33b832ed5ea4802a7dd24baf59f5b1380e2ce20b2739cca89b6f2f0e1c6f9da3

General

Target

trigger.ps1
Size

1021B
MD5

6ef2f9449166c05acc12dbfcceaeb206
SHA1

400ccd98d4cf1a1384421ce863aa1de9d7ae371c
SHA256

33b832ed5ea4802a7dd24baf59f5b1380e2ce20b2739cca89b6f2f0e1c6f9da3
SHA512

f843aaf898a8e3b59f61dd06f1b397c77a97417502f1a0a312a77568592ed397011dad1e95ec50f6c55099d352d02d472c91b701e2c8793c05a2d9f25a589b53

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2468	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2468	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2596	2468	powershell.exe	31
PID 2468 wrote to memory of 2596	2468	powershell.exe	31
PID 2468 wrote to memory of 2596	2468	powershell.exe	31
PID 2596 wrote to memory of 2748	2596	csc.exe	32
PID 2596 wrote to memory of 2748	2596	csc.exe	32
PID 2596 wrote to memory of 2748	2596	csc.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\trigger.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j1fwwkyx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4809.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4808.tmp"
    3⤵
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4809.tmp

Filesize
1KB

MD5
7e4cd71571ca746f15232b1953253418

SHA1
2d80e4a2b3e126a198322d91f43c69de8d1ecabc

SHA256
a5d2250f38466a8b2e979c482331c5f91254cd709499bd3b25d56d5c9ab5c8e7

SHA512
3e94f481d09e7657e1d4f9bf3c547729426ec7167fdc1f1e66d7f34bbbf449796ecadd8a11c5cbebaa667a51376b1e047f9114717513e28fcd6a72bcc404222b

Download Submit
C:\Users\Admin\AppData\Local\Temp\j1fwwkyx.dll

Filesize
3KB

MD5
48496b3b3553be845b8fdd2291b5dc95

SHA1
4d3fff18d2de0aba6e3302e06ae5a4c8715ac475

SHA256
4846098bc89e8f66e08de892841257fbbe1cfa41f55d5da206e1764ca2d16e64

SHA512
dadbe0b778d0fa6c9528e0d7be60c46f188ae624c075e98f861b4072c411e89b4db8b8ddee1795ea7a8eea1aec89ee5abd6667761c60cfd24f830e60aea08502

Download Submit
C:\Users\Admin\AppData\Local\Temp\j1fwwkyx.pdb

Filesize
11KB

MD5
b67877aa7f56b88b4e79ae364f678576

SHA1
28a4b5a8a987074234e375abdccc48acd26b453b

SHA256
ce90c435fe9817d10fb35b8e477e1c7a6d0494daf3a51fc93fe9347d52c65732

SHA512
3b747dbb16844c92403cddcbd56d865c1134c0672ff02cdedf8f8610fdbf9d37553cea3564f9cba3a54241a1b54435c6d533e6f1c649aca21cdc6a508130912b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4808.tmp

Filesize
652B

MD5
e94a5a8804d7bec88dc08d635a7d289e

SHA1
229990ae911b55d829c6035942b278c9b6e8ebfa

SHA256
5d0b58f5defc6e29a80472af4d43ddf806b364e294481ce8ddfe4119d7b6f791

SHA512
afcc2e29e4fe24a7b30ec39f54026700b0cad3f036b9b145cdec257c373b63441bfc9f76b5859561573a633b6dabe886f8b37149a6198efa25e5b5f0035f0472

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j1fwwkyx.0.cs

Filesize
648B

MD5
8539b6708ddc98df3a1cd74954dc89bd

SHA1
a69c850c26e8ecd62a3dc997164d4c92617fa40d

SHA256
0b0d3909c6bdbccc83f6206dd9e50cb8fcfa9cbdc250ac5d926cd0f8698adc3d

SHA512
c7d9a203876b75dba73305732026b0d0c6bc699870731a8a67066c1ec068cc6b05a5b3ab64384005f1dcf81fd0a5d5713a30885a56016126258db76d9a2f5afa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j1fwwkyx.cmdline

Filesize
309B

MD5
971cf9dfd79985032051bde05bb9f858

SHA1
e9c92249bb4129b97ce82e7689636abd775c2f26

SHA256
cc6051974a67ba62514b681b9823c687c3e7ea369d9a710d7621b8a84146d06a

SHA512
22f92ce564fb11897e49b81dc151e889a9b20dfbd460ee8a88967288151d336b843b171e1c5cdb87e22531f0cd88da3c329de16c663c1b8745c343918590b234

Download Submit
memory/2468-10-0x000007FEF5350000-0x000007FEF5CED000-memory.dmp

Filesize
9.6MB

Download
memory/2468-11-0x000007FEF5350000-0x000007FEF5CED000-memory.dmp

Filesize
9.6MB

Download
memory/2468-4-0x000007FEF560E000-0x000007FEF560F000-memory.dmp

Filesize
4KB

Download
memory/2468-9-0x000007FEF5350000-0x000007FEF5CED000-memory.dmp

Filesize
9.6MB

Download
memory/2468-8-0x000007FEF5350000-0x000007FEF5CED000-memory.dmp

Filesize
9.6MB

Download
memory/2468-5-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2468-6-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2468-7-0x000007FEF5350000-0x000007FEF5CED000-memory.dmp

Filesize
9.6MB

Download
memory/2468-27-0x0000000002A10000-0x0000000002A18000-memory.dmp

Filesize
32KB

Download
memory/2468-30-0x000007FEF5350000-0x000007FEF5CED000-memory.dmp

Filesize
9.6MB

Download
memory/2596-17-0x000007FEF5350000-0x000007FEF5CED000-memory.dmp

Filesize
9.6MB

Download
memory/2596-25-0x000007FEF5350000-0x000007FEF5CED000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing