8bc12fbce8d8c38f2d2fa799632e8179c6d5c11e62c51ef2eeb8b110ea51b058

General

Target

8bc12fbce8d8c38f2d2fa799632e8179c6d5c11e62c51ef2eeb8b110ea51b058N.ps1
Size

1.0MB
MD5

a6f20cc1e31ef031cc147748cc261f60
SHA1

3d222a767a7e414f3d35e125ee54376022bb90b5
SHA256

8bc12fbce8d8c38f2d2fa799632e8179c6d5c11e62c51ef2eeb8b110ea51b058
SHA512

6afc5418c7988af46ba4c11dbfb9294295a943142ac88818d051cbfa5c52e587b45e5154db7050edb0f279826f28080e6aa5c5f1513dfc1c1ca5b0387272ce63
SSDEEP

24576:5BMOYxXe1b18rvqj+J2C4jR5x4+2KmlxdbEBb:5W/GiQC+2F3c

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
14	3304	powershell.exe
27	3304	powershell.exe
29	3304	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3304	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3304	powershell.exe
3304	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3304	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 3204	3304	powershell.exe	90
PID 3304 wrote to memory of 3204	3304	powershell.exe	90
PID 3204 wrote to memory of 4672	3204	csc.exe	91
PID 3204 wrote to memory of 4672	3204	csc.exe	91

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\8bc12fbce8d8c38f2d2fa799632e8179c6d5c11e62c51ef2eeb8b110ea51b058N.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gsr0rekk\gsr0rekk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE501.tmp" "c:\Users\Admin\AppData\Local\Temp\gsr0rekk\CSC234440E44C024F568C2EB4DE87BB5042.TMP"
    3⤵
    PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE501.tmp

Filesize
1KB

MD5
09ec6fd6f0e87a7dc19783bf717ace1f

SHA1
93272e8171a3ee5f1c0039d037d11541a77b21ad

SHA256
d306b5a73da96c60949224e7f536e1ca3a25d478a041a7174ba6ab936c313411

SHA512
15e29752193399f1a5dedbaed7bdd44d9c99c56074f38ba2d09214b92022f6177871dca8287d788e8edb11d826b26ef2aaaddf5c0411308ac6b6fdd024880d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cmqhdxjp.5cs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsr0rekk\gsr0rekk.dll

Filesize
4KB

MD5
76f86dad7944b24abf5dee8b75b91d11

SHA1
90ea89fb399a6d004445f24f3b6cc4f22c8e98f5

SHA256
66b931187fbf532b265e39d72d9b73b4771f17c04071fccbfde3057001f4606d

SHA512
c517043ecf481335ccd145867245eb5d59cff32b90fcb8c4d95b07f44a8ed73d86c2d7e06a2f9d706fdd0b9a65fa86f5b7de879039dc516f5556160fe6d37a83

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gsr0rekk\CSC234440E44C024F568C2EB4DE87BB5042.TMP

Filesize
652B

MD5
f35de05650140cd13c4b4e78173d11b8

SHA1
afee8857003c54646fa62ffd23cc0a74e7cec0c4

SHA256
6672bb75457a2f88b34b5953f4e591b63c73efa6c9c254bd7ba425584e6d1bdf

SHA512
81267984eeacfb91c790d65a6c826a7488230d81c9a1236873989eb22288ae0d7e88503e19b7ecbced23bce493c89f2bc2385d7527775dddbe5f6915f50a7693

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gsr0rekk\gsr0rekk.0.cs

Filesize
1KB

MD5
5989018a4c0ad9cc8bc4cc1e5524186c

SHA1
ec9217244192c5ec96b4ac67982ac05983036569

SHA256
f2c563322c4d6a4c8b00946b48e3a59b45d8ec5991d977acd4514960f8fab4e5

SHA512
2550fb415b2022e3e3d14be551310c7c6821d8b1af7854253d8701f5376d720e1f661c0177f24b0f3bfedf90469064c107d72b1dcac6efa355c24dc6aa786975

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gsr0rekk\gsr0rekk.cmdline

Filesize
369B

MD5
095bfbf3ea467bcb4edc9c1aa4b81f2a

SHA1
b16f6caf10b6197a0480797c46226c9280ebee54

SHA256
6254b2c69458a0c9fe081cd667c8bbb3d72797978b6e5076c1fc6b52b6827a09

SHA512
76493be22f433437672d1fb5cd15eaaad8eb204223620fa5bcdbf32582558b6bb1fbf55ed5a3fb47053c75694004f37490396920950d79c65449974a0b6de81e

Download Submit
memory/3304-16-0x00007FFF544B0000-0x00007FFF54F71000-memory.dmp

Filesize
10.8MB

Download
memory/3304-15-0x00007FFF544B0000-0x00007FFF54F71000-memory.dmp

Filesize
10.8MB

Download
memory/3304-0-0x00007FFF544B3000-0x00007FFF544B5000-memory.dmp

Filesize
8KB

Download
memory/3304-14-0x00007FFF544B0000-0x00007FFF54F71000-memory.dmp

Filesize
10.8MB

Download
memory/3304-13-0x00007FFF544B3000-0x00007FFF544B5000-memory.dmp

Filesize
8KB

Download
memory/3304-12-0x00007FFF544B0000-0x00007FFF54F71000-memory.dmp

Filesize
10.8MB

Download
memory/3304-29-0x000001F93A9E0000-0x000001F93A9E8000-memory.dmp

Filesize
32KB

Download
memory/3304-11-0x00007FFF544B0000-0x00007FFF54F71000-memory.dmp

Filesize
10.8MB

Download
memory/3304-2-0x000001F952EE0000-0x000001F952F02000-memory.dmp

Filesize
136KB

Download
memory/3304-31-0x00007FFF544B0000-0x00007FFF54F71000-memory.dmp

Filesize
10.8MB

Download
memory/3304-32-0x00007FFF544B0000-0x00007FFF54F71000-memory.dmp

Filesize
10.8MB

Download
memory/3304-35-0x00007FFF544B0000-0x00007FFF54F71000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing