5d7da2e714b49bb444fba61118db5762657c42590eceff66a890f238c039269f

Resubmissions

31-10-2023 14:07

231031-re37labd66 1

31-10-2023 14:02

231031-rcf92shb8s 1

31-10-2023 13:59

231031-rahebsha3x 1

31-10-2023 13:47

231031-q3rb9sad36 1

Analysis

max time kernel
143s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2023 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.ps1
Size

351B
MD5

020b64c77751bf39ac87056235310827
SHA1

57fce2282987f8864085c1220094f63b1b74af2a
SHA256

5d7da2e714b49bb444fba61118db5762657c42590eceff66a890f238c039269f
SHA512

15546845dec53569ee3678af33edc0076954300d880207f8bebf6ca3ba611d41c293d90e7cbcbb7c1f6cacea00aa89adc7b67d6d5c34e83fb972b7882ff4ba42

Score

1^/10

Malware Config

Signatures

Runs ping.exe 1 TTPs 23 IoCs

Remote System Discovery

T1018

pid	Process
484	PING.EXE
408	PING.EXE
3048	PING.EXE
4188	PING.EXE
4400	PING.EXE
1196	PING.EXE
992	PING.EXE
4040	PING.EXE
2684	PING.EXE
4116	PING.EXE
4992	PING.EXE
392	PING.EXE
3308	PING.EXE
3844	PING.EXE
3780	PING.EXE
1708	PING.EXE
1788	PING.EXE
4060	PING.EXE
2024	PING.EXE
4656	PING.EXE
4340	PING.EXE
4912	PING.EXE
3832	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4492	powershell.exe
4492	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4492	powershell.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 3780	4492	powershell.exe	86
PID 4492 wrote to memory of 3780	4492	powershell.exe	86
PID 4492 wrote to memory of 1708	4492	powershell.exe	87
PID 4492 wrote to memory of 1708	4492	powershell.exe	87
PID 4492 wrote to memory of 992	4492	powershell.exe	88
PID 4492 wrote to memory of 992	4492	powershell.exe	88
PID 4492 wrote to memory of 2684	4492	powershell.exe	94
PID 4492 wrote to memory of 2684	4492	powershell.exe	94
PID 4492 wrote to memory of 4040	4492	powershell.exe	95
PID 4492 wrote to memory of 4040	4492	powershell.exe	95
PID 4492 wrote to memory of 4400	4492	powershell.exe	96
PID 4492 wrote to memory of 4400	4492	powershell.exe	96
PID 4492 wrote to memory of 4116	4492	powershell.exe	97
PID 4492 wrote to memory of 4116	4492	powershell.exe	97
PID 4492 wrote to memory of 4912	4492	powershell.exe	98
PID 4492 wrote to memory of 4912	4492	powershell.exe	98
PID 4492 wrote to memory of 4992	4492	powershell.exe	99
PID 4492 wrote to memory of 4992	4492	powershell.exe	99
PID 4492 wrote to memory of 392	4492	powershell.exe	100
PID 4492 wrote to memory of 392	4492	powershell.exe	100
PID 4492 wrote to memory of 3048	4492	powershell.exe	101
PID 4492 wrote to memory of 3048	4492	powershell.exe	101
PID 4492 wrote to memory of 4188	4492	powershell.exe	102
PID 4492 wrote to memory of 4188	4492	powershell.exe	102
PID 4492 wrote to memory of 3832	4492	powershell.exe	103
PID 4492 wrote to memory of 3832	4492	powershell.exe	103
PID 4492 wrote to memory of 1196	4492	powershell.exe	104
PID 4492 wrote to memory of 1196	4492	powershell.exe	104
PID 4492 wrote to memory of 4060	4492	powershell.exe	105
PID 4492 wrote to memory of 4060	4492	powershell.exe	105
PID 4492 wrote to memory of 484	4492	powershell.exe	106
PID 4492 wrote to memory of 484	4492	powershell.exe	106
PID 4492 wrote to memory of 3308	4492	powershell.exe	107
PID 4492 wrote to memory of 3308	4492	powershell.exe	107
PID 4492 wrote to memory of 2024	4492	powershell.exe	108
PID 4492 wrote to memory of 2024	4492	powershell.exe	108
PID 4492 wrote to memory of 4656	4492	powershell.exe	109
PID 4492 wrote to memory of 4656	4492	powershell.exe	109
PID 4492 wrote to memory of 3844	4492	powershell.exe	110
PID 4492 wrote to memory of 3844	4492	powershell.exe	110
PID 4492 wrote to memory of 408	4492	powershell.exe	111
PID 4492 wrote to memory of 408	4492	powershell.exe	111
PID 4492 wrote to memory of 4340	4492	powershell.exe	112
PID 4492 wrote to memory of 4340	4492	powershell.exe	112
PID 4492 wrote to memory of 1788	4492	powershell.exe	113
PID 4492 wrote to memory of 1788	4492	powershell.exe	113

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:3780
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:1708
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.gov
  2⤵
  - Runs ping.exe
  PID:992
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" bfo.guv
  2⤵
  - Runs ping.exe
  PID:2684
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.gov
  2⤵
  - Runs ping.exe
  PID:4040
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi,gu
  2⤵
  - Runs ping.exe
  PID:4400
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:4116
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:4912
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbilgiv
  2⤵
  - Runs ping.exe
  PID:4992
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.cov
  2⤵
  - Runs ping.exe
  PID:392
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:3048
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:4188
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:3832
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:1196
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:4060
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.giv
  2⤵
  - Runs ping.exe
  PID:484
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:3308
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2024
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbo.guv
  2⤵
  - Runs ping.exe
  PID:4656
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:3844
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:408
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:4340
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0menwjk5.jxg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4492-9-0x0000014FF5820000-0x0000014FF5842000-memory.dmp

Filesize
136KB

Download
memory/4492-10-0x00007FF9E4200000-0x00007FF9E4CC1000-memory.dmp

Filesize
10.8MB

Download
memory/4492-11-0x0000014FF4880000-0x0000014FF4890000-memory.dmp

Filesize
64KB

Download
memory/4492-12-0x0000014FF4880000-0x0000014FF4890000-memory.dmp

Filesize
64KB

Download
memory/4492-13-0x0000014FF4880000-0x0000014FF4890000-memory.dmp

Filesize
64KB

Download
memory/4492-14-0x00007FF9E4200000-0x00007FF9E4CC1000-memory.dmp

Filesize
10.8MB

Download
memory/4492-15-0x0000014FF4880000-0x0000014FF4890000-memory.dmp

Filesize
64KB

Download
memory/4492-16-0x0000014FF4880000-0x0000014FF4890000-memory.dmp

Filesize
64KB

Download
memory/4492-17-0x0000014FF4880000-0x0000014FF4890000-memory.dmp

Filesize
64KB

Download
memory/4492-20-0x00007FF9E4200000-0x00007FF9E4CC1000-memory.dmp

Filesize
10.8MB

Download