897f7ff8eb2f049f340deb3891622bbe656d6d59ec03dc6aebd92bb0c20cf312

General

Target

ps1005.ps1
Size

754KB
MD5

a2c4cc351ca68d5557993baefa5f004c
SHA1

4f340f6e249581d5819e9e91da3d15e920920f4d
SHA256

897f7ff8eb2f049f340deb3891622bbe656d6d59ec03dc6aebd92bb0c20cf312
SHA512

1e2195e002ebed21cf0260961ac8707bd46c062e112cc6a853305416a80fd12ef1b1fec6a3f6fde15289350fabb7cd8e74e633091a075f5f168b0c9b3e51a2d5
SSDEEP

12288:8ppYXT60Mv5a8kebcetZ3Aq74GA19Td1JplTmu5jP+D/43EeI1gZEtd14Q2fewYp:fXWZ5Pbcq92zjP+sjI10+r4Q2sp

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow	pid	Process
7	532	powershell.exe
9	532	powershell.exe
11	532	powershell.exe
12	532	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
532	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
532	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	532	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

powershell.execsc.exe

description	pid	Process	procid_target
PID 532 wrote to memory of 2820	532	powershell.exe	32
PID 532 wrote to memory of 2820	532	powershell.exe	32
PID 532 wrote to memory of 2820	532	powershell.exe	32
PID 2820 wrote to memory of 2756	2820	csc.exe	33
PID 2820 wrote to memory of 2756	2820	csc.exe	33
PID 2820 wrote to memory of 2756	2820	csc.exe	33

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ps1005.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hyer1739.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB848.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB847.tmp"
    3⤵
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB848.tmp

Filesize
1KB

MD5
4236b43f84a00ffac4b76284310e04fa

SHA1
dfb54677a0ee7c2fdfa42e9ef201b496cf8f31a5

SHA256
cdf3eedf2054622a0e340a8dbfeec781e11ba7350b7981ffa5e56cfea799b784

SHA512
b438709726dae23569f8b44eab9e9b6afde7e577370847de5b83622bad22607d5b5cc4393124025097b04d6c0a4c57ae56222a666995fee95180a2848de3ea68

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyer1739.dll

Filesize
4KB

MD5
14bf51d5b89ec06a6e2c6e2ff5a7bb7d

SHA1
0a104a2abb52286774f130bd1660f27344e56d48

SHA256
a706720fcf8a59ba84c1f8434b571a7b6100abe7a9f927bcfbdd2392ce52e359

SHA512
940dfab2701a0b2a7b183b844e46dd52ef6c49afe0ff3d72670e994a26ca5bd4d3deb6a438bedac1f17272f1691bb1d73b7eb6e00a27e6043903a065ee5a36c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyer1739.pdb

Filesize
7KB

MD5
827381186a61ef5fd08b7ed96aa8768b

SHA1
825e886d66b4d1492902f73e0389d7fc47912606

SHA256
c203aba368c765a4c73ffdab3ca26a29fa614ffb94170cc4fc29e70a01204d92

SHA512
c23abaddaf7943d81791fd89a8e913c9af6af883cfe6ff2d8f8aad09923bd6c02b47eb11ef4218438b95c6fcb8b3d4b8133560c563fa0989defcceef0a32c997

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB847.tmp

Filesize
652B

MD5
7521b2d1c613c6f2eeff77628fcc55a6

SHA1
b2a75a1de63a8ba39fe4ce96aaaccfaaa1634da3

SHA256
31bdbcb6e33cde41bcfde7fdc56a3bf83c8f887376518ccd46f17472e960eec5

SHA512
c40967848cbb48a5ee4e785f790ef5c27d53797ec1da3d5cea66818777b41f213421eebabc255a3120b8603e807f66b1f4d04d982a774de63fe0120c8d6f605b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hyer1739.0.cs

Filesize
1KB

MD5
5989018a4c0ad9cc8bc4cc1e5524186c

SHA1
ec9217244192c5ec96b4ac67982ac05983036569

SHA256
f2c563322c4d6a4c8b00946b48e3a59b45d8ec5991d977acd4514960f8fab4e5

SHA512
2550fb415b2022e3e3d14be551310c7c6821d8b1af7854253d8701f5376d720e1f661c0177f24b0f3bfedf90469064c107d72b1dcac6efa355c24dc6aa786975

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hyer1739.cmdline

Filesize
309B

MD5
c13ff9d5c973bea8f6b85e91b93b977a

SHA1
6d974dc05643b6ae99430888f1360c39217e5bb0

SHA256
c70b77a9a7bf4f40afa8dd489ffac55f76d238610ca7076bf935d17f8ee7cd56

SHA512
5b6ac55a965f1e1691c6d23f6ff0cd0dc92ed6add7414b6336819e14e8731547c99fb299d4d3f06cc1b646096f07735894adab98fbb0b54732851fedc31b42a6

Download Submit
memory/532-6-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/532-4-0x000007FEF614E000-0x000007FEF614F000-memory.dmp

Filesize
4KB

Download
memory/532-12-0x000007FEF614E000-0x000007FEF614F000-memory.dmp

Filesize
4KB

Download
memory/532-13-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download
memory/532-14-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download
memory/532-15-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download
memory/532-10-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download
memory/532-11-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download
memory/532-5-0x000000001B870000-0x000000001BB52000-memory.dmp

Filesize
2.9MB

Download
memory/532-7-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download
memory/532-8-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download
memory/532-32-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/532-9-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-30-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-22-0x000007FEF5E90000-0x000007FEF682D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads