e23d81cf88f4a5539ab0414342e50c7b63845c2abdcf1d496c8b7e8ac4e7cc68

General

Target

ttteee.ps1
Size

616B
MD5

b1e34c3ba62204e7890f0b8786449e81
SHA1

5f7d401e3760ec4fb717efa38340088e6019b05c
SHA256

e23d81cf88f4a5539ab0414342e50c7b63845c2abdcf1d496c8b7e8ac4e7cc68
SHA512

6f8425fbf44a8dff2a97c18b6002d29aa7b8f60b82d0702871af344628bd7fd3c002e7cbcc920ec1a1dfd56454c527bad8ab18c95023c78728f49d3d08e79f87

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	920	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
920	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
920	powershell.exe
920	powershell.exe
920	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	920	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 4544	920	powershell.exe	75
PID 920 wrote to memory of 4544	920	powershell.exe	75
PID 4544 wrote to memory of 4636	4544	csc.exe	76
PID 4544 wrote to memory of 4636	4544	csc.exe	76

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ttteee.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oopzegn4\oopzegn4.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7BA8.tmp" "c:\Users\Admin\AppData\Local\Temp\oopzegn4\CSC3FB9CA8A5E674B5DB3D5E4F22578915.TMP"
    3⤵
    PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7BA8.tmp

Filesize
1KB

MD5
54a7650d82b92b2685c9644736bd8455

SHA1
4a3bb86ccde1bcf140c44ff1a1a08cd058fc85d7

SHA256
547f1976586aaf4812ed8f73c4e1b16f50771b26d9780019225d536bffb92fee

SHA512
9be333fe27238863583bf67920d8e8915037e24411c004d85b5536579e98c0107c3547286a8c37fce1144c96e1b23d22ed95f682604efadbd9ab05d5d7ef629f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_31syeqft.hum.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oopzegn4\oopzegn4.dll

Filesize
3KB

MD5
968f2f557516f90bbe23013b601fe119

SHA1
45134b7b80acf3be19210ce20c8f37805dfd6057

SHA256
b9116059b1432bfc595af34c4aa2a90ddff5891bfb7ea3eb62d98f6fed722962

SHA512
d76df40fb0a0eb1f501aa3a519b856f46036e93652ade5d0645d1affea797da7e0147e7c5c5d54fb2f6638a3f0ee2b319972205925251339d70c2202437430cc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oopzegn4\CSC3FB9CA8A5E674B5DB3D5E4F22578915.TMP

Filesize
652B

MD5
1647646760c3de5e948adf5b46830dca

SHA1
952e361e15d33725a993b58b10950842c0f4b241

SHA256
34695e844b9fb7c8db6342a30dd627cc9fb3eee946e350b67c47755e6f083748

SHA512
39413d4a4afe1598f996218ea12a11eb648bf78e5120b007acf39b78595487586b6eaa32b24d4d5f47ab82ae2ef68c5ff9bdfdacc7e5755e4e5cacc34b169ebf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oopzegn4\oopzegn4.0.cs

Filesize
293B

MD5
f74945ba6eef5d976da8a775e22ecbd7

SHA1
920861d0ea17bf9dd114f0d10df56fa278e7abab

SHA256
6e2594cc5c1101adbaa04d1494d122332d372767b11c435ce50ef01aff688617

SHA512
9d1b3bae83b7b69868817b51438243f9343659bd8d3b6e170e1b767dded62bae39d450fee4e4ae444313deaad50a59806f71092ced729b43f0304177b9c39f6f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oopzegn4\oopzegn4.cmdline

Filesize
369B

MD5
1f880419ac59b374f194c3fa06a52e4b

SHA1
334d5e2f15dd106b3b005199597241f08ecad66c

SHA256
7cba43c3d8ec4fa59589cb0116c63b9a67819ff4be13127c5616445aa9d53eaf

SHA512
b5d2f5807e2a4a426152eb06f173aeca158f38afec091e2321b3fb54a4e53afcfe13b76168165c536ddc48d4bbd406eb8af84b0806bcd9b639bb4ac4e9a425b2

Download Submit
memory/920-8-0x000001E7EDC20000-0x000001E7EDC96000-memory.dmp

Filesize
472KB

Download
memory/920-2-0x00007FFC45323000-0x00007FFC45324000-memory.dmp

Filesize
4KB

Download
memory/920-10-0x00007FFC45320000-0x00007FFC45D0C000-memory.dmp

Filesize
9.9MB

Download
memory/920-9-0x00007FFC45320000-0x00007FFC45D0C000-memory.dmp

Filesize
9.9MB

Download
memory/920-5-0x000001E7ED9D0000-0x000001E7ED9F2000-memory.dmp

Filesize
136KB

Download
memory/920-37-0x000001E7D5450000-0x000001E7D5458000-memory.dmp

Filesize
32KB

Download
memory/920-39-0x00007FFC45320000-0x00007FFC45D0C000-memory.dmp

Filesize
9.9MB

Download
memory/920-40-0x00007FFC45323000-0x00007FFC45324000-memory.dmp

Filesize
4KB

Download
memory/920-59-0x00007FFC45320000-0x00007FFC45D0C000-memory.dmp

Filesize
9.9MB

Download
memory/920-63-0x00007FFC45320000-0x00007FFC45D0C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing