8bab4ba0004cd3a627a59e3877ec92ebff143a4810667b042e57ce168cf44e39

General

Target

r12d12.space_b.txt.ps1
Size

1KB
MD5

35c92f4cd446344a166cbf83dbf0ff15
SHA1

e06f98c2f5f82eab44226937d5ce29600f407dcf
SHA256

8bab4ba0004cd3a627a59e3877ec92ebff143a4810667b042e57ce168cf44e39
SHA512

63128bbe01c0123b5131ed863759dfc19f036dfb53f2d62e15b24f5f3c1df2c8391f48881919741e599c4c922e95b9f7395b9da15d40b7e3655358a9832296da

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2296	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2296	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2296	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2848	2296	powershell.exe	31
PID 2296 wrote to memory of 2848	2296	powershell.exe	31
PID 2296 wrote to memory of 2848	2296	powershell.exe	31
PID 2848 wrote to memory of 2952	2848	csc.exe	32
PID 2848 wrote to memory of 2952	2848	csc.exe	32
PID 2848 wrote to memory of 2952	2848	csc.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\r12d12.space_b.txt.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\immdr72n.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0E9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB0D8.tmp"
    3⤵
    PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB0E9.tmp

Filesize
1KB

MD5
4bfc1ce222a845a7ed2c61b6182be802

SHA1
a664ccfe7fe956945586f36cb821eda947c496b7

SHA256
2a1aad743ad826b1c268620be4cc0fb9d419f5faa3d0c6cd4cce9ab1e968ea9e

SHA512
e516d8cd872f2fc347e473cd88990be934f5256c1b070d249df7d0a81b1d63f9be34def4136036aaf63e4e3cb78cbd8fd5e394ab551461d3d27474acdb388bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\immdr72n.dll

Filesize
3KB

MD5
fceba777561a488f319fbd73401bd51d

SHA1
8e479d4668817716049b94d7fb91d89c7854b2a1

SHA256
757075f0986574cfd519de84b3fd6689a97967e129cc4fee9d4ae4751d37efb2

SHA512
d133692026a72e1c87bba93b6c45c19426a6bdbe23f182da432512b3533029501782efb36c2709c4f51c7bd5ee9e9f7605e2669db0c15890e66ae8ae249b3755

Download Submit
C:\Users\Admin\AppData\Local\Temp\immdr72n.pdb

Filesize
7KB

MD5
e0e2025f29b30539d3fe95a6b920c5e8

SHA1
a083a67d3d8c9bbdcc5c24c6ef79479622a2559d

SHA256
e91cab1814f80134a69ccabc19e8d9177bf94923eaf5b9d9607545afd7d0a714

SHA512
57cce37c6d37f082a904296fdd570ba5948e62ab9405a5518751d3a453f96c2a2f98f1ccb9f58d7f11303e27181e612f4a57ae6e10f4dfcddda1af950f23186b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB0D8.tmp

Filesize
652B

MD5
536a9c9f44760cd9d353c573cb61f965

SHA1
480564d71ec00d2aa19ea42da4e9d1293f7e87b5

SHA256
625778940558e1aa4ceab00559c8d7785b244f2db00237794c0bf4615d4652e3

SHA512
d275495c0b823c6016f9d737469e0da9d248bafb38b1052bc36677aa4d243afd848fc41e501761cd79e90c3470d8600221a58a9f3a06e10843f9100a5a425a6b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\immdr72n.0.cs

Filesize
267B

MD5
23153877f0e70049d7f366448cc220bc

SHA1
2851269291a02ad0c7b60cb6ff7395bd1a20c659

SHA256
d7ed9035e9940848f250a57fb4f99e509e3fc50e4b5cb7be13c7ffb4787508ac

SHA512
82f29b8507abed31d15c2cb892c338debe6a2538c6be2c6741fb9c8afe76d26c43ec8b7060c37b1f91d1c475581e3bb816033bd09389d3973349a3b6e17af1a1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\immdr72n.cmdline

Filesize
309B

MD5
22799cb616ba4983f9fb38b1b49e2ec7

SHA1
aa71ffe91d78765c85c91fd669b1bf9642874f4e

SHA256
f879f1032fb77ee661ef951c67a80052643642bc66d1b09bbdf36ed16d4a7620

SHA512
814659c5273a2518988e4064fd8e96ad2b4cd0b6ec3d41f9fc4df29efafbb11718f9dcb98c12e998607d203e3e973b17216becfa6b8ce81a7952dd5625610964

Download Submit
memory/2296-8-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/2296-10-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/2296-9-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/2296-4-0x000007FEF50CE000-0x000007FEF50CF000-memory.dmp

Filesize
4KB

Download
memory/2296-7-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/2296-6-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/2296-5-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/2296-26-0x0000000002B10000-0x0000000002B18000-memory.dmp

Filesize
32KB

Download
memory/2296-32-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/2848-16-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download
memory/2848-24-0x000007FEF4E10000-0x000007FEF57AD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing