3baf5d6b62a07f1df65c685f2fffa05ebdf0cc1b198973f17b53e007cbe67bc8

Analysis

max time kernel
93s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.ps1
Size

1KB
MD5

6ed31ee3f854fd84e7bb44dba630c816
SHA1

ddae29921034683b4a0779edae464dd1fffe09eb
SHA256

3baf5d6b62a07f1df65c685f2fffa05ebdf0cc1b198973f17b53e007cbe67bc8
SHA512

c38a69066a18a885f1b4864404eb671d7f8124f0b29a884fea80035537216d1192c9f5b47d62a013af16b80c3fce7418068a6402c1bbb513913576d1f2a74bec

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	3744	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
6	raw.githubusercontent.com

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1512	sc.exe
2468	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3744	powershell.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4860	reg.exe
2796	reg.exe
4072	reg.exe
1680	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3120	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3744	powershell.exe
3744	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3744	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 4476	3744	powershell.exe	87
PID 3744 wrote to memory of 4476	3744	powershell.exe	87
PID 4476 wrote to memory of 1512	4476	cmd.exe	89
PID 4476 wrote to memory of 1512	4476	cmd.exe	89
PID 4476 wrote to memory of 5068	4476	cmd.exe	90
PID 4476 wrote to memory of 5068	4476	cmd.exe	90
PID 4476 wrote to memory of 1804	4476	cmd.exe	91
PID 4476 wrote to memory of 1804	4476	cmd.exe	91
PID 4476 wrote to memory of 2776	4476	cmd.exe	92
PID 4476 wrote to memory of 2776	4476	cmd.exe	92
PID 4476 wrote to memory of 3528	4476	cmd.exe	93
PID 4476 wrote to memory of 3528	4476	cmd.exe	93
PID 4476 wrote to memory of 4776	4476	cmd.exe	94
PID 4476 wrote to memory of 4776	4476	cmd.exe	94
PID 4476 wrote to memory of 4064	4476	cmd.exe	95
PID 4476 wrote to memory of 4064	4476	cmd.exe	95
PID 4064 wrote to memory of 2196	4064	cmd.exe	96
PID 4064 wrote to memory of 2196	4064	cmd.exe	96
PID 4064 wrote to memory of 3008	4064	cmd.exe	97
PID 4064 wrote to memory of 3008	4064	cmd.exe	97
PID 4476 wrote to memory of 4344	4476	cmd.exe	98
PID 4476 wrote to memory of 4344	4476	cmd.exe	98
PID 4476 wrote to memory of 4720	4476	cmd.exe	99
PID 4476 wrote to memory of 4720	4476	cmd.exe	99
PID 4476 wrote to memory of 4980	4476	cmd.exe	100
PID 4476 wrote to memory of 4980	4476	cmd.exe	100
PID 4476 wrote to memory of 4072	4476	cmd.exe	101
PID 4476 wrote to memory of 4072	4476	cmd.exe	101
PID 4476 wrote to memory of 2148	4476	cmd.exe	102
PID 4476 wrote to memory of 2148	4476	cmd.exe	102
PID 4476 wrote to memory of 1680	4476	cmd.exe	103
PID 4476 wrote to memory of 1680	4476	cmd.exe	103
PID 4476 wrote to memory of 2244	4476	cmd.exe	104
PID 4476 wrote to memory of 2244	4476	cmd.exe	104
PID 2244 wrote to memory of 4860	2244	cmd.exe	106
PID 2244 wrote to memory of 4860	2244	cmd.exe	106
PID 2244 wrote to memory of 2468	2244	cmd.exe	107
PID 2244 wrote to memory of 2468	2244	cmd.exe	107
PID 2244 wrote to memory of 636	2244	cmd.exe	108
PID 2244 wrote to memory of 636	2244	cmd.exe	108
PID 2244 wrote to memory of 1152	2244	cmd.exe	109
PID 2244 wrote to memory of 1152	2244	cmd.exe	109
PID 2244 wrote to memory of 4444	2244	cmd.exe	110
PID 2244 wrote to memory of 4444	2244	cmd.exe	110
PID 2244 wrote to memory of 4844	2244	cmd.exe	111
PID 2244 wrote to memory of 4844	2244	cmd.exe	111
PID 2244 wrote to memory of 396	2244	cmd.exe	112
PID 2244 wrote to memory of 396	2244	cmd.exe	112
PID 2244 wrote to memory of 1748	2244	cmd.exe	113
PID 2244 wrote to memory of 1748	2244	cmd.exe	113
PID 2244 wrote to memory of 4544	2244	cmd.exe	114
PID 2244 wrote to memory of 4544	2244	cmd.exe	114
PID 2244 wrote to memory of 2920	2244	cmd.exe	115
PID 2244 wrote to memory of 2920	2244	cmd.exe	115
PID 2920 wrote to memory of 756	2920	cmd.exe	116
PID 2920 wrote to memory of 756	2920	cmd.exe	116
PID 2920 wrote to memory of 1172	2920	cmd.exe	117
PID 2920 wrote to memory of 1172	2920	cmd.exe	117
PID 2244 wrote to memory of 2008	2244	cmd.exe	118
PID 2244 wrote to memory of 2008	2244	cmd.exe	118
PID 2244 wrote to memory of 3996	2244	cmd.exe	119
PID 2244 wrote to memory of 3996	2244	cmd.exe	119
PID 2244 wrote to memory of 8	2244	cmd.exe	120
PID 2244 wrote to memory of 8	2244	cmd.exe	120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\MAS_2629521.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\System32\sc.exe
    sc query Null
    3⤵
    - Launches sc.exe
    PID:1512
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:5068
- - C:\Windows\System32\findstr.exe
    findstr /v "$" "MAS_2629521.cmd"
    3⤵
    PID:1804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:2776
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Console" /v ForceV2
    3⤵
    PID:3528
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:4776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
      4⤵
      PID:2196
  - - C:\Windows\System32\cmd.exe
      cmd
      4⤵
      PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_2629521.cmd" "
    3⤵
    PID:4344
- - C:\Windows\System32\find.exe
    find /i "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:4720
- - C:\Windows\System32\fltMC.exe
    fltmc
    3⤵
    PID:4980
- - C:\Windows\System32\reg.exe
    reg query HKCU\Console /v QuickEdit
    3⤵
    - Modifies registry key
    PID:4072
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:2148
- - C:\Windows\System32\reg.exe
    reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "0" /f
    3⤵
    - Modifies registry key
    PID:1680
- - C:\Windows\System32\cmd.exe
    cmd.exe /c ""C:\Windows\Temp\MAS_2629521.cmd" -qedit"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\System32\reg.exe
      reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "1" /f
      4⤵
      Modifies registry key
      PID:4860
  - - C:\Windows\System32\sc.exe
      sc query Null
      4⤵
      Launches sc.exe
      PID:2468
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:636
  - - C:\Windows\System32\findstr.exe
      findstr /v "$" "MAS_2629521.cmd"
      4⤵
      PID:1152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
      4⤵
      PID:4444
  - - C:\Windows\System32\find.exe
      find /i "/"
      4⤵
      PID:4844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      4⤵
      PID:396
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Console" /v ForceV2
      4⤵
      PID:1748
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:4544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
        5⤵
        
        PID:756
    - - C:\Windows\System32\cmd.exe
        
        cmd
        5⤵
        
        PID:1172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Windows\Temp\MAS_2629521.cmd" "
      4⤵
      PID:2008
  - - C:\Windows\System32\find.exe
      find /i "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:3996
  - - C:\Windows\System32\fltMC.exe
      fltmc
      4⤵
      PID:8
  - - C:\Windows\System32\reg.exe
      reg query HKCU\Console /v QuickEdit
      4⤵
      Modifies registry key
      PID:2796
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:2900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
      4⤵
      PID:2864
    - - C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 updatecheck.massgrave.dev
        5⤵
        Runs ping.exe
        
        PID:3120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
      4⤵
      PID:1984
  - - C:\Windows\System32\find.exe
      find "127.69"
      4⤵
      PID:1696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.6" "
      4⤵
      PID:1808
  - - C:\Windows\System32\find.exe
      find "127.69.2.6"
      4⤵
      PID:3336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
      4⤵
      PID:3240
  - - C:\Windows\System32\find.exe
      find /i "/S"
      4⤵
      PID:3552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "-qedit" "
      4⤵
      PID:2080
  - - C:\Windows\System32\find.exe
      find /i "/"
      4⤵
      PID:3328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      4⤵
      PID:4068
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        5⤵
        
        PID:3820
  - - C:\Windows\System32\mode.com
      mode 76, 30
      4⤵
      PID:1636
  - - C:\Windows\System32\choice.exe
      choice /C:123456780 /N
      4⤵
      PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kwjt0gbh.4cq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Temp\MAS_2629521.cmd

Filesize
438KB

MD5
c42d55911dc34e63ab53115d55a544e5

SHA1
ba2d816f672f965086c5e5d2514582b0505f7b49

SHA256
e9b385b7747bb92735450d2090423199f2049d249a1ddceba1aecbd99bb0418e

SHA512
0ade098dad408d36d2286299f9d960701ee2de666fcd8311d895806ca72bef569c47ead673e52d4e6e67714e298dcf994713807cf79d164642bec7a42533427d

Download Submit
memory/3744-0-0x00007FFFE0893000-0x00007FFFE0895000-memory.dmp

Filesize
8KB

Download
memory/3744-10-0x000001E6341B0000-0x000001E6341D2000-memory.dmp

Filesize
136KB

Download
memory/3744-11-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp

Filesize
10.8MB

Download
memory/3744-12-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp

Filesize
10.8MB

Download
memory/3744-14-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp

Filesize
10.8MB

Download
memory/3744-18-0x000001E633580000-0x000001E63379C000-memory.dmp

Filesize
2.1MB

Download
memory/3744-19-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp

Filesize
10.8MB

Download
memory/3744-21-0x00007FFFE0893000-0x00007FFFE0895000-memory.dmp

Filesize
8KB

Download
memory/3744-22-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp

Filesize
10.8MB

Download
memory/3744-23-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp

Filesize
10.8MB

Download