c3255374e2871058472680b594d0eadbfd73c0de7494214576d7796dd1b05a92 | Triage

Sharing

General

Target

c3255374e2871058472680b594d0eadbfd73c0de7494214576d7796dd1b05a92.ps1
Size

4KB
Sample

241127-dhsndatmgx
MD5

3f5f652952ced2761ef056b5a11b8896
SHA1

186bf77a973d93fde13aeb7beeebded71188bd91
SHA256

c3255374e2871058472680b594d0eadbfd73c0de7494214576d7796dd1b05a92
SHA512

46ec872ff49ce3fd8ef25de88c616ce0dc6025b8c1b43a43f0a8c9a4e45974de234efee2a9406162589bbeed93ad26d5fe432ae5deecaddd5f9a5e1d3516982e
SSDEEP

96:VerCwM6AqiyYT4PVvp8VcxCOTjb1ZU2WuKaMYAbGwIEKER:VeWdBqiyYqRRJTw2HKaLAztPR

Score

10^/10

defense_evasion discovery execution lateral_movement

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://154.90.

Targets

- Target
  
  c3255374e2871058472680b594d0eadbfd73c0de7494214576d7796dd1b05a92.ps1
- Size
  
  4KB
- MD5
  
  3f5f652952ced2761ef056b5a11b8896
- SHA1
  
  186bf77a973d93fde13aeb7beeebded71188bd91
- SHA256
  
  c3255374e2871058472680b594d0eadbfd73c0de7494214576d7796dd1b05a92
- SHA512
  
  46ec872ff49ce3fd8ef25de88c616ce0dc6025b8c1b43a43f0a8c9a4e45974de234efee2a9406162589bbeed93ad26d5fe432ae5deecaddd5f9a5e1d3516982e
- SSDEEP
  
  96:VerCwM6AqiyYT4PVvp8VcxCOTjb1ZU2WuKaMYAbGwIEKER:VeWdBqiyYqRRJTw2HKaLAztPR
Score

9^/10

defense_evasion discovery execution lateral_movement
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Remote Service Session Hijacking: RDP Hijacking
  Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
  lateral_movement
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Indicator Removal: Network Share Connection Removal
  Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
  defense_evasion
- Drops startup file
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Users
  defense_evasion
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Account Manipulation

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Account Manipulation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Users

Indicator Removal

Network Share Connection Removal

Credential Access

Discovery

Permission Groups Discovery

Local Groups

Process Discovery

Query Registry

System Information Discovery

Lateral Movement

Remote Service Session Hijacking

RDP Hijacking

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasiondiscoveryexecutionlateral_movement

behavioral2

defense_evasiondiscoveryexecutionlateral_movement