Overview

overview

10

Static

static

bm.ps1

windows7_x64

1

bm.ps1

windows10_x64

10
General
Target

bm.ps1

Filesize

915KB

Completed

03-12-2021 12:10

Task

behavioral1

Score
1/10
MD5

001bfe6f72fe64660ba498107c658bdc

SHA1

0946baf23e867f2564302b60f777db72a1244a30

SHA256

c22a6401a415fe642f3d96f38a887dd8ad23dd83a9255ee89d9adf4650ab98da

SHA512

32836eff8285a5a301be0b4410d34a73d99d4c04b38b0b67b937c1bc5ae6ab2d033a97089b6588c245371dfd8e95c420c8bbd3862a632a828122861e0ec839d3

Malware Config
Signatures 3

Filter: none

  • Suspicious behavior: EnumeratesProcesses
    powershell.exepowershell.exe

    Reported IOCs

    pidprocess
    1868powershell.exe
    1868powershell.exe
    1868powershell.exe
    1616powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exepowershell.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege1868powershell.exe
    Token: SeDebugPrivilege1616powershell.exe
  • Suspicious use of WriteProcessMemory
    powershell.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1868 wrote to memory of 16161868powershell.exepowershell.exe
    PID 1868 wrote to memory of 16161868powershell.exepowershell.exe
    PID 1868 wrote to memory of 16161868powershell.exepowershell.exe
    PID 1868 wrote to memory of 16161868powershell.exepowershell.exe
Processes 2
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\bm.ps1
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ex bypass -NonI C:\Users\Admin\AppData\Local\Temp\bm.ps1
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1616
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                        Privilege Escalation
                          Replay Monitor
                          00:00 00:00
                          Downloads

                          • memory/1616-61-0x0000000000000000-mapping.dmp

                            Download

                          • memory/1616-62-0x0000000075731000-0x0000000075733000-memory.dmp

                            Download

                          • memory/1616-63-0x00000000022F0000-0x0000000002F3A000-memory.dmp

                            Download

                          • memory/1616-64-0x00000000022F0000-0x0000000002F3A000-memory.dmp

                            Download

                          • memory/1868-59-0x0000000002804000-0x0000000002807000-memory.dmp

                            Download

                          • memory/1868-60-0x000000000280B000-0x000000000282A000-memory.dmp

                            Download

                          • memory/1868-55-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

                            Download

                          • memory/1868-56-0x000007FEF28B0000-0x000007FEF340D000-memory.dmp

                            Download

                          • memory/1868-57-0x0000000002800000-0x0000000002802000-memory.dmp

                            Download

                          • memory/1868-58-0x0000000002802000-0x0000000002804000-memory.dmp

                            Download