5d7da2e714b49bb444fba61118db5762657c42590eceff66a890f238c039269f

Resubmissions

31/10/2023, 14:07

231031-re37labd66 1

31/10/2023, 14:02

231031-rcf92shb8s 1

31/10/2023, 13:59

231031-rahebsha3x 1

31/10/2023, 13:47

231031-q3rb9sad36 1

Analysis

max time kernel
839s
max time network
843s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.ps1
Size

351B
MD5

020b64c77751bf39ac87056235310827
SHA1

57fce2282987f8864085c1220094f63b1b74af2a
SHA256

5d7da2e714b49bb444fba61118db5762657c42590eceff66a890f238c039269f
SHA512

15546845dec53569ee3678af33edc0076954300d880207f8bebf6ca3ba611d41c293d90e7cbcbb7c1f6cacea00aa89adc7b67d6d5c34e83fb972b7882ff4ba42

Score

1^/10

Malware Config

Signatures

Runs ping.exe 1 TTPs 23 IoCs

Remote System Discovery

T1018

pid	Process
2944	PING.EXE
2968	PING.EXE
2816	PING.EXE
2720	PING.EXE
3028	PING.EXE
2592	PING.EXE
2608	PING.EXE
2660	PING.EXE
2696	PING.EXE
2784	PING.EXE
2700	PING.EXE
2576	PING.EXE
2996	PING.EXE
2628	PING.EXE
1088	PING.EXE
3008	PING.EXE
2416	PING.EXE
2952	PING.EXE
2760	PING.EXE
3012	PING.EXE
2732	PING.EXE
1940	PING.EXE
2652	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2512	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2760	2512	powershell.exe	29
PID 2512 wrote to memory of 2760	2512	powershell.exe	29
PID 2512 wrote to memory of 2760	2512	powershell.exe	29
PID 2512 wrote to memory of 2816	2512	powershell.exe	30
PID 2512 wrote to memory of 2816	2512	powershell.exe	30
PID 2512 wrote to memory of 2816	2512	powershell.exe	30
PID 2512 wrote to memory of 2720	2512	powershell.exe	31
PID 2512 wrote to memory of 2720	2512	powershell.exe	31
PID 2512 wrote to memory of 2720	2512	powershell.exe	31
PID 2512 wrote to memory of 2696	2512	powershell.exe	32
PID 2512 wrote to memory of 2696	2512	powershell.exe	32
PID 2512 wrote to memory of 2696	2512	powershell.exe	32
PID 2512 wrote to memory of 3028	2512	powershell.exe	33
PID 2512 wrote to memory of 3028	2512	powershell.exe	33
PID 2512 wrote to memory of 3028	2512	powershell.exe	33
PID 2512 wrote to memory of 2592	2512	powershell.exe	34
PID 2512 wrote to memory of 2592	2512	powershell.exe	34
PID 2512 wrote to memory of 2592	2512	powershell.exe	34
PID 2512 wrote to memory of 2784	2512	powershell.exe	35
PID 2512 wrote to memory of 2784	2512	powershell.exe	35
PID 2512 wrote to memory of 2784	2512	powershell.exe	35
PID 2512 wrote to memory of 3012	2512	powershell.exe	36
PID 2512 wrote to memory of 3012	2512	powershell.exe	36
PID 2512 wrote to memory of 3012	2512	powershell.exe	36
PID 2512 wrote to memory of 2700	2512	powershell.exe	37
PID 2512 wrote to memory of 2700	2512	powershell.exe	37
PID 2512 wrote to memory of 2700	2512	powershell.exe	37
PID 2512 wrote to memory of 2732	2512	powershell.exe	38
PID 2512 wrote to memory of 2732	2512	powershell.exe	38
PID 2512 wrote to memory of 2732	2512	powershell.exe	38
PID 2512 wrote to memory of 1940	2512	powershell.exe	39
PID 2512 wrote to memory of 1940	2512	powershell.exe	39
PID 2512 wrote to memory of 1940	2512	powershell.exe	39
PID 2512 wrote to memory of 2576	2512	powershell.exe	40
PID 2512 wrote to memory of 2576	2512	powershell.exe	40
PID 2512 wrote to memory of 2576	2512	powershell.exe	40
PID 2512 wrote to memory of 2608	2512	powershell.exe	41
PID 2512 wrote to memory of 2608	2512	powershell.exe	41
PID 2512 wrote to memory of 2608	2512	powershell.exe	41
PID 2512 wrote to memory of 2628	2512	powershell.exe	42
PID 2512 wrote to memory of 2628	2512	powershell.exe	42
PID 2512 wrote to memory of 2628	2512	powershell.exe	42
PID 2512 wrote to memory of 1088	2512	powershell.exe	43
PID 2512 wrote to memory of 1088	2512	powershell.exe	43
PID 2512 wrote to memory of 1088	2512	powershell.exe	43
PID 2512 wrote to memory of 2944	2512	powershell.exe	46
PID 2512 wrote to memory of 2944	2512	powershell.exe	46
PID 2512 wrote to memory of 2944	2512	powershell.exe	46
PID 2512 wrote to memory of 2652	2512	powershell.exe	47
PID 2512 wrote to memory of 2652	2512	powershell.exe	47
PID 2512 wrote to memory of 2652	2512	powershell.exe	47
PID 2512 wrote to memory of 2996	2512	powershell.exe	48
PID 2512 wrote to memory of 2996	2512	powershell.exe	48
PID 2512 wrote to memory of 2996	2512	powershell.exe	48
PID 2512 wrote to memory of 2968	2512	powershell.exe	49
PID 2512 wrote to memory of 2968	2512	powershell.exe	49
PID 2512 wrote to memory of 2968	2512	powershell.exe	49
PID 2512 wrote to memory of 2952	2512	powershell.exe	50
PID 2512 wrote to memory of 2952	2512	powershell.exe	50
PID 2512 wrote to memory of 2952	2512	powershell.exe	50
PID 2512 wrote to memory of 3008	2512	powershell.exe	51
PID 2512 wrote to memory of 3008	2512	powershell.exe	51
PID 2512 wrote to memory of 3008	2512	powershell.exe	51
PID 2512 wrote to memory of 2416	2512	powershell.exe	52

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\run.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2760
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2816
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.gov
  2⤵
  - Runs ping.exe
  PID:2720
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" bfo.guv
  2⤵
  - Runs ping.exe
  PID:2696
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.gov
  2⤵
  - Runs ping.exe
  PID:3028
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi gu
  2⤵
  - Runs ping.exe
  PID:2592
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2784
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:3012
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbilgiv
  2⤵
  - Runs ping.exe
  PID:2700
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.cov
  2⤵
  - Runs ping.exe
  PID:2732
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:1940
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2576
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2608
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2628
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:1088
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.giv
  2⤵
  - Runs ping.exe
  PID:2944
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2652
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2996
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbo.guv
  2⤵
  - Runs ping.exe
  PID:2968
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2952
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:3008
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2416
- C:\Windows\system32\PING.EXE
  "C:\Windows\system32\PING.EXE" fbi.guv
  2⤵
  - Runs ping.exe
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2512-4-0x000000001B140000-0x000000001B422000-memory.dmp

Filesize
2.9MB

Download
memory/2512-5-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/2512-6-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/2512-7-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/2512-8-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2512-9-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2512-10-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2512-11-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2512-12-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download
memory/2512-13-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2512-14-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2512-15-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2512-16-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2512-18-0x000007FEF58F0000-0x000007FEF628D000-memory.dmp

Filesize
9.6MB

Download