e40b1c97536de542e4e23d0ae4508be0a8738542985d41b1aaaa34d38a870ce2

General

Target

file.ps1
Size

913B
MD5

93ba68e441acfd1891c26c36f876318c
SHA1

a448bddfe614476519bdb1d3529a1739670221d5
SHA256

e40b1c97536de542e4e23d0ae4508be0a8738542985d41b1aaaa34d38a870ce2
SHA512

c958f7b9917f15df3ff2dda87a53a5007dfe71565843a79c913151daad1b26064602c8d19d8e509b2a08eb1c50e740d79002fe0dc1e5f12c2bdd3682aabbe252

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2616	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2616	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2768	2616	powershell.exe	31
PID 2616 wrote to memory of 2768	2616	powershell.exe	31
PID 2616 wrote to memory of 2768	2616	powershell.exe	31
PID 2768 wrote to memory of 2640	2768	csc.exe	32
PID 2768 wrote to memory of 2640	2768	csc.exe	32
PID 2768 wrote to memory of 2640	2768	csc.exe	32
PID 2616 wrote to memory of 2744	2616	powershell.exe	33
PID 2616 wrote to memory of 2744	2616	powershell.exe	33
PID 2616 wrote to memory of 2744	2616	powershell.exe	33

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fu3i2lq6.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF623.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF622.tmp"
    3⤵
    PID:2640
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "2616" "944"
  2⤵
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259456337.txt

Filesize
1KB

MD5
ab5751f29f497823ada0d7208183625e

SHA1
569f1bc96031fa9101b392ca6f2c9c8213118484

SHA256
54e5944aa35586544642b9c216ea0c03f3314aa63ed3daad018092c2b722aba3

SHA512
a72d53787b6fcae552937cbf45df2d54ca085edf2dbbaecd26111de24e9a9e1fa956b70a4db46948aa63e114eff94a3f205ed828209a5c9798d3d36a2a5d5e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF623.tmp

Filesize
1KB

MD5
d977c66e884f8d6e6ba7f395397973c2

SHA1
87be6bea3c3438a87dd28a9b2a069e652d0cd1f1

SHA256
701e0fa0116b8e49a35903166213a059ef75d1ac1ad60874f483b29a52f241c8

SHA512
bc873f10ed65a274541cb05ae7c786006b4127615d2fa62e11206d26b6bea07222651cc395a514ab5ea1f2d96bdc4509eaaa50a29579d72c90ab15728149b27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fu3i2lq6.dll

Filesize
3KB

MD5
3e4a8061696583610196f26eadacca30

SHA1
7551b8749868f7f9ce66fac82833d60e315577ac

SHA256
30b3867b74c89f06747ec6308f9839b5af5a58d0149394c159762c6d595bc9c6

SHA512
277beeade2b161bf918b8f3f90001e8cc0fed3a592d5b8d09acffd4c055538f3d350beefbf8de5bef341ef974e81d5403165acf1ff02b43859fcb10088977dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fu3i2lq6.pdb

Filesize
7KB

MD5
63284507b85f3443339f96a2b545c88a

SHA1
47443fc9b4c63f05a6e07a44fa8a8d5434457b4c

SHA256
32f93826c404983b77d35aa779229057b30bf77218c35cf12c31ba6b92f829b0

SHA512
c8900c4b306bb10c50fd2a5cd37d4d60767201ee67a42a7f44c3d5af7df293fc888669932a022208b62f5e1810dcfe1e64e4541573cbf3b8a1f7933c1124fd8c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF622.tmp

Filesize
652B

MD5
29a694d6184d7fc1b78d9d175041224b

SHA1
31a9e69c0c688803b67421cc457ada60d2ab9cf7

SHA256
1b7bdc3a01a3fff3f1d870f4b263136524e17e79c227c7210496f1974c88cfbd

SHA512
c1f5e086e1a06e3b164b527df5a32f6efd54b533a3d66408db3518f819d4b475afe35609030d83ca7a4bc1136eb859074559e433690c6cfe2036092244444d49

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fu3i2lq6.0.cs

Filesize
169B

MD5
2f010725190c2a4aed6464a6b07caa28

SHA1
8cdb73dbbfbf61bd612ec83d190a47340591ffe0

SHA256
b366f7a0857ef5ea51c30d49e93c0a75fc0138d57adc1663ac9ef06f0220af26

SHA512
4015fa2e09b48c107de80a91ff1812761994b5505d9c5f17efb4c12f5799f15b350a513d5427ba1dbe9de6105721a301b8c87d52f3d9eafad90dd0d1768fdedd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fu3i2lq6.cmdline

Filesize
309B

MD5
d30493102aee0e508810daf04029042d

SHA1
fef1780ab0ce2b160fb3a9b826beedad2c0c91dd

SHA256
0662303429e1fb3779b846e50c98b3da300c9605009cd006f686dac5665fa4f2

SHA512
5b445ab441268317defda25d4059dfe736d8074b2bbe8016d53665d0b2ee0b5d8cc54e2e91e9a7736c40d6b71f790a9424fd45f8347ff848cd2998a091fecbfc

Download Submit
memory/2616-8-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2616-13-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2616-14-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2616-9-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2616-4-0x000007FEF513E000-0x000007FEF513F000-memory.dmp

Filesize
4KB

Download
memory/2616-27-0x0000000002BF0000-0x0000000002BF8000-memory.dmp

Filesize
32KB

Download
memory/2616-6-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2616-7-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2616-5-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2616-32-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-17-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-25-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing