8bab4ba0004cd3a627a59e3877ec92ebff143a4810667b042e57ce168cf44e39

General

Target

8bab4ba0004cd3a627a59e3877ec92ebff143a4810667b042e57ce168cf44e39.ps1
Size

1KB
MD5

35c92f4cd446344a166cbf83dbf0ff15
SHA1

e06f98c2f5f82eab44226937d5ce29600f407dcf
SHA256

8bab4ba0004cd3a627a59e3877ec92ebff143a4810667b042e57ce168cf44e39
SHA512

63128bbe01c0123b5131ed863759dfc19f036dfb53f2d62e15b24f5f3c1df2c8391f48881919741e599c4c922e95b9f7395b9da15d40b7e3655358a9832296da

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	1568	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1568	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1568	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1568	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 2460	1568	powershell.exe	31
PID 1568 wrote to memory of 2460	1568	powershell.exe	31
PID 1568 wrote to memory of 2460	1568	powershell.exe	31
PID 2460 wrote to memory of 2384	2460	csc.exe	32
PID 2460 wrote to memory of 2384	2460	csc.exe	32
PID 2460 wrote to memory of 2384	2460	csc.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\8bab4ba0004cd3a627a59e3877ec92ebff143a4810667b042e57ce168cf44e39.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lupax0ky.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB674.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB673.tmp"
    3⤵
    PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB674.tmp

Filesize
1KB

MD5
03e1bc5b284d0bc4f1fdb4502336aa39

SHA1
0b1cd19cd5d97622599ea3ddf1c514c7c10686fb

SHA256
95c3b69274e73df29c1cc0cd1d003f4563cf5128fb6f671182a0f08b1146a763

SHA512
ac3a3441e5a412499fe55b69360f29b53f42d2344e0fc6836748c7d762c94bf6bbf251b4233424640d1adab05ebf77849f7926126d1653dee201e1bf9930be50

Download Submit
C:\Users\Admin\AppData\Local\Temp\lupax0ky.dll

Filesize
3KB

MD5
4eee766b98481a05a08adcd74f14c972

SHA1
48b3e3a6251c3d6e540c7a5214bbb595f04cc4a6

SHA256
d61ee4b22de73ffd0cebac60f9d099385eadd5c9181b42beb0454f6638543ea0

SHA512
f088227c36384f13f28ef1998e36e142743f70fa7b32a41c6017430e8cbd3b1b2f9b43d886ed59721f40ed9b7e5b2e0e4b9bc31c0c40751be918e904d0cfd0e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lupax0ky.pdb

Filesize
7KB

MD5
2aef03ea3124534ab5cb02c96f3b6324

SHA1
1bd74dc20760499a00f3a8177a712e60b538cb9f

SHA256
78d4f7c2e4e74158e733c7e3c03e82ad3c1fcb0b0e5827987b972ed7e7d83789

SHA512
4e1658f399a1dae5f350f785fe05c6b7f29c44b6a9515549fae15cc494298057bb343bd70860d4b913b25d8d100cfbe46c6806534e0c384f845cd436d88728db

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB673.tmp

Filesize
652B

MD5
e947dd1f66024fff59889867a73f3444

SHA1
d100c5f4b81c595656e43702b5db57a9eaa0c396

SHA256
04d7cb11e88cad2aa62625a03175357f6e938bdf6ac5641b2c66f13172257f46

SHA512
7bd9cea943e93fd5b565b5ec172756f722ae0d8f5f9b7dd2e92a0a73b1d8b3edbe7fc3544f1513eb580ac9ad947038df8ad1a59201fbe21fdeb56844dabfe5a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lupax0ky.0.cs

Filesize
267B

MD5
23153877f0e70049d7f366448cc220bc

SHA1
2851269291a02ad0c7b60cb6ff7395bd1a20c659

SHA256
d7ed9035e9940848f250a57fb4f99e509e3fc50e4b5cb7be13c7ffb4787508ac

SHA512
82f29b8507abed31d15c2cb892c338debe6a2538c6be2c6741fb9c8afe76d26c43ec8b7060c37b1f91d1c475581e3bb816033bd09389d3973349a3b6e17af1a1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lupax0ky.cmdline

Filesize
309B

MD5
a6ea626062e7a0b6e0f8f3b29c4437b0

SHA1
b0dd5871df7efaeb5523e41e58cc7a47bde3d4fc

SHA256
ba79cb23c243a4ed74e3639bfdfc4e7ae8ca5d8bacf8b04576d171adb18ce59a

SHA512
38b8f396111da6abf47dbe77a96f2db07fa366b375004bddd3662de4a4ef6e8fe4035edcb2eab1f917d91d2cf0cf4490478d1f266729a870d0d12cb407e02c5d

Download Submit
memory/1568-6-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1568-9-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/1568-4-0x000007FEF5EDE000-0x000007FEF5EDF000-memory.dmp

Filesize
4KB

Download
memory/1568-26-0x0000000002CE0000-0x0000000002CE8000-memory.dmp

Filesize
32KB

Download
memory/1568-7-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/1568-8-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/1568-5-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/1568-13-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/1568-32-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-16-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2460-24-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing