5d7da2e714b49bb444fba61118db5762657c42590eceff66a890f238c039269f

Resubmissions

31/10/2023, 14:07

231031-re37labd66 1

31/10/2023, 14:02

231031-rcf92shb8s 1

31/10/2023, 13:59

231031-rahebsha3x 1

31/10/2023, 13:47

231031-q3rb9sad36 1

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.ps1
Size

351B
MD5

020b64c77751bf39ac87056235310827
SHA1

57fce2282987f8864085c1220094f63b1b74af2a
SHA256

5d7da2e714b49bb444fba61118db5762657c42590eceff66a890f238c039269f
SHA512

15546845dec53569ee3678af33edc0076954300d880207f8bebf6ca3ba611d41c293d90e7cbcbb7c1f6cacea00aa89adc7b67d6d5c34e83fb972b7882ff4ba42

Score

1^/10

Malware Config

Signatures

Runs ping.exe 1 TTPs 23 IoCs

Remote System Discovery

T1018

pid	Process
2484	PING.EXE
2116	PING.EXE
1388	PING.EXE
3036	PING.EXE
1048	PING.EXE
2076	PING.EXE
2748	PING.EXE
2640	PING.EXE
2836	PING.EXE
2840	PING.EXE
2912	PING.EXE
2892	PING.EXE
3068	PING.EXE
1508	PING.EXE
2228	PING.EXE
2780	PING.EXE
2728	PING.EXE
2608	PING.EXE
2868	PING.EXE
2708	PING.EXE
2784	PING.EXE
3024	PING.EXE
1956	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2432	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 1048	2432	powershell.exe	29
PID 2432 wrote to memory of 1048	2432	powershell.exe	29
PID 2432 wrote to memory of 1048	2432	powershell.exe	29
PID 2432 wrote to memory of 2076	2432	powershell.exe	30
PID 2432 wrote to memory of 2076	2432	powershell.exe	30
PID 2432 wrote to memory of 2076	2432	powershell.exe	30
PID 2432 wrote to memory of 2228	2432	powershell.exe	31
PID 2432 wrote to memory of 2228	2432	powershell.exe	31
PID 2432 wrote to memory of 2228	2432	powershell.exe	31
PID 2432 wrote to memory of 2748	2432	powershell.exe	32
PID 2432 wrote to memory of 2748	2432	powershell.exe	32
PID 2432 wrote to memory of 2748	2432	powershell.exe	32
PID 2432 wrote to memory of 2708	2432	powershell.exe	33
PID 2432 wrote to memory of 2708	2432	powershell.exe	33
PID 2432 wrote to memory of 2708	2432	powershell.exe	33
PID 2432 wrote to memory of 2640	2432	powershell.exe	34
PID 2432 wrote to memory of 2640	2432	powershell.exe	34
PID 2432 wrote to memory of 2640	2432	powershell.exe	34
PID 2432 wrote to memory of 2784	2432	powershell.exe	35
PID 2432 wrote to memory of 2784	2432	powershell.exe	35
PID 2432 wrote to memory of 2784	2432	powershell.exe	35
PID 2432 wrote to memory of 2912	2432	powershell.exe	36
PID 2432 wrote to memory of 2912	2432	powershell.exe	36
PID 2432 wrote to memory of 2912	2432	powershell.exe	36
PID 2432 wrote to memory of 2780	2432	powershell.exe	37
PID 2432 wrote to memory of 2780	2432	powershell.exe	37
PID 2432 wrote to memory of 2780	2432	powershell.exe	37
PID 2432 wrote to memory of 2728	2432	powershell.exe	38
PID 2432 wrote to memory of 2728	2432	powershell.exe	38
PID 2432 wrote to memory of 2728	2432	powershell.exe	38
PID 2432 wrote to memory of 2892	2432	powershell.exe	39
PID 2432 wrote to memory of 2892	2432	powershell.exe	39
PID 2432 wrote to memory of 2892	2432	powershell.exe	39
PID 2432 wrote to memory of 3068	2432	powershell.exe	40
PID 2432 wrote to memory of 3068	2432	powershell.exe	40
PID 2432 wrote to memory of 3068	2432	powershell.exe	40
PID 2432 wrote to memory of 2484	2432	powershell.exe	41
PID 2432 wrote to memory of 2484	2432	powershell.exe	41
PID 2432 wrote to memory of 2484	2432	powershell.exe	41
PID 2432 wrote to memory of 2116	2432	powershell.exe	44
PID 2432 wrote to memory of 2116	2432	powershell.exe	44
PID 2432 wrote to memory of 2116	2432	powershell.exe	44
PID 2432 wrote to memory of 1388	2432	powershell.exe	45
PID 2432 wrote to memory of 1388	2432	powershell.exe	45
PID 2432 wrote to memory of 1388	2432	powershell.exe	45
PID 2432 wrote to memory of 3024	2432	powershell.exe	46
PID 2432 wrote to memory of 3024	2432	powershell.exe	46
PID 2432 wrote to memory of 3024	2432	powershell.exe	46
PID 2432 wrote to memory of 3036	2432	powershell.exe	47
PID 2432 wrote to memory of 3036	2432	powershell.exe	47
PID 2432 wrote to memory of 3036	2432	powershell.exe	47
PID 2432 wrote to memory of 1956	2432	powershell.exe	48
PID 2432 wrote to memory of 1956	2432	powershell.exe	48
PID 2432 wrote to memory of 1956	2432	powershell.exe	48
PID 2432 wrote to memory of 1508	2432	powershell.exe	49
PID 2432 wrote to memory of 1508	2432	powershell.exe	49
PID 2432 wrote to memory of 1508	2432	powershell.exe	49
PID 2432 wrote to memory of 2836	2432	powershell.exe	50
PID 2432 wrote to memory of 2836	2432	powershell.exe	50
PID 2432 wrote to memory of 2836	2432	powershell.exe	50
PID 2432 wrote to memory of 2608	2432	powershell.exe	51
PID 2432 wrote to memory of 2608	2432	powershell.exe	51
PID 2432 wrote to memory of 2608	2432	powershell.exe	51
PID 2432 wrote to memory of 2840	2432	powershell.exe	52

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:1048
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2076
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.gov
  2⤵
  - Runs ping.exe
  PID:2228
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" bfo.guv
  2⤵
  - Runs ping.exe
  PID:2748
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.gov
  2⤵
  - Runs ping.exe
  PID:2708
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi gu
  2⤵
  - Runs ping.exe
  PID:2640
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2784
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2912
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbilgiv
  2⤵
  - Runs ping.exe
  PID:2780
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.cov
  2⤵
  - Runs ping.exe
  PID:2728
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2892
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:3068
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2484
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2116
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:1388
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.giv
  2⤵
  - Runs ping.exe
  PID:3024
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:3036
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:1956
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbo.guv
  2⤵
  - Runs ping.exe
  PID:1508
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2836
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2608
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2840
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2432-4-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/2432-6-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/2432-5-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2432-7-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/2432-8-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2432-9-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2432-10-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2432-11-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2432-12-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download
memory/2432-13-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2432-14-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2432-15-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2432-16-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2432-18-0x000007FEF5E50000-0x000007FEF67ED000-memory.dmp

Filesize
9.6MB

Download