c7b72d815d7f0cb35a77b0dc49181376e84f5d849223f761d55a034009d661fa

General

Target

script.ps1
Size

2KB
MD5

693de5c0e94d35e8353960bcac6ede81
SHA1

37b35dfe458c8de86bde29daf4a3347d9b44f73e
SHA256

c7b72d815d7f0cb35a77b0dc49181376e84f5d849223f761d55a034009d661fa
SHA512

141cbfe5bb35cc66fc8aced0a62247952d8814566c24937bd1bb3708f9e35fb7ac1f0733461f09d67e2562fe3e90bc2516e0efcc09401f48796f903a4a083580

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2160	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2160	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2520	2160	powershell.exe	31
PID 2160 wrote to memory of 2520	2160	powershell.exe	31
PID 2160 wrote to memory of 2520	2160	powershell.exe	31
PID 2520 wrote to memory of 2252	2520	csc.exe	32
PID 2520 wrote to memory of 2252	2520	csc.exe	32
PID 2520 wrote to memory of 2252	2520	csc.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6hsyxrhz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB211.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB210.tmp"
    3⤵
    PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6hsyxrhz.dll

Filesize
3KB

MD5
a8ed5768f03ad6404f612ba9f2740e33

SHA1
a45918a234510ab42d67f5294dddfc690fee068e

SHA256
184632ceb6e9828c6071f358d39bb60defcb26d3cb62c470dff27d6fab5ce42d

SHA512
3bb76e1ea50890d6f6947fc3a0423b62a5417fb7028a86c82b2edb1df1e41f1c9182d4b99e2c40fe11f0b9f4db5e8d62aa4d13a45da7656fd8f8c7dbbba91ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6hsyxrhz.pdb

Filesize
7KB

MD5
3247c2611a67f5b483fb4c86bd35d4a5

SHA1
61232102c4b820353f06e8663105c134455cbcd2

SHA256
c4d375248c6932f22ce36aa53a5a1cd9d3ad48022be004ed7b8c2325f95bb6dd

SHA512
28de783e733349c7f0ab4a467df2df3a71c20a7366ad1d65dfab876fbdb10b088c1c8cb4936f0ef71efd3f93524e9ae20d28f0bb59a7f37d2e871c8aaa182427

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB211.tmp

Filesize
1KB

MD5
625daa96f36aa6f6ce81c0e4d1c7f2b7

SHA1
a973e6d21e74cd422f5e21b3665b1688c033cc44

SHA256
d541c49b904345ba8bfb80ede5beb6a950bd95c23b345a9b90429392dd5b535d

SHA512
31f3db35a3922211a903739073c0801658f09cbba6c93b5b6b5d66f94a00b364f101bf4bb8e537692f1801f17d59f4556818a45cd54ecd53bd2bf2e968e07a08

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6hsyxrhz.0.cs

Filesize
263B

MD5
7ef2dc814f5c082336d1fbe487a53299

SHA1
47cd4aac3e19115385f1e3e9c9f43736133c5a4c

SHA256
89bdfb37bad7981cb859d457c6da2ac99d1f6b3c8c3324b46c569f2cec1124b3

SHA512
c9e75f7c5b9d4e1156dfd52f9660ee1c3b5e0a8502de4149282d5ec8ae541d4a64a69d8a9f9027768d8fdcb17a89a7613b5a56902f66ed217c8d195e1851ddc9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6hsyxrhz.cmdline

Filesize
309B

MD5
bc24ac3b778d16bed72eaf3617649f16

SHA1
e37571eced5c828e14e6ec970eb6c8183768487d

SHA256
94c575ec80ce16fde47c192fb1355b99f0d3412c70b2ced587ac74617988ef41

SHA512
a98f21eaa1e2b0f875b82008efc585278b15dea5c82e2c4fc4534ac9e5989e7b484207629871a330c89944ae9e2acdcf99cda68da3fd9fcf0b2f24fbdacbf69f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB210.tmp

Filesize
652B

MD5
4bb555edfdb91d4f1bf235a102c23f3d

SHA1
90216af1aae855b20e87edc8bdd9ca0c1c64dbd2

SHA256
07804ba2f87b4638d265f96debceea28dfbe2a91d6a4e3c9236aa23ee1c20451

SHA512
9a040f22dddac0fb303918ffb6c40343fde810e1fccdf865d63e4ce5a8fff4657b15b69045dc9d815dabdafaa4c5d627e8ad8d20bfaf39168587d1bfd5d54681

Download Submit
memory/2160-10-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

Filesize
9.6MB

Download
memory/2160-11-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

Filesize
9.6MB

Download
memory/2160-9-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

Filesize
9.6MB

Download
memory/2160-8-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

Filesize
9.6MB

Download
memory/2160-7-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

Filesize
9.6MB

Download
memory/2160-4-0x000007FEF5E2E000-0x000007FEF5E2F000-memory.dmp

Filesize
4KB

Download
memory/2160-27-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2160-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2160-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2160-30-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

Filesize
9.6MB

Download
memory/2520-17-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

Filesize
9.6MB

Download
memory/2520-25-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing