66b3309146e34ae971ff0b5933d2392c9016ea8c8fef2b41b66bb11f6dd84acf

General

Target

x.ps1
Size

757KB
MD5

e9bf208781b60d91292c6177677e27f8
SHA1

364f17ba1b85e4c903157cb8a897f35fa48e73b7
SHA256

66b3309146e34ae971ff0b5933d2392c9016ea8c8fef2b41b66bb11f6dd84acf
SHA512

3b17fc0a33cdb568ce10a78df234ecd05331d020fdd7eb52ec22e1461df0231569ce6a6d86dd1276495bfae8f4d8bf96b42cad2434c18bb170a5f96a43ca29d7
SSDEEP

12288:gcsub9WFDXHZwlfFd41W1QJzJRm2FDgM/ZR4skE8fITcH1B:gcDb9WJ+lfFd41WmzJwmDR/ZR4skE8fH

Score

7^/10

execution

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2232	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2232	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2232	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2672	2232	powershell.exe	32
PID 2232 wrote to memory of 2672	2232	powershell.exe	32
PID 2232 wrote to memory of 2672	2232	powershell.exe	32
PID 2672 wrote to memory of 1340	2672	csc.exe	33
PID 2672 wrote to memory of 1340	2672	csc.exe	33
PID 2672 wrote to memory of 1340	2672	csc.exe	33

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\x.ps1
1⤵
- Loads dropped DLL
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cbgkfd4p.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB9F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFB9E.tmp"
    3⤵
    PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFB9F.tmp

Filesize
1KB

MD5
fc2bb36bd379635c4048d0d95e1b70d3

SHA1
05902a97a65d8360441f307e0417627b1939ef00

SHA256
b2d1e1b31fae27e8b2e2c6780aed4b154da750dce16f4c5a9ff4131137b0cc50

SHA512
e57dc765bd05daa2f117b910ddeb3c983b7fd822e091bf1e9030145d572717a28a29d8fd12117d74c1f8ffb04cf7b604faffd0d2f9ba3e256f25b3a19f105024

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbgkfd4p.dll

Filesize
3KB

MD5
2c5123391b8bcc3f1c4a7a858f03fb7a

SHA1
146b5534bdf82246c9b604673eaba8f5f12b549e

SHA256
aef6c1f3e619fdfbde7e35fd2b99c7e8133ae8db64a0d3a4ccb4d940d00a5586

SHA512
8d1a74c5d16db22ec081538f04107bdb08829309afe63e1e4fa3fbb456edd55740943905292e41efe2f6ef502c138d14173ea66b9479296306e065c4bbb23303

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbgkfd4p.pdb

Filesize
7KB

MD5
d160a172c5f2624b47df55abeb51ba46

SHA1
de4d2c0b679ef909a67a8732645e316be0838199

SHA256
91978a6ce09e8870b79742fcc23ccb94e2293f8c123c6f2b57a991e421ccb254

SHA512
dfd86b0d64d598857c59e5f5e0e05fb75b27c716d1a40d5c6a9e44c13f539b80a0827c67d6d559ed4d04c4d4a7d4ff208b73d246359269c04ddf3b5ff6961a39

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFB9E.tmp

Filesize
652B

MD5
0b252018be0541be85c9940b25e37980

SHA1
fd7829d7e8370cb1b6525c62660b8a12313554f5

SHA256
4eb422d34dd8cd668ddb6e9855890fdd411225745090f3d5f241849e17bc3d50

SHA512
e3d9ad350e74005b135d55a896e6e1e63bc2fde9d7fceef24a8989189dfd23f8d6c537ed23a43c53e6b42168b205547d59cee327d034bac3f366158851ac1af6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cbgkfd4p.0.cs

Filesize
241B

MD5
8fb4917e625b00940362884186e9ecbf

SHA1
411618139a1de410ea9dede7810d9780014b2b37

SHA256
cce349eceaad9b3886b4ab8d1687e28a1ffdf38605610e97a9494fbb2e6c762a

SHA512
08cf41c3c1d850ccd413b3041bafb5b9926dcc0fa0e92f850b7530181b9e253751b59abde7af9c4bf9f24b6549cfe2f82e75fc81525a69242cdc598036483ce1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cbgkfd4p.cmdline

Filesize
309B

MD5
7d1255dd35eda92f80fdd957bc93a83d

SHA1
87a51da2de97b1abf59067438469f3fd7cc238e5

SHA256
d92a8b3b3f2db86b46863612d5e28ad23dd08d5cbbac54bfac40432a167cdb5f

SHA512
877fd36e251535022a57f692fa20400d40e29369d817f0820b808edda991288d731b97dd4d86a53f5997bbf4e6d15b05808245e3716169b1e445e5dbaa6d7ca2

Download Submit
\Users\Admin\AppData\Local\Temp\tmpFB21.tmp

Filesize
12KB

MD5
e6b7078b6b145749c223b63690cf7822

SHA1
562145c8fdef211277dcfe2170cad2ba862dfdca

SHA256
7c0e07e3947e1c61818f8de92cb4cc4f27481507d32c01c1287750f5ff3b6620

SHA512
0a02bee32c2ff2b7a1b3574a4ad39c77e697b09cb61773b98c08c243adf1679246cc966b8f291077f7361a0dcf31c023ca4f2eeb99a37121b7652eabf23f0d5b

Download Submit
memory/2232-4-0x000007FEF602E000-0x000007FEF602F000-memory.dmp

Filesize
4KB

Download
memory/2232-9-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

Filesize
9.6MB

Download
memory/2232-8-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

Filesize
9.6MB

Download
memory/2232-7-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

Filesize
9.6MB

Download
memory/2232-25-0x0000000002E70000-0x0000000002E78000-memory.dmp

Filesize
32KB

Download
memory/2232-6-0x0000000002990000-0x0000000002998000-memory.dmp

Filesize
32KB

Download
memory/2232-5-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2232-10-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

Filesize
9.6MB

Download
memory/2232-32-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

Filesize
9.6MB

Download
memory/2672-31-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

Filesize
9.6MB

Download
memory/2672-33-0x000007FEF5D70000-0x000007FEF670D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing