      SHA256

      bf1b0fda75e3d2fb7f1e08790d93bb4750bd846e7ae48b0c18d9c8d4b2158dda

      SHA512

      b7a83558d5fb23930d4644994c002cb8d7d4e4699ab41235e36aac072fc358955d8b1b5db443d08899bdfb74b49f90b9f4ca68f8922fa61206436bf88c11fa50

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\ydfrhglh\ydfrhglh.0.cs
      Filesize

      400B

      MD5

      c62e9d98205e8931873feeadf9d05f79

      SHA1

      d9b9dbb2cfe76d2f2e1e67114ceed22feed31f2e

      SHA256

      14b29bc0d217e928264a97843c602431bb7e8b4df986b5605003dded602db410

      SHA512

      43294d4afdfc7e0e14bb83ad024665684709941de12426fdc155c6c77916102eacba551e6d0dd2f077c28e225cd7f5bf6d52cd550086c010d2ed00fc63490d89

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\ydfrhglh\ydfrhglh.cmdline
      Filesize

      369B

      MD5

      e3d90ee1e665425ef45b1bbb9213caa0

      SHA1

      771f27e929ddf79489b35e971463b90bd33dd98a

      SHA256

      76e990b931d1255db7541a9ce61d85b544baecff414411e2619a6beb6869eda8

      SHA512

      adbbfc885de9ca962e234b2cbd01b5131ad1e915a3001fea0afbec8fa41fb67e1af7cb9c64e22147bcf392d3aeb64e663c4a63d5f07982fd2416e5ae6c07397a

      Download Submit

    • memory/6032-0-0x00007FFF474B3000-0x00007FFF474B5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/6032-9-0x00000206C49B0000-0x00000206C49D2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/6032-10-0x00007FFF474B0000-0x00007FFF47F72000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/6032-11-0x00007FFF474B0000-0x00007FFF47F72000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/6032-12-0x00007FFF474B0000-0x00007FFF47F72000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/6032-25-0x00000206C48F0000-0x00000206C48F8000-memory.dmp

      Filesize

      32KB

      Download