c7b72d815d7f0cb35a77b0dc49181376e84f5d849223f761d55a034009d661fa

General

Target

script.ps1
Size

2KB
MD5

693de5c0e94d35e8353960bcac6ede81
SHA1

37b35dfe458c8de86bde29daf4a3347d9b44f73e
SHA256

c7b72d815d7f0cb35a77b0dc49181376e84f5d849223f761d55a034009d661fa
SHA512

141cbfe5bb35cc66fc8aced0a62247952d8814566c24937bd1bb3708f9e35fb7ac1f0733461f09d67e2562fe3e90bc2516e0efcc09401f48796f903a4a083580

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2316	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2316	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2056	2316	powershell.exe	32
PID 2316 wrote to memory of 2056	2316	powershell.exe	32
PID 2316 wrote to memory of 2056	2316	powershell.exe	32
PID 2056 wrote to memory of 2684	2056	csc.exe	33
PID 2056 wrote to memory of 2684	2056	csc.exe	33
PID 2056 wrote to memory of 2684	2056	csc.exe	33

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dytehi-9.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC6B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDC6A.tmp"
    3⤵
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDC6B.tmp

Filesize
1KB

MD5
0b259ee354cd120e3bd5d70242a5de05

SHA1
d9254bbf8d7fd3b88d25ac6583279fa48244101c

SHA256
2bf7476478c3b295133ec2d06e11979e49f9ddeec82a3f1a1f87d683db2bfb7d

SHA512
e37e3e42e1bd9302679a1c11f48acef624356838f77b3345e4bb1ac1eeecd3e5025e4e490433692770686beeb4c710579dc00ec374e2ae9ca05c2964d1a4b377

Download Submit
C:\Users\Admin\AppData\Local\Temp\dytehi-9.dll

Filesize
3KB

MD5
766a2abf0421afbd4bfe8171f2132bb2

SHA1
8dcedf2d6261e756997968c3290707e67f06340a

SHA256
cb062b5e6410da8d2d3a28240b8853b64744183bc105b671702f11b0dab716f1

SHA512
38f1d5781949ed74b8cb80b646cbc57f9ab7ab2347911ee00a7df37401a1bcc244085cb1537012c237561bd3664c2f5a5f6fd028e442b842ed983eab1d9d8081

Download Submit
C:\Users\Admin\AppData\Local\Temp\dytehi-9.pdb

Filesize
7KB

MD5
64a41fb1c3f00436ad2f10ccfa66635c

SHA1
f31d56bf81d750d3526dc2835a82243a1d1ef97b

SHA256
aa31a47a726f263a2b9742c946661390ee5c4f6450224b104cca081e6efad171

SHA512
e0d809fe53308dfa2af9440876e76af049d948a2649bf1a254acd3743a11091cb2923031063f9bc94a41efac617139adcab1b46b16ee19071c2603ab86cfca78

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDC6A.tmp

Filesize
652B

MD5
6e736de6926d5bbddc4c24203a9247ad

SHA1
8a3d7bfbca3135e0eec888c6a1ccf18d3828755b

SHA256
8e5fb8814e742201534c4af197c2c7a3e9c5a64d2db47d714fc77b3469a360c3

SHA512
30b7bd6c8dd93f784b73c78e16fa5ff8b3e9497c5bb552cc25af7e719ed5a957c69e21c721acb300aa9a2a572e79887b9139697fdf9e48be5d0be2cc4bb48496

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dytehi-9.0.cs

Filesize
263B

MD5
7ef2dc814f5c082336d1fbe487a53299

SHA1
47cd4aac3e19115385f1e3e9c9f43736133c5a4c

SHA256
89bdfb37bad7981cb859d457c6da2ac99d1f6b3c8c3324b46c569f2cec1124b3

SHA512
c9e75f7c5b9d4e1156dfd52f9660ee1c3b5e0a8502de4149282d5ec8ae541d4a64a69d8a9f9027768d8fdcb17a89a7613b5a56902f66ed217c8d195e1851ddc9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dytehi-9.cmdline

Filesize
309B

MD5
dfb6b8476f37750a7c5480a3881589e8

SHA1
b35fd0479c27b9a8bbe1dd89cfe70bae95d17541

SHA256
69d4ad49f909f95015d4ba01280b29b69352addf96ba055e56c926bc5ee56e23

SHA512
ac8a0536f67b02ae23f84102fc0fcd63562ea9b36da9301216f0d980682e6c0090072749b399018d574da451a1852f9e849b736cfad79638fe3da81f784688ef

Download Submit
memory/2056-17-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/2056-25-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/2316-10-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/2316-11-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/2316-4-0x000007FEF61EE000-0x000007FEF61EF000-memory.dmp

Filesize
4KB

Download
memory/2316-9-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/2316-6-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/2316-8-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/2316-7-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download
memory/2316-5-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2316-27-0x0000000002B80000-0x0000000002B88000-memory.dmp

Filesize
32KB

Download
memory/2316-30-0x000007FEF5F30000-0x000007FEF68CD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing