1ceac12b416b129e0120c1685a03694f612b4dc00420e14d3c7698382c175bd7

General

Target

code.ps1
Size

1KB
MD5

0511ab9a7dc919cef5127b888d0b5da0
SHA1

49e8cd3f3dbd86d1ecae1188f124112be305ac66
SHA256

1ceac12b416b129e0120c1685a03694f612b4dc00420e14d3c7698382c175bd7
SHA512

0a251c9c53ff6f2fecf758ea0752a4f687719abe14793159ead8f37241bc7c2c79775cac0dd28de413fa94d84fe1a396f657aa3f154e3b456c3b38542a67e275

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1920	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1920	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1920	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1920	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2800	1920	powershell.exe	31
PID 1920 wrote to memory of 2800	1920	powershell.exe	31
PID 1920 wrote to memory of 2800	1920	powershell.exe	31
PID 2800 wrote to memory of 2884	2800	csc.exe	32
PID 2800 wrote to memory of 2884	2800	csc.exe	32
PID 2800 wrote to memory of 2884	2800	csc.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\code.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fteiiqmj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA545.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA544.tmp"
    3⤵
    PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA545.tmp

Filesize
1KB

MD5
3e9f53b444eaade297fcc982e3feb846

SHA1
410bb428ffb8d7257b336fe762776821c7deb6d9

SHA256
fbed9c1d218e9c9bb14ec8ba7bc64c7ad4777186243064598f27f9d04f03f95f

SHA512
60bef5a5864354f328b196336382efbc33dc1a03bb848678c812182655efa52cb5c33b646ac6db6a18b530410faf1cd2b2d3311a616884ea542c0ecf1fa37390

Download Submit
C:\Users\Admin\AppData\Local\Temp\fteiiqmj.dll

Filesize
3KB

MD5
858930067b5c0612fef668bf5f82d036

SHA1
b4474f7549ca761408d408175a1612bcc39f864e

SHA256
6427af36c6ab02d6892ce4bd4a8d958ba57d9450e408c8af37003f4e80e9f834

SHA512
e46f8d512e27bd004acfa736814104ef7dd3409c983c22d103d127e9a7559836b1fdb9ac0465398de4202be6765aea8a4feecf887545b9c71a5b4467eb411e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fteiiqmj.pdb

Filesize
11KB

MD5
4b0bc280e820d403727a0e51ba47004b

SHA1
df76924e69840bf0551d0deb53f96b37338aeee8

SHA256
9d58fbbbdda369d58cd50fa8f61f792ffe34d78d0f51a88f60b49ec7de18f8bd

SHA512
edac785d049db3329bbe812de97f1fb6db74ca0ca373dbc25008210a7d8e692e4cb3e728ed10e0b651b6fd549f0a4af6031e8b780d9555b58d5da6beb3352101

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA544.tmp

Filesize
652B

MD5
baf795d985bebb2ce88067818fb699c0

SHA1
81d4adee5d38a0c54106dbb28f38f1978ec39275

SHA256
82eeb1a01eb16a67da8be12fcc62a4448ee60fb981b29e1b0e3b6672bb733300

SHA512
131887d6b0ed61887718e069a0da01249fe36f6265ee71b288583dae27accc6e65031f2f2a84cef9a6b70d970514d92d26508ff4a103b5dd066ec79821e333a7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fteiiqmj.0.cs

Filesize
489B

MD5
ea6c51ac4ab3cca16440c5a0ccd33f16

SHA1
92f6552fe0189083cd5366a82dc50937da323129

SHA256
e1c966c2408f3da3db0f7b58e927f8300f11cf9e0498d9b5aab8a448221674db

SHA512
254b408666faf0b1837882df623a1a16765e805ffade2a33446b8f32d437be96f20af27b0c18a4d84186ecc1c4fd2fa0a533e2067c19be4da983808e5a497b61

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fteiiqmj.cmdline

Filesize
309B

MD5
44b090237a54caef350a7a1ba01f06ca

SHA1
7ac36b2db7f618acf69c79cde1553fb5cb6af1ae

SHA256
e29c0f329a5c94e564e8ff2b5ac00708e25d7d5634cf1a90de294362c9dd05b7

SHA512
9e0d665ade73ed84ea1fb65b12d14a8aad27b65027e121ce48c9322255c13c77d5fa8cbc6827b62f3063e05f4965f585a24a76e010b2959cb94bc7411dd23ce5

Download Submit
memory/1920-14-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

Filesize
9.6MB

Download
memory/1920-23-0x0000000002BE0000-0x0000000002BE8000-memory.dmp

Filesize
32KB

Download
memory/1920-26-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

Filesize
9.6MB

Download
memory/1920-10-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

Filesize
9.6MB

Download
memory/1920-7-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

Filesize
9.6MB

Download
memory/1920-6-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1920-5-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/1920-4-0x000007FEF5EBE000-0x000007FEF5EBF000-memory.dmp

Filesize
4KB

Download
memory/1920-27-0x000007FEF5C00000-0x000007FEF659D000-memory.dmp

Filesize
9.6MB

Download
memory/1920-28-0x000007FEF5EBE000-0x000007FEF5EBF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing