5d7da2e714b49bb444fba61118db5762657c42590eceff66a890f238c039269f

Resubmissions

31/10/2023, 14:07

231031-re37labd66 1

31/10/2023, 14:02

231031-rcf92shb8s 1

31/10/2023, 13:59

231031-rahebsha3x 1

31/10/2023, 13:47

231031-q3rb9sad36 1

Analysis

max time kernel
845s
max time network
856s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.ps1
Size

351B
MD5

020b64c77751bf39ac87056235310827
SHA1

57fce2282987f8864085c1220094f63b1b74af2a
SHA256

5d7da2e714b49bb444fba61118db5762657c42590eceff66a890f238c039269f
SHA512

15546845dec53569ee3678af33edc0076954300d880207f8bebf6ca3ba611d41c293d90e7cbcbb7c1f6cacea00aa89adc7b67d6d5c34e83fb972b7882ff4ba42

Score

1^/10

Malware Config

Signatures

Runs ping.exe 1 TTPs 23 IoCs

Remote System Discovery

T1018

pid	Process
2548	PING.EXE
2844	PING.EXE
2912	PING.EXE
2956	PING.EXE
2732	PING.EXE
2472	PING.EXE
108	PING.EXE
2680	PING.EXE
668	PING.EXE
3032	PING.EXE
2772	PING.EXE
2500	PING.EXE
2400	PING.EXE
2736	PING.EXE
1772	PING.EXE
2056	PING.EXE
2860	PING.EXE
2704	PING.EXE
584	PING.EXE
2920	PING.EXE
2148	PING.EXE
2816	PING.EXE
2812	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2176	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2772	2176	powershell.exe	29
PID 2176 wrote to memory of 2772	2176	powershell.exe	29
PID 2176 wrote to memory of 2772	2176	powershell.exe	29
PID 2176 wrote to memory of 2956	2176	powershell.exe	30
PID 2176 wrote to memory of 2956	2176	powershell.exe	30
PID 2176 wrote to memory of 2956	2176	powershell.exe	30
PID 2176 wrote to memory of 2500	2176	powershell.exe	31
PID 2176 wrote to memory of 2500	2176	powershell.exe	31
PID 2176 wrote to memory of 2500	2176	powershell.exe	31
PID 2176 wrote to memory of 2400	2176	powershell.exe	32
PID 2176 wrote to memory of 2400	2176	powershell.exe	32
PID 2176 wrote to memory of 2400	2176	powershell.exe	32
PID 2176 wrote to memory of 2860	2176	powershell.exe	33
PID 2176 wrote to memory of 2860	2176	powershell.exe	33
PID 2176 wrote to memory of 2860	2176	powershell.exe	33
PID 2176 wrote to memory of 2704	2176	powershell.exe	34
PID 2176 wrote to memory of 2704	2176	powershell.exe	34
PID 2176 wrote to memory of 2704	2176	powershell.exe	34
PID 2176 wrote to memory of 2732	2176	powershell.exe	35
PID 2176 wrote to memory of 2732	2176	powershell.exe	35
PID 2176 wrote to memory of 2732	2176	powershell.exe	35
PID 2176 wrote to memory of 2736	2176	powershell.exe	36
PID 2176 wrote to memory of 2736	2176	powershell.exe	36
PID 2176 wrote to memory of 2736	2176	powershell.exe	36
PID 2176 wrote to memory of 2680	2176	powershell.exe	37
PID 2176 wrote to memory of 2680	2176	powershell.exe	37
PID 2176 wrote to memory of 2680	2176	powershell.exe	37
PID 2176 wrote to memory of 2472	2176	powershell.exe	40
PID 2176 wrote to memory of 2472	2176	powershell.exe	40
PID 2176 wrote to memory of 2472	2176	powershell.exe	40
PID 2176 wrote to memory of 108	2176	powershell.exe	41
PID 2176 wrote to memory of 108	2176	powershell.exe	41
PID 2176 wrote to memory of 108	2176	powershell.exe	41
PID 2176 wrote to memory of 2548	2176	powershell.exe	42
PID 2176 wrote to memory of 2548	2176	powershell.exe	42
PID 2176 wrote to memory of 2548	2176	powershell.exe	42
PID 2176 wrote to memory of 2148	2176	powershell.exe	43
PID 2176 wrote to memory of 2148	2176	powershell.exe	43
PID 2176 wrote to memory of 2148	2176	powershell.exe	43
PID 2176 wrote to memory of 584	2176	powershell.exe	44
PID 2176 wrote to memory of 584	2176	powershell.exe	44
PID 2176 wrote to memory of 584	2176	powershell.exe	44
PID 2176 wrote to memory of 668	2176	powershell.exe	45
PID 2176 wrote to memory of 668	2176	powershell.exe	45
PID 2176 wrote to memory of 668	2176	powershell.exe	45
PID 2176 wrote to memory of 2816	2176	powershell.exe	46
PID 2176 wrote to memory of 2816	2176	powershell.exe	46
PID 2176 wrote to memory of 2816	2176	powershell.exe	46
PID 2176 wrote to memory of 2844	2176	powershell.exe	47
PID 2176 wrote to memory of 2844	2176	powershell.exe	47
PID 2176 wrote to memory of 2844	2176	powershell.exe	47
PID 2176 wrote to memory of 2812	2176	powershell.exe	48
PID 2176 wrote to memory of 2812	2176	powershell.exe	48
PID 2176 wrote to memory of 2812	2176	powershell.exe	48
PID 2176 wrote to memory of 2912	2176	powershell.exe	49
PID 2176 wrote to memory of 2912	2176	powershell.exe	49
PID 2176 wrote to memory of 2912	2176	powershell.exe	49
PID 2176 wrote to memory of 2920	2176	powershell.exe	50
PID 2176 wrote to memory of 2920	2176	powershell.exe	50
PID 2176 wrote to memory of 2920	2176	powershell.exe	50
PID 2176 wrote to memory of 3032	2176	powershell.exe	51
PID 2176 wrote to memory of 3032	2176	powershell.exe	51
PID 2176 wrote to memory of 3032	2176	powershell.exe	51
PID 2176 wrote to memory of 1772	2176	powershell.exe	52

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2772
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2956
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.gov
  2⤵
  - Runs ping.exe
  PID:2500
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" bfo.guv
  2⤵
  - Runs ping.exe
  PID:2400
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.gov
  2⤵
  - Runs ping.exe
  PID:2860
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi gu
  2⤵
  - Runs ping.exe
  PID:2704
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2732
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2736
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbilgiv
  2⤵
  - Runs ping.exe
  PID:2680
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.cov
  2⤵
  - Runs ping.exe
  PID:2472
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:108
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2548
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2148
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:584
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:668
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.giv
  2⤵
  - Runs ping.exe
  PID:2816
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2844
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2812
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbo.guv
  2⤵
  - Runs ping.exe
  PID:2912
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2920
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:3032
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:1772
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2176-4-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download
memory/2176-5-0x00000000023F0000-0x00000000023F8000-memory.dmp

Filesize
32KB

Download
memory/2176-6-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp

Filesize
9.6MB

Download
memory/2176-7-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/2176-8-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/2176-9-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/2176-10-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp

Filesize
9.6MB

Download
memory/2176-11-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp

Filesize
9.6MB

Download
memory/2176-12-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/2176-13-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/2176-14-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/2176-15-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/2176-16-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp

Filesize
9.6MB

Download
memory/2176-18-0x000007FEF5A50000-0x000007FEF63ED000-memory.dmp

Filesize
9.6MB

Download