1ee68dd6977f00a68a00b3331b728eeeffb1b0b0fc95c4a71594bef995f80bd0

General

Target

Test.ps1
Size

2KB
MD5

1bc29571638a14d15437d650c7f8b5d6
SHA1

4a31f2ec99a7747af18cf7caa96950b80601da2b
SHA256

1ee68dd6977f00a68a00b3331b728eeeffb1b0b0fc95c4a71594bef995f80bd0
SHA512

a9ccfc4e7da5f4159b0056ee738bb95262b9fb74baeb7844efad31331a60a13a34ab4784712a8d59f11b5557e48eabd4872bb05e80139ec08510fabf76ba5eb2

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1740	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1740	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2448	1740	powershell.exe	31
PID 1740 wrote to memory of 2448	1740	powershell.exe	31
PID 1740 wrote to memory of 2448	1740	powershell.exe	31
PID 2448 wrote to memory of 2736	2448	csc.exe	32
PID 2448 wrote to memory of 2736	2448	csc.exe	32
PID 2448 wrote to memory of 2736	2448	csc.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Test.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\531bem6p.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES932C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC932B.tmp"
    3⤵
    PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\531bem6p.dll

Filesize
3KB

MD5
77fcbf8a6f60a04c22d8e9439b35dfc9

SHA1
9e06897ab3171e8eaa10d2d89fa6d978cc149f57

SHA256
c3b6f908a4d62eab83142e3157bc2f63c6fc3e9123bd921166c35a2d907f0d64

SHA512
f50e48e7a8cbb9b5cec43b53e4f8367dbcd5f99ab48a249ef9358a47732225a04de906981627cb5839623ed01efb59dedcbf700fdbea1e5ec7f14c656575d000

Download Submit
C:\Users\Admin\AppData\Local\Temp\531bem6p.pdb

Filesize
7KB

MD5
1d034764d44d853c4ec13d0ccec96a11

SHA1
33b0a8641636f87433833411e4cab619051b101a

SHA256
65759cf001d3bcf0d2eeb3547e2098fc0d14bd4f58e971ae4b23c493b8baf6ec

SHA512
1487854b4eec55ad9c04e05106d1c40c0909cec12178db3563719ff56fc2be6010dbc929dbdb3466c79e7dd0190d1d6d5e1f2da721fa024da07864a1dffb7a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES932C.tmp

Filesize
1KB

MD5
66692f2ae0cb095f84ec2ba1598cfd54

SHA1
ece10bef775c6e33fe06919bce19d86dc51fcdaa

SHA256
67db914d0b7508ae641ffb418931dda772c78a891e82a9f233f869217673492b

SHA512
2a11543132f5406076a7bf8ec5ccffe06b1b85c8ff751fb274dc9163654cda911955fe3436296bf0c33f8ea603cd2dc4f2ebc939ffffc35d10a5ae22e07d112e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\531bem6p.0.cs

Filesize
263B

MD5
7ef2dc814f5c082336d1fbe487a53299

SHA1
47cd4aac3e19115385f1e3e9c9f43736133c5a4c

SHA256
89bdfb37bad7981cb859d457c6da2ac99d1f6b3c8c3324b46c569f2cec1124b3

SHA512
c9e75f7c5b9d4e1156dfd52f9660ee1c3b5e0a8502de4149282d5ec8ae541d4a64a69d8a9f9027768d8fdcb17a89a7613b5a56902f66ed217c8d195e1851ddc9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\531bem6p.cmdline

Filesize
309B

MD5
1ffdb8ed5ff6174e03695b914cd4231b

SHA1
0a67f42ac1a160b9296a0469ac09488fa5392e78

SHA256
7358c79e4a04fc32d04e9a211448f29e865dfa0e5b7e18397a5cc76d36f3784b

SHA512
78304ff99b7315d0d0abd17d38a0b6237c8e772484af113ed480e36ecb255d07346f566525abcaf8bbf08f9e34931b0f002b9ecd74497017eb4bff252bb193bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC932B.tmp

Filesize
652B

MD5
d65abfaa0b8f7ddf72f692534815ff04

SHA1
eec2d2b97961489f7d8fe9283440e8fe21c8f1cf

SHA256
bdd0ba4fdb05153aca1690a32cace234467ea91a591ea5137021c52e17f68fed

SHA512
77c1614a3ec7ff92aabf31043dea810bd943f5b94d97a45af7441a2f207993e4e97971626e9b59872bd6769d815df0e51ede9d0a303ca6188043aa45eea957a2

Download Submit
memory/1740-11-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/1740-10-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/1740-9-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/1740-6-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1740-8-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/1740-4-0x000007FEF5E4E000-0x000007FEF5E4F000-memory.dmp

Filesize
4KB

Download
memory/1740-7-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/1740-27-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/1740-5-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/1740-30-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2448-17-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2448-25-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing