66ddc48b67efc492b819cce8eb88db85699b98ea94d5941cbb8a4cd682bb385e

General

Target

66c4a56e96ab90c7b672dfb8a238a2c0N.ps1
Size

685KB
MD5

66c4a56e96ab90c7b672dfb8a238a2c0
SHA1

6085884e21931554311664724f2c58d81312ed8e
SHA256

66ddc48b67efc492b819cce8eb88db85699b98ea94d5941cbb8a4cd682bb385e
SHA512

e98b839173f3c140ae98685eb7726c529d5caa04ce21f7dcccf9046ffa7d53214ee4d5ba6de8c764e0c45e8ed0679525ab624d3a4a4098c08ecc6aec31a7cf30
SSDEEP

12288:8ppYXT60Mv5a8kebcetZ3Aq7dIzWokCUxEgf/AxHhICOk2imcMsk:fXWZ5PbcqdIzWokCiHovICOk2/D

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
9	2860	powershell.exe
32	2860	powershell.exe
34	2860	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2860	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2860	powershell.exe
2860	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 3592	2860	powershell.exe	95
PID 2860 wrote to memory of 3592	2860	powershell.exe	95
PID 3592 wrote to memory of 4744	3592	csc.exe	96
PID 3592 wrote to memory of 4744	3592	csc.exe	96

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\66c4a56e96ab90c7b672dfb8a238a2c0N.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eewts5hy\eewts5hy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE79.tmp" "c:\Users\Admin\AppData\Local\Temp\eewts5hy\CSCF53F8F4BAA4343C8B9E368EC42BB1D.TMP"
    3⤵
    PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDE79.tmp

Filesize
1KB

MD5
ac545599bb98a9b1f7df710ac2c3013e

SHA1
0569338822bcdb213a982a04fa956e4619528ee7

SHA256
d4bbd3e251aab913b5d87ade56a4e722ebd6bcd99f6f46761a9ff84cfac87bcd

SHA512
0ca8d15bf1e86067b49b223026fef77b76644da0a78a9982797e86d2206762307433a36ac9446e02ed546561a1ab3a2e96c34915ef52ca6fd1d958c7dce08a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uq45otih.4dw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\eewts5hy\eewts5hy.dll

Filesize
4KB

MD5
697d6b29f1ed87b00e8af6fa570a1bf1

SHA1
42ffa00a610afce4832847b76fb023199830808b

SHA256
e291046a33b1fd5314e1810d50993ec6b4e38d7b4c7ed06a173ba013172f5f12

SHA512
da314753f1649c5321546575744633d3d07cab684cea3219c2e2d905b69e33e66573c1c609e701daa81aad985bb8260c2fc9354e6e9ee3d12aaa41e91b4ae494

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eewts5hy\CSCF53F8F4BAA4343C8B9E368EC42BB1D.TMP

Filesize
652B

MD5
c05e80acbd332a8384b071f75c04bb57

SHA1
c1147ed11aa0ee58c94b67ddc73dfe1af011e7e4

SHA256
71a1d410cf0dbfc7a29dae726c6f71f61d2f73cd3a424eedf6e7734c467dc2ca

SHA512
dd987b4127c39f28abe0b606120df40e53797c920c50ff6c34a6215d4876164c065210dbfac027ff45e948344a0e33800f1c2e4776850b42568e56f82d882802

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eewts5hy\eewts5hy.0.cs

Filesize
1KB

MD5
5989018a4c0ad9cc8bc4cc1e5524186c

SHA1
ec9217244192c5ec96b4ac67982ac05983036569

SHA256
f2c563322c4d6a4c8b00946b48e3a59b45d8ec5991d977acd4514960f8fab4e5

SHA512
2550fb415b2022e3e3d14be551310c7c6821d8b1af7854253d8701f5376d720e1f661c0177f24b0f3bfedf90469064c107d72b1dcac6efa355c24dc6aa786975

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eewts5hy\eewts5hy.cmdline

Filesize
369B

MD5
bbf86565b45819485601c6df2a2ce25b

SHA1
8df86459fead06cae026a54363599b43e193d215

SHA256
fc85c932e229d4579349dab9bdc85160d2037759738dac139889af82ea0f88b5

SHA512
0afc169c77d64d73bd03348d7247b42ff72dab680d50c3fff95614206f0870d3f4ead920df09f20e323677cce55cf9e7670d0d4afa50e6d3a4375a3148de9fd2

Download Submit
memory/2860-12-0x00007FFFD6CD0000-0x00007FFFD7791000-memory.dmp

Filesize
10.8MB

Download
memory/2860-15-0x00007FFFD6CD0000-0x00007FFFD7791000-memory.dmp

Filesize
10.8MB

Download
memory/2860-16-0x00007FFFD6CD0000-0x00007FFFD7791000-memory.dmp

Filesize
10.8MB

Download
memory/2860-14-0x00007FFFD6CD3000-0x00007FFFD6CD5000-memory.dmp

Filesize
8KB

Download
memory/2860-13-0x00007FFFD6CD0000-0x00007FFFD7791000-memory.dmp

Filesize
10.8MB

Download
memory/2860-0-0x00007FFFD6CD3000-0x00007FFFD6CD5000-memory.dmp

Filesize
8KB

Download
memory/2860-11-0x00007FFFD6CD0000-0x00007FFFD7791000-memory.dmp

Filesize
10.8MB

Download
memory/2860-1-0x0000024636980000-0x00000246369A2000-memory.dmp

Filesize
136KB

Download
memory/2860-29-0x000002461E400000-0x000002461E408000-memory.dmp

Filesize
32KB

Download
memory/2860-31-0x00007FFFD6CD0000-0x00007FFFD7791000-memory.dmp

Filesize
10.8MB

Download
memory/2860-32-0x00007FFFD6CD0000-0x00007FFFD7791000-memory.dmp

Filesize
10.8MB

Download
memory/2860-35-0x00007FFFD6CD0000-0x00007FFFD7791000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing