100a4c16630356774d7ebee6681d40279fcb4ceabccf194d371af739ca98ce53

General

Target

ps1001.ps1
Size

785KB
MD5

5996b2aa1d6b234a48ed62f1ecaae159
SHA1

4f6e56e34d7da66cb1f9b9ebc707f7fd01764352
SHA256

100a4c16630356774d7ebee6681d40279fcb4ceabccf194d371af739ca98ce53
SHA512

6d74c8bd7f52fedf55068a58cca93ce30582517a40d556b07c3f3ec3d5f17283b2cc7852601331bd77d1a3fd8f09b2f3cc6ebd7a2c6fa8a34cee45363eb80d0f
SSDEEP

12288:8ppYXT60Mv5a8kebcetZ3Aq74GA19Td1JplTmu5jP+D/43EeI1gZEtd14Q2f3Nug:fXWZ5Pbcq92zjP+sjI10+r4Q21ug

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
11	4836	powershell.exe
17	4836	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
4836	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid	Process
4836	powershell.exe
4836	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	4836	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

powershell.execsc.exe

description	pid	Process	procid_target
PID 4836 wrote to memory of 3228	4836	powershell.exe	84
PID 4836 wrote to memory of 3228	4836	powershell.exe	84
PID 3228 wrote to memory of 3172	3228	csc.exe	85
PID 3228 wrote to memory of 3172	3228	csc.exe	85

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ps1001.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xsh1doht\xsh1doht.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3228
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES833A.tmp" "c:\Users\Admin\AppData\Local\Temp\xsh1doht\CSC9AC4822B76BF437D86F28419A85712D8.TMP"
    3⤵
    PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES833A.tmp

Filesize
1KB

MD5
cb56a30a0a8914d80f062d2b0b665c9b

SHA1
4dfbc8016f832de5ff9096d693f476de33ba1874

SHA256
dce66c14601ea1972626324db4b6c9dc760d0bf943f37c37247e75a22c6ba382

SHA512
56dddb6486c2813b1b3d4276edd5d8478289e11859f57bf833982ad9900528e0348c2f0d0036ef01ac56a9052e01804d64abaa799bf2b95759f5c3a33dee5c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uoyznsnj.oe1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsh1doht\xsh1doht.dll

Filesize
4KB

MD5
4fd45606821769bbf06fe8537eb54e1c

SHA1
a85be399f3908395b0e915ec3f509e3aa2a06047

SHA256
f47c6ab3387b65db25d92ef533cfdd575853bb184d492d7e9bfee9edf9eda2b2

SHA512
861a5e5f3dea4c92c76eb6e044c410177394fe0b08d8f84da144561c8597c13fa472a9d2d886a8778982f7d9bd0a37ccb39d8949e0b21285b0ae6d8bb55de01e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xsh1doht\CSC9AC4822B76BF437D86F28419A85712D8.TMP

Filesize
652B

MD5
2d2aa6baad473340ebdf3cdd37bf3b18

SHA1
90cafeaa61704452607bac66ae78ccfba2325eef

SHA256
69b302648ae7446af09b2349f4264988ed69865ce9b140ff6f825864f0c6285b

SHA512
d58a3f3dc50c0dd08619abf50655d1344115767bb4939cbbf949f4aa90b36c022db59fdebf0e87d0cb60af146c46cef37e2f67ad4430997a0364e6670553a2f9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xsh1doht\xsh1doht.0.cs

Filesize
1KB

MD5
5989018a4c0ad9cc8bc4cc1e5524186c

SHA1
ec9217244192c5ec96b4ac67982ac05983036569

SHA256
f2c563322c4d6a4c8b00946b48e3a59b45d8ec5991d977acd4514960f8fab4e5

SHA512
2550fb415b2022e3e3d14be551310c7c6821d8b1af7854253d8701f5376d720e1f661c0177f24b0f3bfedf90469064c107d72b1dcac6efa355c24dc6aa786975

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xsh1doht\xsh1doht.cmdline

Filesize
369B

MD5
588f4d159e469996c6668d0090d98494

SHA1
bd5fc2289c92f2419980f7a7ad8f0f66376b718b

SHA256
83603ddcf38ef051f3a5eccc5430555db38314f3f1e2a4a0dc01489e7fcb5611

SHA512
3c38a88bd09f08794b205904c2ef96f71d97af3c49133bd74fa068169075ae57351552b9afa3bb9a26ef18fb630061a5363b48c152556fcdfaa8278a7a46890b

Download Submit
memory/4836-27-0x000001ABBFC30000-0x000001ABBFC38000-memory.dmp

Filesize
32KB

Download
memory/4836-14-0x00007FFED1090000-0x00007FFED1B51000-memory.dmp

Filesize
10.8MB

Download
memory/4836-0-0x00007FFED1093000-0x00007FFED1095000-memory.dmp

Filesize
8KB

Download
memory/4836-12-0x00007FFED1090000-0x00007FFED1B51000-memory.dmp

Filesize
10.8MB

Download
memory/4836-7-0x00007FFED1090000-0x00007FFED1B51000-memory.dmp

Filesize
10.8MB

Download
memory/4836-13-0x00007FFED1090000-0x00007FFED1B51000-memory.dmp

Filesize
10.8MB

Download
memory/4836-1-0x000001ABC00F0000-0x000001ABC0112000-memory.dmp

Filesize
136KB

Download
memory/4836-29-0x00007FFED1093000-0x00007FFED1095000-memory.dmp

Filesize
8KB

Download
memory/4836-30-0x00007FFED1090000-0x00007FFED1B51000-memory.dmp

Filesize
10.8MB

Download
memory/4836-31-0x00007FFED1090000-0x00007FFED1B51000-memory.dmp

Filesize
10.8MB

Download
memory/4836-32-0x00007FFED1090000-0x00007FFED1B51000-memory.dmp

Filesize
10.8MB

Download
memory/4836-33-0x00007FFED1090000-0x00007FFED1B51000-memory.dmp

Filesize
10.8MB

Download
memory/4836-36-0x00007FFED1090000-0x00007FFED1B51000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads