897f7ff8eb2f049f340deb3891622bbe656d6d59ec03dc6aebd92bb0c20cf312

General

Target

ps1005.ps1
Size

754KB
MD5

a2c4cc351ca68d5557993baefa5f004c
SHA1

4f340f6e249581d5819e9e91da3d15e920920f4d
SHA256

897f7ff8eb2f049f340deb3891622bbe656d6d59ec03dc6aebd92bb0c20cf312
SHA512

1e2195e002ebed21cf0260961ac8707bd46c062e112cc6a853305416a80fd12ef1b1fec6a3f6fde15289350fabb7cd8e74e633091a075f5f168b0c9b3e51a2d5
SSDEEP

12288:8ppYXT60Mv5a8kebcetZ3Aq74GA19Td1JplTmu5jP+D/43EeI1gZEtd14Q2fewYp:fXWZ5Pbcq92zjP+sjI10+r4Q2sp

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
7	2820	powershell.exe
9	2820	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
2820	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
2820	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	2820	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

powershell.execsc.exe

description	pid	Process	procid_target
PID 2820 wrote to memory of 1568	2820	powershell.exe	32
PID 2820 wrote to memory of 1568	2820	powershell.exe	32
PID 2820 wrote to memory of 1568	2820	powershell.exe	32
PID 1568 wrote to memory of 2892	1568	csc.exe	33
PID 1568 wrote to memory of 2892	1568	csc.exe	33
PID 1568 wrote to memory of 2892	1568	csc.exe	33

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ps1005.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jostfkyc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE63.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE62.tmp"
    3⤵
    PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE63.tmp

Filesize
1KB

MD5
b26f71c8065f66d6433c006dd35a1486

SHA1
eb53155ff44f11f8d241a5676116cbf879acf6ec

SHA256
7581671ef1c32f02ccc46331a6f923c9605aef7bc2fbabd4233f602b65a88b80

SHA512
d869eaa0529b8623688be3c080ad1f7687061157c89798d5143095e32c01c22da89d011aabf3d538117fd5a2649c6fccb8f71e5a6cf62ac62644853a2fc4b6d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jostfkyc.dll

Filesize
4KB

MD5
715aae44073f30f36eae68595edbb946

SHA1
dd524630774fc8c6502cc9d5ac262669e57dec8b

SHA256
810a60e9e2fb20dafde558bc935097402bbe96681766dcef13285c2ee76abf0b

SHA512
09b77f0fe15cebdd120b997d294eb2dbe1c437060c25d1d8f75e3c54ed0e277734e7ada8b2426c5e875a3ae8e94edfacb1add59afa958e1a97d63fe5e8537cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jostfkyc.pdb

Filesize
7KB

MD5
ddb00e47007353a6b83519d560b5a11c

SHA1
de2ccaccc908ce3914b1d8f624d3dc9a170b1009

SHA256
a5402bd67cfed14ba1d8d9a6fbfb3d64c0f059ca88b8d5781c94ea45aa4a3c8f

SHA512
1989ab2d087c7a2375c113eeeef17b8f367226a643e9f5792e74ce9354f54176dac4bf2a79498c518a183b91bb579386846736f192422aea2a53b459f67aad20

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE62.tmp

Filesize
652B

MD5
f30f9d4ec3e9fe395a36294cf8071eac

SHA1
e3bcf0d572b7c5c573f6a4a5f2996d0726b79b33

SHA256
58dac388445ba62f92b0a70ce65804d8294bacd18c7e5de9b6aa25c77665ff5b

SHA512
8a59df5a2692a8ec782009486fd3b96c072b6fd94b45e10c77ebcb2fe79e44cab0f47d58c3226d36d3571df975783efd43a41b2b6f7f1c7aa3343487c9f7c9d3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jostfkyc.0.cs

Filesize
1KB

MD5
5989018a4c0ad9cc8bc4cc1e5524186c

SHA1
ec9217244192c5ec96b4ac67982ac05983036569

SHA256
f2c563322c4d6a4c8b00946b48e3a59b45d8ec5991d977acd4514960f8fab4e5

SHA512
2550fb415b2022e3e3d14be551310c7c6821d8b1af7854253d8701f5376d720e1f661c0177f24b0f3bfedf90469064c107d72b1dcac6efa355c24dc6aa786975

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jostfkyc.cmdline

Filesize
309B

MD5
6fb688a8fdab2b97aa42f0e72b59212e

SHA1
2602f713352b8f7998a6f18bb675a2119b33ffd5

SHA256
b31fb46bced3c1f4435accf8c7072c09d88126804ac7a87cadcc950bba271544

SHA512
9d102ee4faeeb6f0e469ea6f725c7dfe8b0b393461ba91a1561f9fec294acfde4d3a71f6417e854a38cf4f27ee3342b71fb9a55a0e64bb67a2feab1913356966

Download Submit
memory/1568-32-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/1568-24-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-10-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-11-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-15-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-14-0x000007FEF573E000-0x000007FEF573F000-memory.dmp

Filesize
4KB

Download
memory/2820-16-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-17-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-13-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-12-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-4-0x000007FEF573E000-0x000007FEF573F000-memory.dmp

Filesize
4KB

Download
memory/2820-8-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-9-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-7-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-5-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2820-34-0x0000000002A20000-0x0000000002A28000-memory.dmp

Filesize
32KB

Download
memory/2820-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2820-37-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads