82f016b7f71f4eb3e5dc93f1dbc8d44f2fca707107e5e86b64de356ffc92ca6b

Resubmissions

31/03/2025, 15:25

250331-st3p2svps7 10

Analysis

max time kernel
3s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
31/03/2025, 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$APPDATA/Promotions/Promotions.ps1
Size

1KB
MD5

b582c83dc8ef6202e1d0495aa152e4c2
SHA1

beca619e1c0e0e987395002a797f08dc3657d1fd
SHA256

e07d9c1dfa78fa62b7fe0e9aeaa5b6b41d97ca82aead6a92dbfae24e135075f1
SHA512

9ec4f95d47890802d9cb2ca889db7ad28dc65c5a710ffbc4fdb7ce63cd9fec308be6e86b2e31ee9e671df4c17afbe01fd329953b0d185e3d502ae462c97b6daf

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1072	PowerShell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1072	PowerShell.exe
1072	PowerShell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1072	PowerShell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 456	1072	PowerShell.exe	79
PID 1072 wrote to memory of 456	1072	PowerShell.exe	79
PID 456 wrote to memory of 2724	456	csc.exe	80
PID 456 wrote to memory of 2724	456	csc.exe	80

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\$APPDATA\Promotions\Promotions.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v5aiijyu\v5aiijyu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES830B.tmp" "c:\Users\Admin\AppData\Local\Temp\v5aiijyu\CSCDA6BF6E1F94A4DC48FBC60AA73DD27E1.TMP"
    3⤵
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES830B.tmp

Filesize
1KB

MD5
3f987ca95639ab97faa4940ddb70321d

SHA1
444221034337ee6da3be8d8dec30e8ccfded77be

SHA256
c3d5d4be9e311701e743c6d9e998d128f9e77e49d5a29290a8251e2142e03fbf

SHA512
f3432d0f24ce72c1e495036f19a25f10a6fa0690e00158acb05039698039bf4aa626aff070069eebe5d893470881620d1e9f70ca3e01b3de8ed7ae20c4a9c344

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hl4vt5pe.qt1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\v5aiijyu\v5aiijyu.dll

Filesize
3KB

MD5
f1f75a1e26fd5843002b4dbd7dd1a876

SHA1
a9ff0fb5fbdd2e80c68cfd1f4f7ca4c86564aee0

SHA256
bcd87225333893769779401d1591036636865756d121a335e71e2aa1d52bc3d7

SHA512
7f56c8782aba4a9f5b62b924ce4f721cc9acbf24ad2aec1db5db29924d0dc58383adb8aa0e13c7fd64c69cfcf4c4f253bed3b21af7bde7b5c67c26efabf4be17

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v5aiijyu\CSCDA6BF6E1F94A4DC48FBC60AA73DD27E1.TMP

Filesize
652B

MD5
317b06805421cf59a8e6a53fe04c16d0

SHA1
bca3fa455fbeb710a14d2fd1c2d2fc92a6eabbbf

SHA256
7c4f75337a99709c88ea2336228ede3efaaf3c1f6cb9f1c44e3ce882a7ad78d1

SHA512
cd538f6c08b0f9e0654527d7faa28d01b5ad7d6fe757da35db3fb755cdba45210aadb02fe26b25f3f6ff5e515a7113bbf360b0836fd7b7fa048049c35667aaac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v5aiijyu\v5aiijyu.0.cs

Filesize
267B

MD5
aec6e734a848ecbe165ae3e66cc98f33

SHA1
1ff3a36995c27422af9e6694ce219de98690597b

SHA256
290e34b62c47a02f197451e89699d8e24ed6e8b8d69038fd834a34b3546b3ba3

SHA512
c1033992cf9c4ecb6a7170f7995a0e4d87a91cf240e6cc48054b6157e380c83c68087b05de90a401e4fc91b3434d8679c23eb8a8147cbc6e1009ae7318dc5188

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\v5aiijyu\v5aiijyu.cmdline

Filesize
369B

MD5
f8310406532411494c5443d88dadbd72

SHA1
d2b17f8d1b8f1778ca1bd037ea68b9a5d7ec6e69

SHA256
37a0937ab1354fb4f313c1416c9296d546db367baf3f5cf665d8815434570272

SHA512
73bdb7021a3b544683755f9c6455367824872b68ba986bb34bd1c6b1ae00c6f48337f79821876f14b7e5cfea7f81213dc48a937622d22fd98da60f3ea03c6bc6

Download Submit
memory/1072-0-0x00007FF9C8F03000-0x00007FF9C8F05000-memory.dmp

Filesize
8KB

Download
memory/1072-13-0x00007FF9C8F00000-0x00007FF9C99C2000-memory.dmp

Filesize
10.8MB

Download
memory/1072-11-0x00007FF9C8F00000-0x00007FF9C99C2000-memory.dmp

Filesize
10.8MB

Download
memory/1072-10-0x0000022B5DB00000-0x0000022B5DB22000-memory.dmp

Filesize
136KB

Download
memory/1072-9-0x00007FF9C8F00000-0x00007FF9C99C2000-memory.dmp

Filesize
10.8MB

Download
memory/1072-26-0x0000022B5DAF0000-0x0000022B5DAF8000-memory.dmp

Filesize
32KB

Download
memory/1072-31-0x00007FF9C8F00000-0x00007FF9C99C2000-memory.dmp

Filesize
10.8MB

Download