9fca82ac9d1a70b7e09177b8dbc98e6f26c5cf0eb65ae78717d7fd4f7bc554b6

Analysis

max time kernel
94s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bCelery.github.io-1.0.5-c/a.ps1
Size

492B
MD5

667d2373562f3e6411197a6280dbf8c1
SHA1

1f101bca3721e26f59ba45182d304bd55b6c53c4
SHA256

dc42a6abf71ff256b28fe1d294cbbeba45848a9ac5f201a97c9e77691143745f
SHA512

8f157e28c5f5d2ac9a09672b338aa336ed5142ccfb6adbb5b48f232ec40694d95df252687da20da7f4b24ad629fd85606547beefd5e09bac12b49183eade8bda

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
7	180	powershell.exe
9	180	powershell.exe
19	180	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3556	powershell.exe
180	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3556	powershell.exe
3556	powershell.exe
180	powershell.exe
180	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeDebugPrivilege	180	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 3520	3556	powershell.exe	87
PID 3556 wrote to memory of 3520	3556	powershell.exe	87
PID 3520 wrote to memory of 1436	3520	cmd.exe	89
PID 3520 wrote to memory of 1436	3520	cmd.exe	89
PID 1436 wrote to memory of 4936	1436	net.exe	90
PID 1436 wrote to memory of 4936	1436	net.exe	90
PID 3520 wrote to memory of 180	3520	cmd.exe	91
PID 3520 wrote to memory of 180	3520	cmd.exe	91
PID 180 wrote to memory of 1532	180	powershell.exe	92
PID 180 wrote to memory of 1532	180	powershell.exe	92
PID 1532 wrote to memory of 3928	1532	csc.exe	93
PID 1532 wrote to memory of 3928	1532	csc.exe	93

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\bCelery.github.io-1.0.5-c\a.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\betterCeleryRun.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:4936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "irm bcelery.github.io/src/gui.ps1 | iex"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:180
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yy2lw43e\yy2lw43e.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA400.tmp" "c:\Users\Admin\AppData\Local\Temp\yy2lw43e\CSCA5EAFC3C904349B2A34A52B38A5CFFAB.TMP"
        5⤵
        
        PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA400.tmp

Filesize
1KB

MD5
d5df492abae133a9b18591a2b8dcc9cb

SHA1
00919c7063d56710de47c93642adf2ad0899791d

SHA256
fa4d0b6ca6e8c8ac17118c2826960feb292bc12b05211b321d7bc9908b5b3278

SHA512
22eb4c6b362bf599f20d7a3f98486452b7d257e7680b27d8ac1bf2e3da73135fb15c26745aec20ed265f64df4fd6fd55fcfa1602386aa7421539273badc7f95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ieflgwmd.ggw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\yy2lw43e\yy2lw43e.dll

Filesize
3KB

MD5
33f625f4734cd4268f4548f606b874f4

SHA1
307ab912a93aa15bf358ac7911fc2221da9b496d

SHA256
60852950f3a563568312b2074497c3c1a89718c045530cac5a7731d05e850095

SHA512
79e769eabc4485fea355818a6d94553a39a17cd798f4083ef660b6333f3f4babc014874ec1a39873ba4f42d545563d32bcd308112368476958d34ed669cf54e2

Download Submit
C:\Users\Admin\Documents\betterCeleryRun.cmd

Filesize
272B

MD5
f0dc748048d93bfcffeade9e70839e47

SHA1
f499891181bb8f8ce9f11f4ea531e4406b791d53

SHA256
30f45fd0cf8ad465a14fef1f26049a77dd7dafc6073478c921318a0b345ae84c

SHA512
c3bc0c87227b7429e76ed6c308918c2de339064bd87d790a717971b25e1165c01767e57c7f24edb17f76196b13315a98056a59c631b93000c30ad4d73901fb1c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yy2lw43e\CSCA5EAFC3C904349B2A34A52B38A5CFFAB.TMP

Filesize
652B

MD5
1ac37c0e66373a28b39583f77ed948b5

SHA1
e992ec713c051f9811d4b4958bb904280ea6073a

SHA256
723573ee10c4ee3078588102b3cd7566cb7e5e9f18f2629561db0cbaec79d7a0

SHA512
467e5ff22fff14a73cb27c3a8e70389fbef664b232b2f0394d24080320c6cdb33f9bd14da54d020bf3d9013606781731a745fc606a53c12bb96860f04bb62f9f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yy2lw43e\yy2lw43e.0.cs

Filesize
1KB

MD5
b983dc31d9cc03fa0a806d03d41a442a

SHA1
1119fb39e7e468826237c9ca89b3eb837755360b

SHA256
af8f55a45d929c65f9ec3900760c74c24020ee7f61c92ca0b750ee374bb8b232

SHA512
c2166540f72fc70dd2189c29260a0ad66628fba431546455317fd6cad50b86a0731756779e7ccac2197b90a348859f3f239bf70271bbcb279dffc2afadec7d18

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yy2lw43e\yy2lw43e.cmdline

Filesize
369B

MD5
f06e645a83dff0bc796a3b6ef834b992

SHA1
70e50feb2ff147268f5023bfcbbcaf71cdc62b36

SHA256
143bc909bce679dd6d55d2c98e45e8c08674446f80258d7a28d92ca89365aa63

SHA512
bfb3a386f81a21ef74472b04b11efc598ef3d08ba2a8030af3f1388d1ec28de8badfaed3c0022d8fadcf6f08fe396fde8e7cf43e1e15783599acc0ecd62f93da

Download Submit
memory/180-32-0x00007FFE7A0C0000-0x00007FFE7AB81000-memory.dmp

Filesize
10.8MB

Download
memory/180-31-0x00007FFE7A0C0000-0x00007FFE7AB81000-memory.dmp

Filesize
10.8MB

Download
memory/180-34-0x0000027659E20000-0x0000027659FE2000-memory.dmp

Filesize
1.8MB

Download
memory/180-21-0x00007FFE7A0C0000-0x00007FFE7AB81000-memory.dmp

Filesize
10.8MB

Download
memory/180-47-0x0000027657740000-0x0000027657748000-memory.dmp

Filesize
32KB

Download
memory/180-49-0x000002765A7A0000-0x000002765AF46000-memory.dmp

Filesize
7.6MB

Download
memory/180-51-0x0000027E5B480000-0x0000027E5B9A8000-memory.dmp

Filesize
5.2MB

Download
memory/180-52-0x00007FFE7A0C0000-0x00007FFE7AB81000-memory.dmp

Filesize
10.8MB

Download
memory/3556-0-0x00007FFE7A263000-0x00007FFE7A265000-memory.dmp

Filesize
8KB

Download
memory/3556-18-0x00007FFE7A260000-0x00007FFE7AD21000-memory.dmp

Filesize
10.8MB

Download
memory/3556-12-0x00007FFE7A260000-0x00007FFE7AD21000-memory.dmp

Filesize
10.8MB

Download
memory/3556-11-0x00007FFE7A260000-0x00007FFE7AD21000-memory.dmp

Filesize
10.8MB

Download
memory/3556-1-0x0000024562F80000-0x0000024562FA2000-memory.dmp

Filesize
136KB

Download