4109d17d439e425d24e9d11956adcc63ff8e24ccfffe21dd8c5431fe969d2783

General

Target

favicon.ps1
Size

190KB
MD5

471601a24b16ed8f14f68967eac8d64e
SHA1

fdecb788ba7cd9c855686b0598d4953af85ab399
SHA256

4109d17d439e425d24e9d11956adcc63ff8e24ccfffe21dd8c5431fe969d2783
SHA512

a45a7932e678cac7a117a2a5b7f1598ebd2dbb7dd0cd7151f4956b440384323d659d40a713491ded9f72052ae0c568dee6a39219ba99da81c6a5e3e534c07699

Score

10^/10

suricata

Malware Config

Signatures

suricata: ET MALWARE Cobalt Strike Beacon Observed
suricata: ET MALWARE Cobalt Strike Beacon Observed
suricata
suricata: ET MALWARE Meterpreter or Other Reverse Shell SSL Cert
suricata: ET MALWARE Meterpreter or Other Reverse Shell SSL Cert
suricata
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

15 3988 powershell.exe
16 3988 powershell.exe
41 3988 powershell.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

880 powershell.exe
880 powershell.exe
3988 powershell.exe
3988 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 880 powershell.exe
Token: SeDebugPrivilege 3988 powershell.exe

flow	pid	process
15	3988	powershell.exe
16	3988	powershell.exe
41	3988	powershell.exe

pid	process
880	powershell.exe
880	powershell.exe
3988	powershell.exe
3988	powershell.exe

description	pid	process
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 880 wrote to memory of 3988	880	powershell.exe	powershell.exe
PID 880 wrote to memory of 3988	880	powershell.exe	powershell.exe
PID 880 wrote to memory of 3988	880	powershell.exe	powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\favicon.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880

\??\c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
93678e82d776686aa54c42b8a98e6cbc

SHA1
802939dfed99ac74814c4371388b204c5810241d

SHA256
da32a79a8e04cbafb1c5980b3d6225f4705010df5eb45d464cd5bf6b642d7841

SHA512
0b412a1e11c0639d72f6a58c661ecc43da021c010c4d1e66051c5a376ebab287480bbf663345c9bd2a79ec3a35a9788cf04d74d612449f76fe2c87576cd13520

Download Submit
memory/880-130-0x000001B021F10000-0x000001B021F32000-memory.dmp

Filesize
136KB

Download
memory/880-131-0x00007FF8BEA80000-0x00007FF8BF541000-memory.dmp

Filesize
10.8MB

Download
memory/880-132-0x000001B023120000-0x000001B023296000-memory.dmp

Filesize
1.5MB

Download
memory/880-133-0x000001B0234B0000-0x000001B0236BA000-memory.dmp

Filesize
2.0MB

Download
memory/880-140-0x00007FF8BEA80000-0x00007FF8BF541000-memory.dmp

Filesize
10.8MB

Download
memory/3988-138-0x00000000061F0000-0x0000000006256000-memory.dmp

Filesize
408KB

Download
memory/3988-137-0x0000000005970000-0x0000000005992000-memory.dmp

Filesize
136KB

Download
memory/3988-136-0x00000000059D0000-0x0000000005FF8000-memory.dmp

Filesize
6.2MB

Download
memory/3988-139-0x0000000006310000-0x0000000006376000-memory.dmp

Filesize
408KB

Download
memory/3988-135-0x0000000005360000-0x0000000005396000-memory.dmp

Filesize
216KB

Download
memory/3988-141-0x00000000069B0000-0x00000000069CE000-memory.dmp

Filesize
120KB

Download
memory/3988-142-0x0000000007860000-0x0000000007EDA000-memory.dmp

Filesize
6.5MB

Download
memory/3988-143-0x0000000006FA0000-0x0000000006FBA000-memory.dmp

Filesize
104KB

Download
memory/3988-144-0x00000000071E0000-0x000000000785A000-memory.dmp

Filesize
6.5MB

Download
memory/3988-145-0x00000000071E0000-0x000000000785A000-memory.dmp

Filesize
6.5MB

Download
memory/3988-146-0x00000000071E0000-0x000000000785A000-memory.dmp

Filesize
6.5MB

Download
memory/3988-147-0x00000000071E0000-0x000000000785A000-memory.dmp

Filesize
6.5MB

Download
memory/3988-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads