13848f74c576b1624b6b64dd556791a7b40b7fee6a0fa7ea6ce3f82c8cc98b2b

General

Target

gg.ps1
Size

1KB
MD5

4c1d5a75dc7dbff21097fb5a63bedfec
SHA1

d3a9435b41227be9617e472adbcc60c93a970c1a
SHA256

13848f74c576b1624b6b64dd556791a7b40b7fee6a0fa7ea6ce3f82c8cc98b2b
SHA512

74770ffea4ef1b427a8dd06b61f2f11990cce7034ee29fcb29d5470c5628338aec6454503e7592b4c75e5fdac3f21f5e5a1f12c6b57c972cafa70bc558705968

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2104	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2104	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 3040	2104	powershell.exe	31
PID 2104 wrote to memory of 3040	2104	powershell.exe	31
PID 2104 wrote to memory of 3040	2104	powershell.exe	31
PID 3040 wrote to memory of 3016	3040	csc.exe	32
PID 3040 wrote to memory of 3016	3040	csc.exe	32
PID 3040 wrote to memory of 3016	3040	csc.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\gg.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\omayruvg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5EF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC5EE.tmp"
    3⤵
    PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC5EF.tmp

Filesize
1KB

MD5
fc018acadcf828ba69c860733743dafe

SHA1
54bffc72093d673624243ea26ef56a2cfa45760e

SHA256
bebc1747478596c83e8ef9de691f3c6f46c7431883e7bd7d316e34def67e409b

SHA512
fc2890d4cab35546050839797d86d1ade25ddcf24593eb82996d4c31663af2e23cfbfe68348b1ac9c8cef58d48e75056669f80684f8a363cb3839c8aaa8e88e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\omayruvg.dll

Filesize
3KB

MD5
31cc582d17744e96009309699ff8836f

SHA1
12b4ca29645c187c9bd5f62267c55af359b1ce39

SHA256
9c9c2f358fbbde6218397d9bb3cad3b196b9500cf89f11f00852497c9b75f15b

SHA512
82cac14956ea4faf79d578268c5d084ff2a66df910cd57594a8b77dbcfdeb051f6d6e65d5e2c6341128e7c331a1fee38f0ebf89649eae09d1db6350de83228f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\omayruvg.pdb

Filesize
11KB

MD5
7682ef0419bc8cc3c3977bbc87e8b1d8

SHA1
53730285b77d0cc7305f986ce1b112a007dc0f28

SHA256
00ad2df45739f2a0384ab11a05a0e8657a318ddca687bb92f18a84535e8faf22

SHA512
b9e46f1b4c73092bfb78c7b8071470d1d45a8075667f5cea21a35cbce01308633949c3c35c01aaec7964a78ed4ab7293ebd4ce38f20f9927578605f1578bfc41

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC5EE.tmp

Filesize
652B

MD5
97bab09fd898665e109a766cd0381c51

SHA1
24f2eae72af5f7610d301ac3462181cc0411644f

SHA256
ef330ec0ebf8e49dd58edd727a99b702ef6e5e329345e8eefd3de8d15e9a2126

SHA512
4fd1e0fdfea382a748c883a7e6a17fdcfb713b5aad4736b47365b1a55a84d35bfe69cd638ceb490b5a2c3c21b330b28f0f87022c947f4bddf34a7f08ea09cc18

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\omayruvg.0.cs

Filesize
648B

MD5
8539b6708ddc98df3a1cd74954dc89bd

SHA1
a69c850c26e8ecd62a3dc997164d4c92617fa40d

SHA256
0b0d3909c6bdbccc83f6206dd9e50cb8fcfa9cbdc250ac5d926cd0f8698adc3d

SHA512
c7d9a203876b75dba73305732026b0d0c6bc699870731a8a67066c1ec068cc6b05a5b3ab64384005f1dcf81fd0a5d5713a30885a56016126258db76d9a2f5afa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\omayruvg.cmdline

Filesize
309B

MD5
291f4ba838c7f3961d15922a2e9fcc66

SHA1
2a92468c0fcd93dff6142cb78938df76016e37fe

SHA256
c793f61a64029ab4c87f6ce025a876d40834ef07464716b416ba527429d7ac6c

SHA512
744af51041418b2a7c7ec8ca73fe1d57e84fae3de6cfa94dd105a379798693d11985c3f5f53947f091c27d7486282dca624b06d70bccade82d03e835b9a4fd44

Download Submit
memory/2104-8-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/2104-11-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/2104-12-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/2104-10-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/2104-9-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/2104-4-0x000007FEF587E000-0x000007FEF587F000-memory.dmp

Filesize
4KB

Download
memory/2104-7-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/2104-6-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/2104-28-0x0000000002BF0000-0x0000000002BF8000-memory.dmp

Filesize
32KB

Download
memory/2104-5-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/2104-31-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-21-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-26-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing