1981f33487cf5b907de5ed1d44ccd5f0664248b54ed99d7f526cd67ff0b43d2a

General

Target

file.ps1
Size

19B
MD5

d297f8427954b956e7676e1df8ac5c5d
SHA1

92efbb85acdb95ce97848cd39eb642ee9ed30176
SHA256

1981f33487cf5b907de5ed1d44ccd5f0664248b54ed99d7f526cd67ff0b43d2a
SHA512

efb5ae08929d5bf9e175212ff2aae3c91b9f11f8698a752c685a574e84925c2aad02536b6ba3de367f144905c30693f60babd8f3415e22990e30ab6747ea7141

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe
File created	C:\Windows\System32\LogonUI.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2908	powershell.exe
2908	powershell.exe
2908	powershell.exe
912	powershell.exe
912	powershell.exe
912	powershell.exe
2396	PowerShell.exe
2396	PowerShell.exe
2396	PowerShell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	2396	PowerShell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 4088	4040	cmd.exe	90
PID 4040 wrote to memory of 4088	4040	cmd.exe	90
PID 4040 wrote to memory of 5088	4040	cmd.exe	91
PID 4040 wrote to memory of 5088	4040	cmd.exe	91

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4616

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Windows'
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" start cmd.exe /k @echo a 1>C:\Windows"
  2⤵
  PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo a 1>C:\Windows"
  2⤵
  PID:5088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
c6b0a774fa56e0169ed7bb7b25c114dd

SHA1
bcdba7d4ecfff2180510850e585b44691ea81ba5

SHA256
b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

SHA512
42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
50KB

MD5
2143b379fed61ab5450bab1a751798ce

SHA1
32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e

SHA256
a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81

SHA512
0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_obhe5dvd.ywr.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Filesize
21B

MD5
05e322bed267ef3aed20d4b11cf8e807

SHA1
c1068c7a77edfdb200b285f439fc4d7d76af0da8

SHA256
e604eb19ce1b369745727491a1ec8f15f19a4ab94165d46191ca73e6edd911c2

SHA512
733776998c18c17a9b09c9907811f8725f47b0829b46ea560d94f94d1b5501d32de6250009b0b42acdd3496f7846932638fda932c3b9d7f248a87039519ec91e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
5KB

MD5
3fe60d3e64fde51cc52dedda293bd0e3

SHA1
857cc97e1028a2b0e97030f04d9bb52e584ffc3a

SHA256
c628a9f17b4809e70f55c1ae840039be6b0bc3b0a25a45d9104116a807d1d2c6

SHA512
860ac0726ff5440ba1379a753b38f1047430eef0a68fdb626452f7d2a49ddacbf3bba4d5ee686fd348d561ac05e1b67d7b7b657db97b76ad5063aac84733e1ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
e3aaf00d8d9b048dbe9bf7d38ca6edce

SHA1
f181a5b0ec2fbf405741793c51d4d5b90f2b6b08

SHA256
86ae34e729e2dad18fb1669d98252c7ef39588e1c918de4ccfa4da3d9456bca3

SHA512
41009587ceb4f6fad7f891c97e6965270b867cd98d10234d391dd87dd3dd1e15f2f35e3e14d87044d728e1a99a684088076ac0ce419a1259b619b827ff574777

Download Submit
memory/912-102-0x000001EA41660000-0x000001EA41670000-memory.dmp

Filesize
64KB

Download
memory/912-110-0x00007FF9F2D50000-0x00007FF9F373C000-memory.dmp

Filesize
9.9MB

Download
memory/912-40-0x00007FF9F2D50000-0x00007FF9F373C000-memory.dmp

Filesize
9.9MB

Download
memory/912-42-0x000001EA41660000-0x000001EA41670000-memory.dmp

Filesize
64KB

Download
memory/912-44-0x000001EA41660000-0x000001EA41670000-memory.dmp

Filesize
64KB

Download
memory/912-71-0x000001EA41850000-0x000001EA4188C000-memory.dmp

Filesize
240KB

Download
memory/912-87-0x00007FF9F2D50000-0x00007FF9F373C000-memory.dmp

Filesize
9.9MB

Download
memory/912-88-0x000001EA41660000-0x000001EA41670000-memory.dmp

Filesize
64KB

Download
memory/912-108-0x000001EA41660000-0x000001EA41670000-memory.dmp

Filesize
64KB

Download
memory/912-103-0x000001EA41660000-0x000001EA41670000-memory.dmp

Filesize
64KB

Download
memory/2396-170-0x00007FF9F2970000-0x00007FF9F335C000-memory.dmp

Filesize
9.9MB

Download
memory/2396-177-0x000001F79C350000-0x000001F79C360000-memory.dmp

Filesize
64KB

Download
memory/2396-180-0x00007FF9F2970000-0x00007FF9F335C000-memory.dmp

Filesize
9.9MB

Download
memory/2396-172-0x000001F79C350000-0x000001F79C360000-memory.dmp

Filesize
64KB

Download
memory/2396-119-0x00007FF9F2970000-0x00007FF9F335C000-memory.dmp

Filesize
9.9MB

Download
memory/2396-121-0x000001F79C350000-0x000001F79C360000-memory.dmp

Filesize
64KB

Download
memory/2396-171-0x000001F79C350000-0x000001F79C360000-memory.dmp

Filesize
64KB

Download
memory/2396-123-0x000001F79C350000-0x000001F79C360000-memory.dmp

Filesize
64KB

Download
memory/2908-34-0x00007FFA016F0000-0x00007FFA020DC000-memory.dmp

Filesize
9.9MB

Download
memory/2908-4-0x000001B8987A0000-0x000001B8987C2000-memory.dmp

Filesize
136KB

Download
memory/2908-5-0x00007FFA016F0000-0x00007FFA020DC000-memory.dmp

Filesize
9.9MB

Download
memory/2908-9-0x000001B898950000-0x000001B8989C6000-memory.dmp

Filesize
472KB

Download
memory/2908-6-0x000001B8985F0000-0x000001B898600000-memory.dmp

Filesize
64KB

Download
memory/2908-30-0x000001B8985F0000-0x000001B898600000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing