d006ed068aa21cbe7e34f6a2431da12e069529a53908cb965c0798c9fd9a98de

General

Target

ps1008.ps1
Size

848KB
MD5

54e842d329c2946cc0cf528af06f1a86
SHA1

4d0478ebcbcbb2f50964e64d3f1c748902434f93
SHA256

d006ed068aa21cbe7e34f6a2431da12e069529a53908cb965c0798c9fd9a98de
SHA512

7922586903b6a26d026c49d71c2e113928d8a9393ec100d7d232d8cec171f5c97cdc4303e75eec38b4c6005e765adeb18c7f9b3d58153c47e5a3cf7a7abd534f
SSDEEP

12288:8i6UD4ZwdWZ097bfm46LAC3pbFsh86rbckFv1ljUdNWqE63ZVHNta2vjpZx1MF5m:jMe7bPMS5bcGvjjsNY6LHLjpdo9rY31

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
9	4720	powershell.exe
17	4720	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
4720	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid	Process
4720	powershell.exe
4720	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	4720	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

powershell.execsc.exe

description	pid	Process	procid_target
PID 4720 wrote to memory of 3592	4720	powershell.exe	83
PID 4720 wrote to memory of 3592	4720	powershell.exe	83
PID 3592 wrote to memory of 3380	3592	csc.exe	84
PID 3592 wrote to memory of 3380	3592	csc.exe	84

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ps1008.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tzj4ihnp\tzj4ihnp.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC515.tmp" "c:\Users\Admin\AppData\Local\Temp\tzj4ihnp\CSCA72EF7F7EDC4438DB069EFF3D950331.TMP"
    3⤵
    PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC515.tmp

Filesize
1KB

MD5
f93303824f640ccc13dbdf059ccac3ff

SHA1
536a1bdbf61d1ad6b368a00776b3dac5f9c88953

SHA256
e6b02cb0aa8eacb5ec78fdc346b79ad3a15122f6a78630c033e0d6b8ec080527

SHA512
03b8d72764829b0b3e8f7a5dd78dc6648e34d84cc40e571ed42989e95913157cd7af586667798708c5723bfb7f2eb28b65584ad18a20d2924d8bdaee58afbd86

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ubh13b2.uql.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzj4ihnp\tzj4ihnp.dll

Filesize
4KB

MD5
d77aaabe5713dcd50f932559b93f88e6

SHA1
a4b53baecb5bba76a17e95a9a00baf23791c9e50

SHA256
7d6b4a3d44d547634298091a1e1f3e608e2682ce801d49492214281bb4623dc1

SHA512
a98da72735ad344df58be031b79ff037275f1ee86798672ba4f0e14fdd1a6cddaf634b8494d1ebd388c701ec84ccac526ff5e8b47589710b1c525300c0abce23

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tzj4ihnp\CSCA72EF7F7EDC4438DB069EFF3D950331.TMP

Filesize
652B

MD5
da34f59338ca2f03e0e7f63003ab1a41

SHA1
19ab03ccc61580dd929f9e4d0adb32caf2c9e330

SHA256
43805626693f773c4b1f7fbe64df43248abc4c74d87cbeafef5ff6a53b7e260a

SHA512
eb8af1a4aa374ac07aa21e66b77da9781d1071a6e704f92b7a6ff12ae042ef552385e2eb59b81521221b7635cc01206b82077a8e3b63361d6d13a00554f25d58

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tzj4ihnp\tzj4ihnp.0.cs

Filesize
1KB

MD5
5989018a4c0ad9cc8bc4cc1e5524186c

SHA1
ec9217244192c5ec96b4ac67982ac05983036569

SHA256
f2c563322c4d6a4c8b00946b48e3a59b45d8ec5991d977acd4514960f8fab4e5

SHA512
2550fb415b2022e3e3d14be551310c7c6821d8b1af7854253d8701f5376d720e1f661c0177f24b0f3bfedf90469064c107d72b1dcac6efa355c24dc6aa786975

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tzj4ihnp\tzj4ihnp.cmdline

Filesize
369B

MD5
06a1d4b8e3aef2918e33b56a2ae1bf5d

SHA1
837f48c786e6d10c1e648f48168398ec57f50489

SHA256
87d32c0d4526e70ce5cf3c3dec5190a0c132984545b9c951a529a625ecf01935

SHA512
9e6001853cc72ce365ddcad7c37a0afa00c0a49864cd8434d74d7cae320164b54c42ab75cfa26975eba27feec17cea3f10b43e982828c8e1b2bd9b7da26fd771

Download Submit
memory/4720-12-0x00007FFFD20B0000-0x00007FFFD2B71000-memory.dmp

Filesize
10.8MB

Download
memory/4720-14-0x00007FFFD20B0000-0x00007FFFD2B71000-memory.dmp

Filesize
10.8MB

Download
memory/4720-13-0x00007FFFD20B0000-0x00007FFFD2B71000-memory.dmp

Filesize
10.8MB

Download
memory/4720-0-0x00007FFFD20B3000-0x00007FFFD20B5000-memory.dmp

Filesize
8KB

Download
memory/4720-11-0x00007FFFD20B0000-0x00007FFFD2B71000-memory.dmp

Filesize
10.8MB

Download
memory/4720-1-0x0000015FFF630000-0x0000015FFF652000-memory.dmp

Filesize
136KB

Download
memory/4720-27-0x0000015F99E40000-0x0000015F99E48000-memory.dmp

Filesize
32KB

Download
memory/4720-29-0x00007FFFD20B0000-0x00007FFFD2B71000-memory.dmp

Filesize
10.8MB

Download
memory/4720-30-0x00007FFFD20B3000-0x00007FFFD20B5000-memory.dmp

Filesize
8KB

Download
memory/4720-31-0x00007FFFD20B0000-0x00007FFFD2B71000-memory.dmp

Filesize
10.8MB

Download
memory/4720-32-0x00007FFFD20B0000-0x00007FFFD2B71000-memory.dmp

Filesize
10.8MB

Download
memory/4720-33-0x00007FFFD20B0000-0x00007FFFD2B71000-memory.dmp

Filesize
10.8MB

Download
memory/4720-36-0x00007FFFD20B0000-0x00007FFFD2B71000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads