33b832ed5ea4802a7dd24baf59f5b1380e2ce20b2739cca89b6f2f0e1c6f9da3

General

Target

trigger.ps1
Size

1021B
MD5

6ef2f9449166c05acc12dbfcceaeb206
SHA1

400ccd98d4cf1a1384421ce863aa1de9d7ae371c
SHA256

33b832ed5ea4802a7dd24baf59f5b1380e2ce20b2739cca89b6f2f0e1c6f9da3
SHA512

f843aaf898a8e3b59f61dd06f1b397c77a97417502f1a0a312a77568592ed397011dad1e95ec50f6c55099d352d02d472c91b701e2c8793c05a2d9f25a589b53

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1528	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1528	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1528	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 2340	1528	powershell.exe	31
PID 1528 wrote to memory of 2340	1528	powershell.exe	31
PID 1528 wrote to memory of 2340	1528	powershell.exe	31
PID 2340 wrote to memory of 1688	2340	csc.exe	32
PID 2340 wrote to memory of 1688	2340	csc.exe	32
PID 2340 wrote to memory of 1688	2340	csc.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\trigger.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1upxpdji.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8EC9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8EB8.tmp"
    3⤵
    PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1upxpdji.dll

Filesize
3KB

MD5
37a34611653e711d4ee608d67563c652

SHA1
e6c03c40b8201e61adfab2e83e0263bddb68cc36

SHA256
1ee366fafe8d50440e4b05bfc01fe0a0b5372503fb3da352fadcf7cc9b20d7ab

SHA512
b48eedab84e8cad11be7d3b7770e0931c6ba2216594350adfc61b74e44ac7ac0c5d565f11a36fa548cab69fde3f535729f9623602c0dc8eb3c2cd507de48f84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1upxpdji.pdb

Filesize
11KB

MD5
d6932f9fcd5b26822e913b6e7134f3f3

SHA1
c41e7589f071eb99845f5fe1680dd20dc1970195

SHA256
e84aa7711d4eb7ebc24b4453115a499839521f415b281be1da3aaf029f0eb82b

SHA512
1a39288e1915455c21b0ab278a27bd941043e05d8ec1a6d51e9aa73fbe85c63d491bccb3dc256dbd2b4cb273b6bfa846f263a862694093b57b47f836d28a8b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8EC9.tmp

Filesize
1KB

MD5
b39b2949d83efc4f6d8091992ebcea53

SHA1
585c097b1b39100cdf61530f97d68f3a25f86bb1

SHA256
3cd96e39c22eb0cc14e06bdc757da762325c3fe25b234ad3979fe365128659e4

SHA512
aa99655ddf4111d3d5c6afc3f3c500ae28b050b27b3dce651e96938c939d151dc4c73443de86ae593a94f1fddd34583740bf4155e305d76b8f3506152d3c586f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1upxpdji.0.cs

Filesize
648B

MD5
8539b6708ddc98df3a1cd74954dc89bd

SHA1
a69c850c26e8ecd62a3dc997164d4c92617fa40d

SHA256
0b0d3909c6bdbccc83f6206dd9e50cb8fcfa9cbdc250ac5d926cd0f8698adc3d

SHA512
c7d9a203876b75dba73305732026b0d0c6bc699870731a8a67066c1ec068cc6b05a5b3ab64384005f1dcf81fd0a5d5713a30885a56016126258db76d9a2f5afa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1upxpdji.cmdline

Filesize
309B

MD5
891af980be8f1dba3e12436a60f22d59

SHA1
0308227491fe275fa61b64410d7370d84d4a5c91

SHA256
82a8a7f3660e76f135df800bda9af1f2ad191b111c25654c80e0cd1e9abaf05f

SHA512
6fc7b8cd039788d02520403b7e9cbc76727ad1f37accd59f0a3e1360a7eb27f8d24bec78ebf4d1cab1f689131a51ebc85a5dc462339077ab941e33e742182161

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8EB8.tmp

Filesize
652B

MD5
786b4070f79b0898a75c8532d32d6c10

SHA1
46ba64c66001f2f5bd2dc615ba9fdd65511b345b

SHA256
7f4c0540a516bacc306f248bfec01df66ee10feef183869e2be777add92ff858

SHA512
b19c8657fc69846fad6fc701634baabcabf4adb23a1e2b9a8e64e4c97ef1a77e146bd4d5ddf4b2250241ad35bfa723df6bc14df01f180cbb7d3246c09d45d497

Download Submit
memory/1528-10-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1528-7-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1528-12-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1528-8-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1528-9-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1528-4-0x000007FEF540E000-0x000007FEF540F000-memory.dmp

Filesize
4KB

Download
memory/1528-11-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1528-28-0x0000000002A00000-0x0000000002A08000-memory.dmp

Filesize
32KB

Download
memory/1528-6-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1528-5-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/1528-31-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2340-18-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2340-26-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing