3264d09d3a398417226b7d346c2fc4757ffa445373763e2d7c2f18ef6edb2354

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hidden_Undected_CMSTP-Reflection.ps1
Size

13KB
MD5

39d26ba464405a52eec059c38fde3742
SHA1

b8e15337cbdfe46d6c712bf45a381b5a97d30db1
SHA256

5812fe6944f400d00f4ab4b4189779c3caddc419c3346842e30c07d238f4d186
SHA512

7fb159fbedc68cd0a353534b30cca7f0f6a95f327c69d2a4cc1b7d4c4b591ea893451b18f188d5739873a64c64bd314546a20bb272d76931cee1937a6104e337
SSDEEP

384:lc2055WPIbP1ermV2qvkXLuwYiou2tc428QuB:lc2eWgP1UIEuwhom4tQW

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4564 powershell.exe
4996 powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3256 taskkill.exe

pid	process
3256	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exe

pid	process
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 4564 powershell.exe
Token: SeDebugPrivilege 4996 powershell.exe
Token: SeDebugPrivilege 3256 taskkill.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

powershell.exe

pid process

4564 powershell.exe
4564 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	3256	taskkill.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 4564 wrote to memory of 4792	4564	powershell.exe	cmstp.exe
PID 4564 wrote to memory of 4792	4564	powershell.exe	cmstp.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Hidden_Undected_CMSTP-Reflection.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4564

\??\c:\windows\system32\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\windows\temp\dd5zlj1e.inf
2⤵
PID:4792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass C:\Users\Admin\Music\la0bvbcx.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
4b6a25c71368c32af07089d65cb075f5

SHA1
489f98f82b860b96b375af8b236d2a390c6e2fd4

SHA256
8d0896f043e62ea4952833cb20d23fc5f39f2a004bada23c71fc41af8b37a6e2

SHA512
24f6478e8bc175d10bd849356a35b421daf718839c344ce1a14ac0324d4c90162df618f690de61d992a92fc4c9b8cf8bb46eddb8560da5a126ad0904456ef4c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4d1969fa5f066db3e8ea5693cc9a1718

SHA1
3f630883efe81b6f1d3cf1fec526237fe4202334

SHA256
0069835519f12f37ead8f308e96d8c90ea09e081a94a941c1f8921fe6e1834ce

SHA512
4f74412265a1b11826f18e58bfc6b59c006914dd2acb74045dffca775cb1fb620605233f5c5fc7b03fe50433e99dba4e4bd1b4afc012cfc8f0214d1dedcfb88d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qxemio0f.xej.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Music\la0bvbcx.ps1

Filesize
44B

MD5
bac6401de6dde08d74975b36142db4c4

SHA1
afff11fb0f67ca72196f87950d031ccb3ea8d1bd

SHA256
a969390600da053cca1c6a79cfcca555ac38c0af847e7a20c2ee2b24e02a9913

SHA512
2caed8e12850571cad5771d666fb58f95d6885da5fb2f5eaa151855cbabe8c031ba32f7a2edeee078c23214e9b4bd6fc87b36c2237ee6c282cf62b64f899cc9f

Download Submit
C:\windows\temp\dd5zlj1e.inf

Filesize
656B

MD5
48a010a93ed81a7ace901862f9d8980f

SHA1
6aa9f24b072c83cc4e44e753dad5e51574348dfd

SHA256
8cd6f50d49b4f3e5019de0b6c5467701469cbfd39056e2e1b69ad9d463c57dca

SHA512
6bcf27ef6e901ecac38344309fe0430caea70e1bdf194f48adf6850a0a7a0d9c54e6944d163ab7c2537493f6873912d33d81718331e29856c986566eec672c50

Download Submit
memory/4564-11-0x00007FFEE8140000-0x00007FFEE8C01000-memory.dmp

Filesize
10.8MB

Download
memory/4564-13-0x00007FFEE8140000-0x00007FFEE8C01000-memory.dmp

Filesize
10.8MB

Download
memory/4564-17-0x00007FFEE8140000-0x00007FFEE8C01000-memory.dmp

Filesize
10.8MB

Download
memory/4564-18-0x00007FFEE8140000-0x00007FFEE8C01000-memory.dmp

Filesize
10.8MB

Download
memory/4564-21-0x00007FFEE8140000-0x00007FFEE8C01000-memory.dmp

Filesize
10.8MB

Download
memory/4564-12-0x0000024AA2770000-0x0000024AA2778000-memory.dmp

Filesize
32KB

Download
memory/4564-0-0x00007FFEE8143000-0x00007FFEE8145000-memory.dmp

Filesize
8KB

Download
memory/4564-10-0x0000024AA2920000-0x0000024AA2942000-memory.dmp

Filesize
136KB

Download