e23d81cf88f4a5539ab0414342e50c7b63845c2abdcf1d496c8b7e8ac4e7cc68

Analysis

max time kernel
93s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ttteee.ps1
Size

616B
MD5

b1e34c3ba62204e7890f0b8786449e81
SHA1

5f7d401e3760ec4fb717efa38340088e6019b05c
SHA256

e23d81cf88f4a5539ab0414342e50c7b63845c2abdcf1d496c8b7e8ac4e7cc68
SHA512

6f8425fbf44a8dff2a97c18b6002d29aa7b8f60b82d0702871af344628bd7fd3c002e7cbcc920ec1a1dfd56454c527bad8ab18c95023c78728f49d3d08e79f87

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2944	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2944	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2944	powershell.exe
2944	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 4932	2944	powershell.exe	87
PID 2944 wrote to memory of 4932	2944	powershell.exe	87
PID 4932 wrote to memory of 3536	4932	csc.exe	88
PID 4932 wrote to memory of 3536	4932	csc.exe	88

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ttteee.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r2hfnxcc\r2hfnxcc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0C4.tmp" "c:\Users\Admin\AppData\Local\Temp\r2hfnxcc\CSC27B868AF9D9B4700924D97EA7B9FCEC.TMP"
    3⤵
    PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA0C4.tmp

Filesize
1KB

MD5
eedcf1394824465eabe33f9fa47e25ea

SHA1
9261f013f9a988e253d011c886992e059277860f

SHA256
19af392d53053d9d2f94564570747bf18aabcc3292f0d8dfd985726392d9d5cd

SHA512
154b7cdd4a6dbf4808bca8e12349b084977966d9fd7506034e94a4f111fa063168c52bff5cf716b8bc41859a8dfd61835ed9ed577b4c4957a6c653f8fbbd61ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_izppbqru.dds.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\r2hfnxcc\r2hfnxcc.dll

Filesize
3KB

MD5
2b37a499692f80bacdbc4cb814f7b48d

SHA1
ab8d1bb511996a4dc220958b38f1203bb2ec1fad

SHA256
88e30bfcd93866c7e4d6df89d615db749ea257fcebb9f41cb20365058fe40dd7

SHA512
adaa28baab8a558f6e13a69797f78c97644bccb50eb9de84db4977c2e61325cd50e7ad1893c149def6f76acccfaa74717f036fcb9fdf799c718ccf9f84161ccd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r2hfnxcc\CSC27B868AF9D9B4700924D97EA7B9FCEC.TMP

Filesize
652B

MD5
5da255cae5a90552b71b6dfcfed0f425

SHA1
54460a8214f7febe454c42a99238f7aa7e69483a

SHA256
80b30811c38605db49f9f8f14609e3bd1ecccb228099fbc89ab198b05f93dfe2

SHA512
b6301cd10d3da7e79f116292ec4a7e9097afecfdd2821b44c0c318fe879a07b6b46ee78b5669099de6acfb39f2b8644042dae646c253cf1bcbcf8bd34abf2750

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r2hfnxcc\r2hfnxcc.0.cs

Filesize
293B

MD5
f74945ba6eef5d976da8a775e22ecbd7

SHA1
920861d0ea17bf9dd114f0d10df56fa278e7abab

SHA256
6e2594cc5c1101adbaa04d1494d122332d372767b11c435ce50ef01aff688617

SHA512
9d1b3bae83b7b69868817b51438243f9343659bd8d3b6e170e1b767dded62bae39d450fee4e4ae444313deaad50a59806f71092ced729b43f0304177b9c39f6f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r2hfnxcc\r2hfnxcc.cmdline

Filesize
369B

MD5
a2d40c2cc7dc0ccf88e9b84e1726a47e

SHA1
18d8291d8def98f45572b9489890129bf7e66406

SHA256
78bb0afdfdce61b257ba8bf52b1121b52891495d44a52cdc743145f08da626a7

SHA512
125b422000a8cc69fa5d6949b7bfd099d710058f4c46913e724a43250c57dec1feca13b147df40778f532b2b2536b5ea7567057c3331d481156818aefcc6b966

Download Submit
memory/2944-11-0x00007FFC45890000-0x00007FFC46351000-memory.dmp

Filesize
10.8MB

Download
memory/2944-12-0x00007FFC45890000-0x00007FFC46351000-memory.dmp

Filesize
10.8MB

Download
memory/2944-0-0x00007FFC45893000-0x00007FFC45895000-memory.dmp

Filesize
8KB

Download
memory/2944-25-0x0000019E39690000-0x0000019E39698000-memory.dmp

Filesize
32KB

Download
memory/2944-6-0x0000019E396B0000-0x0000019E396D2000-memory.dmp

Filesize
136KB

Download
memory/2944-27-0x00007FFC45893000-0x00007FFC45895000-memory.dmp

Filesize
8KB

Download
memory/2944-28-0x00007FFC45890000-0x00007FFC46351000-memory.dmp

Filesize
10.8MB

Download
memory/2944-29-0x00007FFC45890000-0x00007FFC46351000-memory.dmp

Filesize
10.8MB

Download
memory/2944-32-0x00007FFC45890000-0x00007FFC46351000-memory.dmp

Filesize
10.8MB

Download