a33973f5db28149436244ea6de4fb1eec9f297b795b949f293bfc322504d9510

General

Target

stage1.ps1
Size

2KB
MD5

9cc29d3f5d6f3a35268cde9622b1ac9a
SHA1

241b1037acf1d713fc90239739428e3d3c0b9ad2
SHA256

a33973f5db28149436244ea6de4fb1eec9f297b795b949f293bfc322504d9510
SHA512

7a76b35c761708c4c01e2838ef39edeed740201274586649368bcd92e4edb230e68e6cd78880b68f6ef1f2bcb4785e45b19ab3da23d5dcaabae20b25ffacf95e

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2848	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2848	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 1884	2848	powershell.exe	29
PID 2848 wrote to memory of 1884	2848	powershell.exe	29
PID 2848 wrote to memory of 1884	2848	powershell.exe	29
PID 1884 wrote to memory of 2288	1884	csc.exe	30
PID 1884 wrote to memory of 2288	1884	csc.exe	30
PID 1884 wrote to memory of 2288	1884	csc.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\stage1.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2vor2nxv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B30.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8B2F.tmp"
    3⤵
    PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2vor2nxv.dll

Filesize
3KB

MD5
e04bc1a6737bfdf85bd8a19da8fdeda4

SHA1
ede1866b7b72fb5b3ee44c3eebca8ba5d2f938cd

SHA256
0de9d34f972e9f12815736ec76287b8e01275e20629457648ae6eee6e0af03a0

SHA512
d2fd869f3957b77a4287fc60f3b285602ab35e0aa16ce5ba95bdb6e4fdf0c5aa78a7aeda810b61aa99ac78385a4bca66ab25d3b612e1a8a44d0d6f8ece480c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\2vor2nxv.pdb

Filesize
7KB

MD5
53d5f9663cecfaffaceb4288c9729a6d

SHA1
6e6da9ebf9cadb3ca97789875e5d7d5dce13b0f9

SHA256
6d42c01f59dffe92f332a6775e09809fc548071502b71bf0e99218e5c4274f82

SHA512
ae75c817376e669976b54959dd70c838b79bc566848b0be8a4f133821f2b5b4e005e7c07df48f5ac2cc53c610157c6d4222798dfd86b9532d192e7c57f24f5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8B30.tmp

Filesize
1KB

MD5
cde6011dc4ba54f6806ac59fe3cdf8ac

SHA1
36296fbe56bd122cc5e8c70f59caa1598fc90fd6

SHA256
368e72e37601bf6c6f1d38266ef9917f22e2cfd953ce2be1e3db4397ff28880c

SHA512
b93e2803623aa812b195ae3ba2e863ce2459904bb17a4755a8038467bf8982492029873e4b349cf98512b44e71bdbec98b93c6d5d9121a7270ac90b5352e6f6b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2vor2nxv.0.cs

Filesize
263B

MD5
7ef2dc814f5c082336d1fbe487a53299

SHA1
47cd4aac3e19115385f1e3e9c9f43736133c5a4c

SHA256
89bdfb37bad7981cb859d457c6da2ac99d1f6b3c8c3324b46c569f2cec1124b3

SHA512
c9e75f7c5b9d4e1156dfd52f9660ee1c3b5e0a8502de4149282d5ec8ae541d4a64a69d8a9f9027768d8fdcb17a89a7613b5a56902f66ed217c8d195e1851ddc9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2vor2nxv.cmdline

Filesize
309B

MD5
77f1168cf33c6c5b5b196576bba7633e

SHA1
a26aa44edffc59ac3d60a2ef2beaf280d0ff112b

SHA256
0a83f259a2533ad79d0e3c744898e7e6253513e54794e99b3782b95dfd0b30b5

SHA512
1787a0cc9e3a2820501666ac7bf5fc58045b81d8bbe2d2745848a26b858023a910c0601a5493f058bb15682636ce32a4e52e068ee8c956423c60894a41321bb7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8B2F.tmp

Filesize
652B

MD5
1ae2ebdedca2feade19ecd36b333d3a5

SHA1
b3c76f459f08c37e67c72fba42041ef3f4d27358

SHA256
9e3880125e8e19780a78c0302df37e54b4c72be81b2e47db5242ff5a21a72802

SHA512
c4d907912b019ed1776971bb464e81dbde22db60fba4ee56b745bdc3f3b28ae6cd0eea2cf88f5b657c63570432d37816302e8eea6554fbd4cf73291ba457f23d

Download Submit
memory/2848-13-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

Filesize
9.6MB

Download
memory/2848-4-0x000007FEF5FCE000-0x000007FEF5FCF000-memory.dmp

Filesize
4KB

Download
memory/2848-18-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

Filesize
9.6MB

Download
memory/2848-7-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

Filesize
9.6MB

Download
memory/2848-5-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2848-23-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2848-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2848-26-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

Filesize
9.6MB

Download
memory/2848-27-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing