5d7da2e714b49bb444fba61118db5762657c42590eceff66a890f238c039269f

Resubmissions

31/10/2023, 14:07

231031-re37labd66 1

31/10/2023, 14:02

231031-rcf92shb8s 1

31/10/2023, 13:59

231031-rahebsha3x 1

31/10/2023, 13:47

231031-q3rb9sad36 1

Analysis

max time kernel
122s
max time network
130s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.ps1
Size

351B
MD5

020b64c77751bf39ac87056235310827
SHA1

57fce2282987f8864085c1220094f63b1b74af2a
SHA256

5d7da2e714b49bb444fba61118db5762657c42590eceff66a890f238c039269f
SHA512

15546845dec53569ee3678af33edc0076954300d880207f8bebf6ca3ba611d41c293d90e7cbcbb7c1f6cacea00aa89adc7b67d6d5c34e83fb972b7882ff4ba42

Score

1^/10

Malware Config

Signatures

Runs ping.exe 1 TTPs 23 IoCs

Remote System Discovery

T1018

pid	Process
668	PING.EXE
1052	PING.EXE
2780	PING.EXE
2712	PING.EXE
2468	PING.EXE
2820	PING.EXE
2764	PING.EXE
528	PING.EXE
2700	PING.EXE
2724	PING.EXE
2600	PING.EXE
3004	PING.EXE
1968	PING.EXE
324	PING.EXE
2604	PING.EXE
1192	PING.EXE
2512	PING.EXE
1884	PING.EXE
2488	PING.EXE
1188	PING.EXE
2736	PING.EXE
2888	PING.EXE
2732	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1948	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1052	1948	powershell.exe	29
PID 1948 wrote to memory of 1052	1948	powershell.exe	29
PID 1948 wrote to memory of 1052	1948	powershell.exe	29
PID 1948 wrote to memory of 2700	1948	powershell.exe	30
PID 1948 wrote to memory of 2700	1948	powershell.exe	30
PID 1948 wrote to memory of 2700	1948	powershell.exe	30
PID 1948 wrote to memory of 2736	1948	powershell.exe	31
PID 1948 wrote to memory of 2736	1948	powershell.exe	31
PID 1948 wrote to memory of 2736	1948	powershell.exe	31
PID 1948 wrote to memory of 2888	1948	powershell.exe	32
PID 1948 wrote to memory of 2888	1948	powershell.exe	32
PID 1948 wrote to memory of 2888	1948	powershell.exe	32
PID 1948 wrote to memory of 2732	1948	powershell.exe	33
PID 1948 wrote to memory of 2732	1948	powershell.exe	33
PID 1948 wrote to memory of 2732	1948	powershell.exe	33
PID 1948 wrote to memory of 2604	1948	powershell.exe	34
PID 1948 wrote to memory of 2604	1948	powershell.exe	34
PID 1948 wrote to memory of 2604	1948	powershell.exe	34
PID 1948 wrote to memory of 1192	1948	powershell.exe	35
PID 1948 wrote to memory of 1192	1948	powershell.exe	35
PID 1948 wrote to memory of 1192	1948	powershell.exe	35
PID 1948 wrote to memory of 1884	1948	powershell.exe	36
PID 1948 wrote to memory of 1884	1948	powershell.exe	36
PID 1948 wrote to memory of 1884	1948	powershell.exe	36
PID 1948 wrote to memory of 2512	1948	powershell.exe	37
PID 1948 wrote to memory of 2512	1948	powershell.exe	37
PID 1948 wrote to memory of 2512	1948	powershell.exe	37
PID 1948 wrote to memory of 3004	1948	powershell.exe	38
PID 1948 wrote to memory of 3004	1948	powershell.exe	38
PID 1948 wrote to memory of 3004	1948	powershell.exe	38
PID 1948 wrote to memory of 2724	1948	powershell.exe	39
PID 1948 wrote to memory of 2724	1948	powershell.exe	39
PID 1948 wrote to memory of 2724	1948	powershell.exe	39
PID 1948 wrote to memory of 2600	1948	powershell.exe	40
PID 1948 wrote to memory of 2600	1948	powershell.exe	40
PID 1948 wrote to memory of 2600	1948	powershell.exe	40
PID 1948 wrote to memory of 2488	1948	powershell.exe	41
PID 1948 wrote to memory of 2488	1948	powershell.exe	41
PID 1948 wrote to memory of 2488	1948	powershell.exe	41
PID 1948 wrote to memory of 1188	1948	powershell.exe	44
PID 1948 wrote to memory of 1188	1948	powershell.exe	44
PID 1948 wrote to memory of 1188	1948	powershell.exe	44
PID 1948 wrote to memory of 2468	1948	powershell.exe	45
PID 1948 wrote to memory of 2468	1948	powershell.exe	45
PID 1948 wrote to memory of 2468	1948	powershell.exe	45
PID 1948 wrote to memory of 1968	1948	powershell.exe	46
PID 1948 wrote to memory of 1968	1948	powershell.exe	46
PID 1948 wrote to memory of 1968	1948	powershell.exe	46
PID 1948 wrote to memory of 2780	1948	powershell.exe	47
PID 1948 wrote to memory of 2780	1948	powershell.exe	47
PID 1948 wrote to memory of 2780	1948	powershell.exe	47
PID 1948 wrote to memory of 2820	1948	powershell.exe	48
PID 1948 wrote to memory of 2820	1948	powershell.exe	48
PID 1948 wrote to memory of 2820	1948	powershell.exe	48
PID 1948 wrote to memory of 2764	1948	powershell.exe	49
PID 1948 wrote to memory of 2764	1948	powershell.exe	49
PID 1948 wrote to memory of 2764	1948	powershell.exe	49
PID 1948 wrote to memory of 324	1948	powershell.exe	50
PID 1948 wrote to memory of 324	1948	powershell.exe	50
PID 1948 wrote to memory of 324	1948	powershell.exe	50
PID 1948 wrote to memory of 528	1948	powershell.exe	51
PID 1948 wrote to memory of 528	1948	powershell.exe	51
PID 1948 wrote to memory of 528	1948	powershell.exe	51
PID 1948 wrote to memory of 2712	1948	powershell.exe	52

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:1052
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2700
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.gov
  2⤵
  - Runs ping.exe
  PID:2736
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" bfo.guv
  2⤵
  - Runs ping.exe
  PID:2888
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.gov
  2⤵
  - Runs ping.exe
  PID:2732
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi gu
  2⤵
  - Runs ping.exe
  PID:2604
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:1192
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:1884
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbilgiv
  2⤵
  - Runs ping.exe
  PID:2512
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.cov
  2⤵
  - Runs ping.exe
  PID:3004
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2724
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2600
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2488
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:1188
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2468
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.giv
  2⤵
  - Runs ping.exe
  PID:1968
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2780
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2820
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbo.guv
  2⤵
  - Runs ping.exe
  PID:2764
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:324
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:528
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2712
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1948-4-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download
memory/1948-6-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/1948-5-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/1948-8-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1948-7-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1948-9-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1948-10-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/1948-11-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1948-12-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download
memory/1948-13-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1948-14-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1948-15-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1948-16-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1948-17-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp

Filesize
9.6MB

Download