66b3309146e34ae971ff0b5933d2392c9016ea8c8fef2b41b66bb11f6dd84acf

General

Target

x.ps1
Size

757KB
MD5

e9bf208781b60d91292c6177677e27f8
SHA1

364f17ba1b85e4c903157cb8a897f35fa48e73b7
SHA256

66b3309146e34ae971ff0b5933d2392c9016ea8c8fef2b41b66bb11f6dd84acf
SHA512

3b17fc0a33cdb568ce10a78df234ecd05331d020fdd7eb52ec22e1461df0231569ce6a6d86dd1276495bfae8f4d8bf96b42cad2434c18bb170a5f96a43ca29d7
SSDEEP

12288:gcsub9WFDXHZwlfFd41W1QJzJRm2FDgM/ZR4skE8fITcH1B:gcDb9WJ+lfFd41WmzJwmDR/ZR4skE8fH

Score

7^/10

execution

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2036	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2036	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2036	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2684	2036	powershell.exe	32
PID 2036 wrote to memory of 2684	2036	powershell.exe	32
PID 2036 wrote to memory of 2684	2036	powershell.exe	32
PID 2684 wrote to memory of 2760	2684	csc.exe	33
PID 2684 wrote to memory of 2760	2684	csc.exe	33
PID 2684 wrote to memory of 2760	2684	csc.exe	33

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\x.ps1
1⤵
- Loads dropped DLL
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0-3zf0ln.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9E3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE9E2.tmp"
    3⤵
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0-3zf0ln.dll

Filesize
3KB

MD5
787c6e3893d4cd89269992a9f5f3d34f

SHA1
edd3697d5a2e7a98289ecc362bf6634ac304fde1

SHA256
4e7c76140a21e45c534d1e198daa4ee9a2cbc210c1c28c483a28a0dc80a8d3eb

SHA512
e9ecec7cf6c0934062f3c1e81a32278906b4371305f03a09bfac2c1c2f303fb21386bad8aca28d896f07e80f64a84630da0db563788fa21efaffb7c7f6504485

Download Submit
C:\Users\Admin\AppData\Local\Temp\0-3zf0ln.pdb

Filesize
7KB

MD5
1b71967586e4348bd12920055ba43074

SHA1
fee81b7e8e54da5b27dcec10e515fb7a53eab854

SHA256
d9ae551de2a13931317ca2cee971d8e8e41f84f87ecc72018c8705294d2155b7

SHA512
e3213b57f4d5c27c72113106fdb08ae4e719f2f575ed85931ef59351477e9104417bb6752c8d60bebf7c2144ea62e259e794270531d148f6d8f260b0626c4314

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE9E3.tmp

Filesize
1KB

MD5
2c5e0009fba992d7af53b431d70b5685

SHA1
eb816e35e89e3dd9a5247942a939f4cea539d339

SHA256
9ae72eebccb72b29ab10543e1177c684de1a4cef69cd0072b1a8a9678364f97a

SHA512
4b87d1e23c014b64769cda504e3f331062bd662bf5cd2278dda14fbfc9217e7db7ad8dbc798e745e368345acac6e83ebe248c5f7d747ae94f59cd51b6ba2ced4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0-3zf0ln.0.cs

Filesize
241B

MD5
39b16906bbf5534bb4717f375f3a5988

SHA1
aac48f40f360586f5eb5bd090bd4d0fe41da734a

SHA256
3eda6dc6369b39220fb30e52264e95eb8e49c2f6d38692e373579a7a0aa9db85

SHA512
556b49f8e33c9348ae4394b4aca74d93ba269686d60415cb574790a4f5e2b459ed00ae1f85c8c6eac648f968f15948079c63c1db722d7a10634af7fc07efeb37

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0-3zf0ln.cmdline

Filesize
309B

MD5
63b078b235bce9cc464f11d1a246fcb9

SHA1
4e11008aff8b024c9c8f551c9575709d941c9b62

SHA256
d41aef2d763f7f1edaa371f3e2777c7f6dc97a11f1c5f21bb59988ff6ed065cd

SHA512
81fec63ddaee99087288d6677ecf6a5f6780917d7b2b622208dfbdb160194269860ab342aeac8ae0b96da62440a063468fb205c604050fb9feb3923c800b272e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE9E2.tmp

Filesize
652B

MD5
dae0c44eeb8b4a556d9f204439724bbb

SHA1
b22e92048f9be05b7363d9cea296db4be760765e

SHA256
62852bba89b534e8f8e98bd4e10fcc224a7d5205cae90525315c7bc7ea073504

SHA512
e2e8dde9063eacfd2ca09b4100c5e4a613c88217419ce5b8918e9296514e31a831bbd7dab2617f0b4438301a716504bb0a70f13d2630d706e5e53ab4c9e72d4a

Download Submit
\Users\Admin\AppData\Local\Temp\tmpE782.tmp

Filesize
12KB

MD5
e6b7078b6b145749c223b63690cf7822

SHA1
562145c8fdef211277dcfe2170cad2ba862dfdca

SHA256
7c0e07e3947e1c61818f8de92cb4cc4f27481507d32c01c1287750f5ff3b6620

SHA512
0a02bee32c2ff2b7a1b3574a4ad39c77e697b09cb61773b98c08c243adf1679246cc966b8f291077f7361a0dcf31c023ca4f2eeb99a37121b7652eabf23f0d5b

Download Submit
memory/2036-4-0x000007FEF559E000-0x000007FEF559F000-memory.dmp

Filesize
4KB

Download
memory/2036-9-0x000007FEF52E0000-0x000007FEF5C7D000-memory.dmp

Filesize
9.6MB

Download
memory/2036-8-0x000007FEF52E0000-0x000007FEF5C7D000-memory.dmp

Filesize
9.6MB

Download
memory/2036-10-0x000007FEF52E0000-0x000007FEF5C7D000-memory.dmp

Filesize
9.6MB

Download
memory/2036-6-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2036-7-0x000007FEF52E0000-0x000007FEF5C7D000-memory.dmp

Filesize
9.6MB

Download
memory/2036-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2036-28-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/2036-11-0x000007FEF52E0000-0x000007FEF5C7D000-memory.dmp

Filesize
9.6MB

Download
memory/2036-34-0x000007FEF52E0000-0x000007FEF5C7D000-memory.dmp

Filesize
9.6MB

Download
memory/2684-18-0x000007FEF52E0000-0x000007FEF5C7D000-memory.dmp

Filesize
9.6MB

Download
memory/2684-26-0x000007FEF52E0000-0x000007FEF5C7D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing