7d91a26a17888f1c9e9ebac3b1f215bee1ababc4d54821f75c30d450e897449f

General

Target

target.ps1
Size

170B
MD5

8a5cd2b3c4f1010a0d2d1262c7b29a78
SHA1

a3fabce7154e66bdce25f921db0bbe286974d0d8
SHA256

7d91a26a17888f1c9e9ebac3b1f215bee1ababc4d54821f75c30d450e897449f
SHA512

1252a3158091520597800f90938566c2193451a28d1856ab5c28123d0c8f28aab2f39512bc22df090396578ae867486d00a4fa7aee12c418bde6c1d5a795f929

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	4400	powershell.exe
69	1528	powershell.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3900	NETSTAT.EXE
2300	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4400	powershell.exe
4400	powershell.exe
5056	powershell.exe
5056	powershell.exe
2036	powershell.exe
2036	powershell.exe
1528	powershell.exe
1528	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	3900	NETSTAT.EXE
Token: SeDebugPrivilege	2300	NETSTAT.EXE
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 3900	5116	cmd.exe	102
PID 5116 wrote to memory of 3900	5116	cmd.exe	102
PID 5116 wrote to memory of 2300	5116	cmd.exe	103
PID 5116 wrote to memory of 2300	5116	cmd.exe	103
PID 5116 wrote to memory of 5056	5116	cmd.exe	104
PID 5116 wrote to memory of 5056	5116	cmd.exe	104
PID 5116 wrote to memory of 2036	5116	cmd.exe	105
PID 5116 wrote to memory of 2036	5116	cmd.exe	105
PID 5116 wrote to memory of 1528	5116	cmd.exe	106
PID 5116 wrote to memory of 1528	5116	cmd.exe	106

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\target.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\system32\NETSTAT.EXE
  netstat -ano
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:3900
- C:\Windows\system32\NETSTAT.EXE
  netstat -ano
  2⤵
  - Gathers network information
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell target.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -File target.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ep bypass -nop -File target.ps1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
43f4bec966ab901ac034fc136a642fa5

SHA1
8e7227cefec8b05c9a79b2751d1261187b9c0422

SHA256
09ea65cf68920d08638db30c86eb3c90254b9b2d9f73246bc0176c86ce687ae4

SHA512
a65a2fe6acf4cb0dae8361af3e42e35c6bfaa93859e744a7779630d785a56bb030161c92a74b88a223769fdb912911146a762cf6a8afe33642e2695ea08ceec0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
69cf03972459f5dde97823cd6b539e36

SHA1
2077a422cf983f5796bd270fe3a60d48e325163f

SHA256
aad3eab0f96ae69fc65aae94366ff4446e69139a2d71232988e7abf368a86089

SHA512
0875a6c66d7452f95d9bea6aac8d8a450c3ac05a88ad6bfd9418f77bf3977a896a787d1b98fb7b48402c4421d70f9e9fc578a8ccc88ae0cf1e56a60b3cc9c108

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5afb2e6ea0396df69c8d082b7c0111b5

SHA1
ed3fe21a7591d295581a3270c0804e88ac9d3fde

SHA256
0cdd39b0d1adb03a8262ac587582c571c02a4c0d4767fe2094150d33eb1946b4

SHA512
d58837e7782e157189e3319fef42dcceaf68474d6d219b02d926580617ec10efd5b77294259e539b3b298b9844318d943a5d92b6408500454d67684319df8a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fgbzwnsg.d0h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1528-61-0x00007FF9083F0000-0x00007FF908EB1000-memory.dmp

Filesize
10.8MB

Download
memory/1528-59-0x000001F5C8F30000-0x000001F5C8F40000-memory.dmp

Filesize
64KB

Download
memory/1528-58-0x00007FF9083F0000-0x00007FF908EB1000-memory.dmp

Filesize
10.8MB

Download
memory/1528-56-0x00007FF9083F0000-0x00007FF908EB1000-memory.dmp

Filesize
10.8MB

Download
memory/2036-38-0x00007FF9083F0000-0x00007FF908EB1000-memory.dmp

Filesize
10.8MB

Download
memory/2036-46-0x00007FF9083F0000-0x00007FF908EB1000-memory.dmp

Filesize
10.8MB

Download
memory/2036-44-0x00000227AE490000-0x00000227AE4A0000-memory.dmp

Filesize
64KB

Download
memory/4400-13-0x00000185CBEC0000-0x00000185CBED0000-memory.dmp

Filesize
64KB

Download
memory/4400-16-0x00007FF908E40000-0x00007FF909901000-memory.dmp

Filesize
10.8MB

Download
memory/4400-12-0x00000185CBEC0000-0x00000185CBED0000-memory.dmp

Filesize
64KB

Download
memory/4400-11-0x00000185CBEC0000-0x00000185CBED0000-memory.dmp

Filesize
64KB

Download
memory/4400-10-0x00007FF908E40000-0x00007FF909901000-memory.dmp

Filesize
10.8MB

Download
memory/4400-5-0x00000185CE990000-0x00000185CE9B2000-memory.dmp

Filesize
136KB

Download
memory/5056-32-0x00007FF9083F0000-0x00007FF908EB1000-memory.dmp

Filesize
10.8MB

Download
memory/5056-29-0x00000211746A0000-0x00000211746B0000-memory.dmp

Filesize
64KB

Download
memory/5056-23-0x00007FF9083F0000-0x00007FF908EB1000-memory.dmp

Filesize
10.8MB

Download
memory/5056-24-0x00000211746A0000-0x00000211746B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing