5d7da2e714b49bb444fba61118db5762657c42590eceff66a890f238c039269f

Resubmissions

31/10/2023, 14:07

231031-re37labd66 1

31/10/2023, 14:02

231031-rcf92shb8s 1

31/10/2023, 13:59

231031-rahebsha3x 1

31/10/2023, 13:47

231031-q3rb9sad36 1

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.ps1
Size

351B
MD5

020b64c77751bf39ac87056235310827
SHA1

57fce2282987f8864085c1220094f63b1b74af2a
SHA256

5d7da2e714b49bb444fba61118db5762657c42590eceff66a890f238c039269f
SHA512

15546845dec53569ee3678af33edc0076954300d880207f8bebf6ca3ba611d41c293d90e7cbcbb7c1f6cacea00aa89adc7b67d6d5c34e83fb972b7882ff4ba42

Score

1^/10

Malware Config

Signatures

Runs ping.exe 1 TTPs 23 IoCs

Remote System Discovery

T1018

pid	Process
4996	PING.EXE
4884	PING.EXE
5004	PING.EXE
1956	PING.EXE
4908	PING.EXE
4608	PING.EXE
4480	PING.EXE
4020	PING.EXE
1184	PING.EXE
4344	PING.EXE
4808	PING.EXE
4356	PING.EXE
2828	PING.EXE
1036	PING.EXE
1952	PING.EXE
3444	PING.EXE
4520	PING.EXE
720	PING.EXE
3060	PING.EXE
3776	PING.EXE
1544	PING.EXE
4792	PING.EXE
2220	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1432	powershell.exe
1432	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	powershell.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 1036	1432	powershell.exe	86
PID 1432 wrote to memory of 1036	1432	powershell.exe	86
PID 1432 wrote to memory of 5004	1432	powershell.exe	87
PID 1432 wrote to memory of 5004	1432	powershell.exe	87
PID 1432 wrote to memory of 1956	1432	powershell.exe	88
PID 1432 wrote to memory of 1956	1432	powershell.exe	88
PID 1432 wrote to memory of 4480	1432	powershell.exe	94
PID 1432 wrote to memory of 4480	1432	powershell.exe	94
PID 1432 wrote to memory of 4908	1432	powershell.exe	95
PID 1432 wrote to memory of 4908	1432	powershell.exe	95
PID 1432 wrote to memory of 4020	1432	powershell.exe	96
PID 1432 wrote to memory of 4020	1432	powershell.exe	96
PID 1432 wrote to memory of 1544	1432	powershell.exe	97
PID 1432 wrote to memory of 1544	1432	powershell.exe	97
PID 1432 wrote to memory of 4792	1432	powershell.exe	98
PID 1432 wrote to memory of 4792	1432	powershell.exe	98
PID 1432 wrote to memory of 1184	1432	powershell.exe	99
PID 1432 wrote to memory of 1184	1432	powershell.exe	99
PID 1432 wrote to memory of 4996	1432	powershell.exe	100
PID 1432 wrote to memory of 4996	1432	powershell.exe	100
PID 1432 wrote to memory of 1952	1432	powershell.exe	101
PID 1432 wrote to memory of 1952	1432	powershell.exe	101
PID 1432 wrote to memory of 2220	1432	powershell.exe	102
PID 1432 wrote to memory of 2220	1432	powershell.exe	102
PID 1432 wrote to memory of 3444	1432	powershell.exe	103
PID 1432 wrote to memory of 3444	1432	powershell.exe	103
PID 1432 wrote to memory of 4344	1432	powershell.exe	104
PID 1432 wrote to memory of 4344	1432	powershell.exe	104
PID 1432 wrote to memory of 4520	1432	powershell.exe	105
PID 1432 wrote to memory of 4520	1432	powershell.exe	105
PID 1432 wrote to memory of 4808	1432	powershell.exe	106
PID 1432 wrote to memory of 4808	1432	powershell.exe	106
PID 1432 wrote to memory of 720	1432	powershell.exe	107
PID 1432 wrote to memory of 720	1432	powershell.exe	107
PID 1432 wrote to memory of 4608	1432	powershell.exe	108
PID 1432 wrote to memory of 4608	1432	powershell.exe	108
PID 1432 wrote to memory of 4356	1432	powershell.exe	109
PID 1432 wrote to memory of 4356	1432	powershell.exe	109
PID 1432 wrote to memory of 2828	1432	powershell.exe	110
PID 1432 wrote to memory of 2828	1432	powershell.exe	110
PID 1432 wrote to memory of 4884	1432	powershell.exe	111
PID 1432 wrote to memory of 4884	1432	powershell.exe	111
PID 1432 wrote to memory of 3060	1432	powershell.exe	112
PID 1432 wrote to memory of 3060	1432	powershell.exe	112
PID 1432 wrote to memory of 3776	1432	powershell.exe	113
PID 1432 wrote to memory of 3776	1432	powershell.exe	113

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:1036
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:5004
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.gov
  2⤵
  - Runs ping.exe
  PID:1956
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" bfo.guv
  2⤵
  - Runs ping.exe
  PID:4480
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.gov
  2⤵
  - Runs ping.exe
  PID:4908
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi,gu
  2⤵
  - Runs ping.exe
  PID:4020
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:1544
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:4792
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbilgiv
  2⤵
  - Runs ping.exe
  PID:1184
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.cov
  2⤵
  - Runs ping.exe
  PID:4996
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:1952
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2220
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:3444
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:4344
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:4520
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.giv
  2⤵
  - Runs ping.exe
  PID:4808
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:720
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:4608
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbo.guv
  2⤵
  - Runs ping.exe
  PID:4356
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2828
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:4884
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:3060
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:3776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1jrmmi4u.4wh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1432-3-0x000001B9E9860000-0x000001B9E9882000-memory.dmp

Filesize
136KB

Download
memory/1432-10-0x00007FFEFD020000-0x00007FFEFDAE1000-memory.dmp

Filesize
10.8MB

Download
memory/1432-11-0x000001B9CF0B0000-0x000001B9CF0C0000-memory.dmp

Filesize
64KB

Download
memory/1432-12-0x000001B9CF0B0000-0x000001B9CF0C0000-memory.dmp

Filesize
64KB

Download
memory/1432-13-0x000001B9CF0B0000-0x000001B9CF0C0000-memory.dmp

Filesize
64KB

Download
memory/1432-14-0x00007FFEFD020000-0x00007FFEFDAE1000-memory.dmp

Filesize
10.8MB

Download
memory/1432-15-0x000001B9CF0B0000-0x000001B9CF0C0000-memory.dmp

Filesize
64KB

Download
memory/1432-16-0x000001B9CF0B0000-0x000001B9CF0C0000-memory.dmp

Filesize
64KB

Download
memory/1432-17-0x000001B9CF0B0000-0x000001B9CF0C0000-memory.dmp

Filesize
64KB

Download
memory/1432-20-0x00007FFEFD020000-0x00007FFEFDAE1000-memory.dmp

Filesize
10.8MB

Download