48b4268c01c091b177661fce94033b95db62ece0a795cefb50781782804a3998

General

Target

ps1002.ps1
Size

798KB
MD5

c2de8908bd27de43e802ab31bd502e75
SHA1

469571354842d62112c033dffcb8fd15f214a82f
SHA256

48b4268c01c091b177661fce94033b95db62ece0a795cefb50781782804a3998
SHA512

cea91a3510dadc10a7946fba5c6bb39bdd08d9d1342d2ff8db951492284d60917881b7be1fdd2bb816a562fb04537334807191bce5847af35c20400056524b5a
SSDEEP

12288:8ppYXT60Mv5a8kebcetZ3Aq74GA19Td1JplTmu5jP+D/43EeI1gZEtd14Q2f9Wlu:fXWZ5Pbcq92zjP+sjI10+r4Q2QJoxZ

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
9	4760	powershell.exe
19	4760	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
4760	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid	Process
4760	powershell.exe
4760	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	4760	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

powershell.execsc.exe

description	pid	Process	procid_target
PID 4760 wrote to memory of 4004	4760	powershell.exe	84
PID 4760 wrote to memory of 4004	4760	powershell.exe	84
PID 4004 wrote to memory of 3924	4004	csc.exe	85
PID 4004 wrote to memory of 3924	4004	csc.exe	85

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ps1002.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ka52pwzf\ka52pwzf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB805.tmp" "c:\Users\Admin\AppData\Local\Temp\ka52pwzf\CSCAFAE759AAFB94972B8B0E3766457C50.TMP"
    3⤵
    PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB805.tmp

Filesize
1KB

MD5
029710ac9e97c313a6795558e6a92da6

SHA1
78004e1ad4fa5654f42c6d14676fd2c5766b0788

SHA256
dbfb36a20c2120789a73bf5a8977d372eca969488b883dd33de53d2a1ab277b3

SHA512
742fb1f320d334a0fbb5bf0e9e5773d2daf1b9551813488d0ad8818a9c6d67b88e47b592628cb75ec94188b9deebb7bd01e3c408fcc7dc8e1147a9882e364b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ukhakbor.3yr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ka52pwzf\ka52pwzf.dll

Filesize
4KB

MD5
6733d11997e5c42d663650383a099f2f

SHA1
263a871483a8dcca90e9dab0cb21e87ac395836a

SHA256
113ad39f90144fd7f065dd12c91631b30fecaaf38388a6106c0df9a6290034ce

SHA512
0bd3aa920139d16b104ce5093f3bf7bbaf517f287dc8e2b5a46b36ebaf7afd99b89966175ebda37abaa86dcac032c40f2d61bec3b6a77c4453250765a8cd994e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ka52pwzf\CSCAFAE759AAFB94972B8B0E3766457C50.TMP

Filesize
652B

MD5
ced7244d364824731e7670f4b18e5ad7

SHA1
b4cafec1da313865dd3a5af57133258d3669bb1b

SHA256
b1e07463fcb35c957dddc0249fdd625c53b8c4b313d756aae5e1a4e5f26cdec0

SHA512
e7d33e425633286fde57285fcfe9be5cda2d9fc1799db9b87082b74673c6e47d4ff256b068a7323b4d346e05b6b4177a014e80ab01e443045df6bbbce2cb42c3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ka52pwzf\ka52pwzf.0.cs

Filesize
1KB

MD5
5989018a4c0ad9cc8bc4cc1e5524186c

SHA1
ec9217244192c5ec96b4ac67982ac05983036569

SHA256
f2c563322c4d6a4c8b00946b48e3a59b45d8ec5991d977acd4514960f8fab4e5

SHA512
2550fb415b2022e3e3d14be551310c7c6821d8b1af7854253d8701f5376d720e1f661c0177f24b0f3bfedf90469064c107d72b1dcac6efa355c24dc6aa786975

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ka52pwzf\ka52pwzf.cmdline

Filesize
369B

MD5
cbcf367d533057967e61726c78d77c96

SHA1
1d96d57f0e4cdc6730506b93bdcd851a173d766e

SHA256
6cbe83a39de50aec2c0bca30c8cfd66aa873d832bdb03076cc2a9fb9629b0117

SHA512
8f9e840a1109451065815da60466bf35048492ba670a091ef99b4c0afdbe1426de1aee86d9dad4d16877e1d6dbafe03473711334a4ba92928b32908f9857b838

Download Submit
memory/4760-27-0x000001547BB40000-0x000001547BB48000-memory.dmp

Filesize
32KB

Download
memory/4760-14-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp

Filesize
10.8MB

Download
memory/4760-0-0x00007FFE71FB3000-0x00007FFE71FB5000-memory.dmp

Filesize
8KB

Download
memory/4760-12-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp

Filesize
10.8MB

Download
memory/4760-11-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp

Filesize
10.8MB

Download
memory/4760-13-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp

Filesize
10.8MB

Download
memory/4760-1-0x000001547BB50000-0x000001547BB72000-memory.dmp

Filesize
136KB

Download
memory/4760-29-0x00007FFE71FB3000-0x00007FFE71FB5000-memory.dmp

Filesize
8KB

Download
memory/4760-30-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp

Filesize
10.8MB

Download
memory/4760-31-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp

Filesize
10.8MB

Download
memory/4760-32-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp

Filesize
10.8MB

Download
memory/4760-33-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp

Filesize
10.8MB

Download
memory/4760-36-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads