66b3309146e34ae971ff0b5933d2392c9016ea8c8fef2b41b66bb11f6dd84acf

General

Target

66b3309146e34ae971ff0b5933d2392c9016ea8c8fef2b41b66bb11f6dd84acf.ps1
Size

757KB
MD5

e9bf208781b60d91292c6177677e27f8
SHA1

364f17ba1b85e4c903157cb8a897f35fa48e73b7
SHA256

66b3309146e34ae971ff0b5933d2392c9016ea8c8fef2b41b66bb11f6dd84acf
SHA512

3b17fc0a33cdb568ce10a78df234ecd05331d020fdd7eb52ec22e1461df0231569ce6a6d86dd1276495bfae8f4d8bf96b42cad2434c18bb170a5f96a43ca29d7
SSDEEP

12288:gcsub9WFDXHZwlfFd41W1QJzJRm2FDgM/ZR4skE8fITcH1B:gcDb9WJ+lfFd41WmzJwmDR/ZR4skE8fH

Score

7^/10

execution

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1504	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1504	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1504	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 2404	1504	powershell.exe	31
PID 1504 wrote to memory of 2404	1504	powershell.exe	31
PID 1504 wrote to memory of 2404	1504	powershell.exe	31
PID 2404 wrote to memory of 2780	2404	csc.exe	32
PID 2404 wrote to memory of 2780	2404	csc.exe	32
PID 2404 wrote to memory of 2780	2404	csc.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\66b3309146e34ae971ff0b5933d2392c9016ea8c8fef2b41b66bb11f6dd84acf.ps1
1⤵
- Loads dropped DLL
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vpmrjhlc.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB33A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB339.tmp"
    3⤵
    PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB33A.tmp

Filesize
1KB

MD5
e403de0ab7c53eb8b36b9c53032575a8

SHA1
5c793b722a2c2deecfa61f803e04f464cc9a4c0f

SHA256
2db6758ffc78f9a7ec542b7a8a5f5fc893af6be3506a199de1df25437ae6d8a2

SHA512
3c7dbf6b6dbd7873246a2f416c165f524507923aaf62a8f13f39a288ec05df1e42f54f40306ead1e344d36b1f05d53b120d35a5a3203d80c992ab24b0eda6c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vpmrjhlc.dll

Filesize
3KB

MD5
99477aebf8f76bfaf9a01bf5291cf33b

SHA1
a1fad11f81991896d46944c66324352c0ba8af9e

SHA256
44d7ecca2848da0d6b89c152400a0d95eb8367cf95464ad82ecbca3f1474193e

SHA512
0873076ecde6039704559242c74200c59c1584799c2c2b93abc7d8740741d9f71cebce15d1ddda1d1746cfc9c0434d93597b1bf0067abfba38c86e58ae6897df

Download Submit
C:\Users\Admin\AppData\Local\Temp\vpmrjhlc.pdb

Filesize
7KB

MD5
057428a90537f0aca8aa8bebf445262c

SHA1
e156221e9a04f11f12ac487b0e42a7c98fcf7e7e

SHA256
f13834f81db72048bbe0d626862212a7ca8f41e11f20374b06705074e5237ace

SHA512
b9d853d9a23225530c0463c8b8813d93340248f9bbabff1bdae7f5a8c3cf003bbefb1361a6665e51080d0b4d822a3dd5427b0dae6096615766d6b681f8a8b447

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB339.tmp

Filesize
652B

MD5
3b7c6f52fbc9dd31ac3bae224e122a3e

SHA1
5498cbcccb89312dda431787ab5c1ba8a1787686

SHA256
b71ae23e96a099c47f5e01335c2e51776367c18193c909efb97432dc8029d393

SHA512
ad236fc4045d0772e52ab99e4260d49749312476ce8994eda5990a4b7493321b3c63a42b8a8938f594b8b6feaa20c5c6de37e2a9b70cedfa542c34cdf2826ab5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vpmrjhlc.0.cs

Filesize
241B

MD5
d2aa4def104fad7e2642ab34cb86517f

SHA1
595de7362bb05e2dc2d8314e0396bd87100b1135

SHA256
ce52b8d01ca537f006ef052acbcb4b2df04a6de7c2d450eafbe25b3ff030c64d

SHA512
47d0989031d9c76e7f8c9153574ff76943755d4e4021bf396d630937ac6776a1f3875428ab18cb70f6d4c3bb0080fca3662df0ced5b4f23450ab5ba05e57d670

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vpmrjhlc.cmdline

Filesize
309B

MD5
3c130ea86f2b76c19e518c3d4b538821

SHA1
5100abb5a5bb1340e99f4899256dbdd031b5af7e

SHA256
ef465373cf598ac8773db4add9365487ae85ae9547adfc20b8cd3bde8b16400d

SHA512
49bf155f18a791ad1d7030033cffcdabdc910a23e1c271ec02ae3c0c137be87e31dd6cfcbfe41b7d0476c12a989ed587640e094899e8018052f9113d842273ee

Download Submit
\Users\Admin\AppData\Local\Temp\tmpB27D.tmp

Filesize
12KB

MD5
e6b7078b6b145749c223b63690cf7822

SHA1
562145c8fdef211277dcfe2170cad2ba862dfdca

SHA256
7c0e07e3947e1c61818f8de92cb4cc4f27481507d32c01c1287750f5ff3b6620

SHA512
0a02bee32c2ff2b7a1b3574a4ad39c77e697b09cb61773b98c08c243adf1679246cc966b8f291077f7361a0dcf31c023ca4f2eeb99a37121b7652eabf23f0d5b

Download Submit
memory/1504-9-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/1504-4-0x000007FEF513E000-0x000007FEF513F000-memory.dmp

Filesize
4KB

Download
memory/1504-10-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/1504-11-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/1504-8-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/1504-6-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1504-5-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/1504-28-0x0000000002A40000-0x0000000002A48000-memory.dmp

Filesize
32KB

Download
memory/1504-7-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/1504-34-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2404-18-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2404-26-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing