91d5b515b82fc61a6fcc7d433a1fd2434d2d9ff0dbb4da9a25fb972ac700ac3a

General

Target

4f2d5a27ee6f339e33372d35bf04de8a.ps1
Size

3KB
MD5

4f2d5a27ee6f339e33372d35bf04de8a
SHA1

9d88b8709f59d498896651e002961c931d74735c
SHA256

91d5b515b82fc61a6fcc7d433a1fd2434d2d9ff0dbb4da9a25fb972ac700ac3a
SHA512

cdb3b9d0fe5f911570bc1969c4c8b3981132e92b517c336165bddd0622b06f1a62725a5bed34a434776351000f8c61ce9458b22327fd9d94267527a03ecc5c18

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2220	powershell.exe
4	2220	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
1788	powershell.exe
1464	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2604	2220	powershell.exe	29
PID 2220 wrote to memory of 2604	2220	powershell.exe	29
PID 2220 wrote to memory of 2604	2220	powershell.exe	29
PID 2220 wrote to memory of 2556	2220	powershell.exe	30
PID 2220 wrote to memory of 2556	2220	powershell.exe	30
PID 2220 wrote to memory of 2556	2220	powershell.exe	30
PID 2556 wrote to memory of 1088	2556	WScript.exe	33
PID 2556 wrote to memory of 1088	2556	WScript.exe	33
PID 2556 wrote to memory of 1088	2556	WScript.exe	33
PID 2604 wrote to memory of 1152	2604	WScript.exe	34
PID 2604 wrote to memory of 1152	2604	WScript.exe	34
PID 2604 wrote to memory of 1152	2604	WScript.exe	34
PID 1088 wrote to memory of 1464	1088	cmd.exe	37
PID 1088 wrote to memory of 1464	1088	cmd.exe	37
PID 1088 wrote to memory of 1464	1088	cmd.exe	37
PID 1152 wrote to memory of 1788	1152	cmd.exe	38
PID 1152 wrote to memory of 1788	1152	cmd.exe	38
PID 1152 wrote to memory of 1788	1152	cmd.exe	38

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\4f2d5a27ee6f339e33372d35bf04de8a.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\Edge.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Users\Public\Edge.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass C:\Users\Public\AMD.ps1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1788
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\Edge.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Users\Public\Edge.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass C:\Users\Public\AMD.ps1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsHost\Edge.vbs

Filesize
124B

MD5
51cffaf3df84eb2348751c3920cb7a76

SHA1
122090b7a22c2ee5006741b222561e8eb15807d7

SHA256
c1a5626457e52ee4e77a8ff4a7fa4d9bcdf689086d23392dfd94e0eea17e0f48

SHA512
0016a6fa19d73778ec5b107e1e06b573d32646d811add9d5eeb249fe3160ed709f0e268da8206fadb39bfdfe238dde0ebf033619c127b66e669629b4f94c0dc9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d95f7e62f388349efbf4240fa143de0f

SHA1
a5f0b9067edd20855970e70f01ca88291b300969

SHA256
90f24316ac13b85936ef6ce06a24cbc9236161e281c6f3a522f821919e307ad9

SHA512
870c46c617f290b10f3689196c4c2cbb8fc4dd2c3bdbd9c9eddc02c1e3221f5a4b3ae4dee96437829beba06b618712e9ba0edeabf5812918a8bfa7c9d5f2cca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f33b25296ddf63f551d918cfe8c4b963

SHA1
b1125f2669aa77228ddc1c25bf5ea1a910f6c2b2

SHA256
932b9c9a59d4724ae75fc2fcc571413b4eaa3744dca7fcf21a61a62b80a61e81

SHA512
59045d505951f809eb130fbddb955303976afcef9903907021a5587ec5bc992883678f8c840f039d72d0dfb0e224ee2d77b8d3963d26ca97c7c2238815b40dff

Download Submit
C:\Users\Public\Edge.bat

Filesize
70B

MD5
d7f1eb31327c84153a157d95696feacb

SHA1
00680d8bc496cf42b1d4bd5ea96f4798b49979ff

SHA256
7b7f08a0ce390f51db256ea9aa7f886d96bd1f884fc07a4302c6863096ef8500

SHA512
ec6c36d7ba69060186a4177132a5fe4f438ffed10640b9501d1adba859029662489214ff0f09e44f5e43474c94708217d1fb0fb85d76726fff1944cf592aa757

Download Submit
memory/1464-55-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1464-68-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1464-67-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1464-66-0x000007FEF4930000-0x000007FEF52CD000-memory.dmp

Filesize
9.6MB

Download
memory/1464-63-0x000007FEF4930000-0x000007FEF52CD000-memory.dmp

Filesize
9.6MB

Download
memory/1464-62-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1464-52-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/1464-56-0x00000000024D0000-0x0000000002550000-memory.dmp

Filesize
512KB

Download
memory/1464-54-0x000007FEF4930000-0x000007FEF52CD000-memory.dmp

Filesize
9.6MB

Download
memory/1788-60-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/1788-57-0x000007FEF4930000-0x000007FEF52CD000-memory.dmp

Filesize
9.6MB

Download
memory/1788-64-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/1788-65-0x000007FEF4930000-0x000007FEF52CD000-memory.dmp

Filesize
9.6MB

Download
memory/1788-61-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/1788-59-0x000007FEF4930000-0x000007FEF52CD000-memory.dmp

Filesize
9.6MB

Download
memory/1788-53-0x00000000023F0000-0x00000000023F8000-memory.dmp

Filesize
32KB

Download
memory/1788-58-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/2220-27-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-11-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2220-28-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2220-37-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2220-30-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2220-8-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-29-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2220-4-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

Filesize
2.9MB

Download
memory/2220-31-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2220-7-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2220-6-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-10-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2220-5-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/2220-38-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-9-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing