897f7ff8eb2f049f340deb3891622bbe656d6d59ec03dc6aebd92bb0c20cf312

General

Target

ps1005.ps1
Size

754KB
MD5

a2c4cc351ca68d5557993baefa5f004c
SHA1

4f340f6e249581d5819e9e91da3d15e920920f4d
SHA256

897f7ff8eb2f049f340deb3891622bbe656d6d59ec03dc6aebd92bb0c20cf312
SHA512

1e2195e002ebed21cf0260961ac8707bd46c062e112cc6a853305416a80fd12ef1b1fec6a3f6fde15289350fabb7cd8e74e633091a075f5f168b0c9b3e51a2d5
SSDEEP

12288:8ppYXT60Mv5a8kebcetZ3Aq74GA19Td1JplTmu5jP+D/43EeI1gZEtd14Q2fewYp:fXWZ5Pbcq92zjP+sjI10+r4Q2sp

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
8	1832	powershell.exe
17	1832	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
1832	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid	Process
1832	powershell.exe
1832	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	1832	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

powershell.execsc.exe

description	pid	Process	procid_target
PID 1832 wrote to memory of 3060	1832	powershell.exe	84
PID 1832 wrote to memory of 3060	1832	powershell.exe	84
PID 3060 wrote to memory of 4124	3060	csc.exe	85
PID 3060 wrote to memory of 4124	3060	csc.exe	85

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ps1005.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\md515cqf\md515cqf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES826E.tmp" "c:\Users\Admin\AppData\Local\Temp\md515cqf\CSC48F46D3DDD834C04A72182AE42174021.TMP"
    3⤵
    PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES826E.tmp

Filesize
1KB

MD5
54cc6baa898c846fd2a78f8265772789

SHA1
2eac6271e351168b87fa4240a871577173c20036

SHA256
758da11e3be9d4b2516213a465d9dd1b5b1f5460bf7b03897dcb2d8b19811d76

SHA512
47226acc6e5cf904f738acca2ea4a19eed6088f232bda0b755190e24e5059e079c3f73674296f5f4812d449c36ef6de48b0fb092b71429dc4db8a055bd661a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vb0hl0on.wko.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\md515cqf\md515cqf.dll

Filesize
4KB

MD5
84150b648e3171a0028d411c706987a7

SHA1
331d63c51aba558d688ab119ad9e6482ed4c29bb

SHA256
d8e6959452954fc49fc353fb17fb97b7d7c3030b28045b1a7c753eeff8509939

SHA512
f881f0f0f64979f209374245660f03582cba1d2a6788a10ab7ac35b6ed114364daf105ab452b4be0aca789f1c9373f2f10668df37619643a0ed9724e25ea6da0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\md515cqf\CSC48F46D3DDD834C04A72182AE42174021.TMP

Filesize
652B

MD5
6492abe4d981c46a9d4faedac57eac8d

SHA1
d4f8a25b6cb8ffc7ad63fa81672ae14c056f26a1

SHA256
716b48c2d15f7d9167dd2f8fc94c89c4c73126ab95dbdf89575feb324e7f59b1

SHA512
de9230353a23f07b3c573354c305378af91803a8fc02b4bd0edd70e0294306ed80e14c04735d5aa42b81823ff9d83d43ec3ff51df234ee6c824991979d01dc11

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\md515cqf\md515cqf.0.cs

Filesize
1KB

MD5
5989018a4c0ad9cc8bc4cc1e5524186c

SHA1
ec9217244192c5ec96b4ac67982ac05983036569

SHA256
f2c563322c4d6a4c8b00946b48e3a59b45d8ec5991d977acd4514960f8fab4e5

SHA512
2550fb415b2022e3e3d14be551310c7c6821d8b1af7854253d8701f5376d720e1f661c0177f24b0f3bfedf90469064c107d72b1dcac6efa355c24dc6aa786975

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\md515cqf\md515cqf.cmdline

Filesize
369B

MD5
34de3fbe1d15b2dbb6bfd0b87f37a295

SHA1
6c228976a614ee5839b2cf8a7e5966f10cd59311

SHA256
18db0ad7ad477b79d546c3e8a6c6d87d93407bde0295465bd05a6ecbf909e65d

SHA512
92738fbaf1451d93d53cd2f92b43b7551d3805b01d7d65809e35a27ed954eaa2ca11f23259a815476d0b5242198a5a9d175dbe9de6cc16f7fb48d1c0b19fc423

Download Submit
memory/1832-27-0x00000204799B0000-0x00000204799B8000-memory.dmp

Filesize
32KB

Download
memory/1832-14-0x00007FFDD2E40000-0x00007FFDD3901000-memory.dmp

Filesize
10.8MB

Download
memory/1832-0-0x00007FFDD2E43000-0x00007FFDD2E45000-memory.dmp

Filesize
8KB

Download
memory/1832-12-0x00007FFDD2E40000-0x00007FFDD3901000-memory.dmp

Filesize
10.8MB

Download
memory/1832-11-0x00007FFDD2E40000-0x00007FFDD3901000-memory.dmp

Filesize
10.8MB

Download
memory/1832-13-0x00007FFDD2E40000-0x00007FFDD3901000-memory.dmp

Filesize
10.8MB

Download
memory/1832-1-0x0000020479940000-0x0000020479962000-memory.dmp

Filesize
136KB

Download
memory/1832-29-0x00007FFDD2E40000-0x00007FFDD3901000-memory.dmp

Filesize
10.8MB

Download
memory/1832-30-0x00007FFDD2E43000-0x00007FFDD2E45000-memory.dmp

Filesize
8KB

Download
memory/1832-31-0x00007FFDD2E40000-0x00007FFDD3901000-memory.dmp

Filesize
10.8MB

Download
memory/1832-32-0x00007FFDD2E40000-0x00007FFDD3901000-memory.dmp

Filesize
10.8MB

Download
memory/1832-33-0x00007FFDD2E40000-0x00007FFDD3901000-memory.dmp

Filesize
10.8MB

Download
memory/1832-36-0x00007FFDD2E40000-0x00007FFDD3901000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads