Analysis
- max time kernel: 122s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20250217-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/02/2025, 10:04
Behavioral tasks
- behavioral1: sample 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d.dll, resource win7-20240903-en
- behavioral2: sample 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d.dll, resource win10v2004-20250217-en
- behavioral3: sample 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8.ps1, resource win7-20240903-en
- behavioral4: sample 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8.ps1, resource win10v2004-20250217-en
- behavioral5: sample 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405.dll, resource win7-20240729-en
- behavioral6: sample 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405.dll, resource win10v2004-20250217-en
- behavioral7: sample 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316.dll, resource win7-20240903-en
- behavioral8: sample 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316.dll, resource win10v2004-20250217-en
- behavioral9: sample 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642.ps1, resource win7-20241010-en
- behavioral10: sample 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642.ps1, resource win10v2004-20250217-en
General
- Target: 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642.ps1
- Size: 1.2MB
- MD5: 0fd79f4c60593f6aae69ff22086c3bb0
- SHA1: 07f0692c856703d75a9946a0fbb3c0db03f7ac40
- SHA256: a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642
- SHA512: 28a0ae0a779aa88499f70cf97ef9db9482527017ea76ee2e469e4184684c4d4fb0559e50f1721e7e9d02655bee4cdf7b12c62a3d037ea10130121cfbb772e250
- SSDEEP: 24576:jarQlVyeHtWdf7PyJjwLKWp57+7fb0TLaB7VrE:jD567vs1tm
Malware Config
Signatures
- pid 3652, process powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 3652, process powershell.exe
  pid 3652, process powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege; pid 3652, process powershell.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 3652 wrote to memory of 2508; pid 3652, process powershell.exe, procid_target 89
  PID 3652 wrote to memory of 2508; pid 3652, process powershell.exe, procid_target 89
  PID 2508 wrote to memory of 3068; pid 2508, process csc.exe, procid_target 90
  PID 2508 wrote to memory of 3068; pid 2508, process csc.exe, procid_target 90
Processes
1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3652)
   Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2020.10.29_CISA-MAR-10310246_Powershell_Backdoor\a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642.ps1
   - Command and Scripting Interpreter: PowerShell
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 2508)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2v5dpart\2v5dpart.cmdline"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 3068)
         Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA642.tmp" "c:\Users\Admin\AppData\Local\Temp\2v5dpart\CSCB5C897D2FA6941D680F1638EC2F2AAFB.TMP"
Network
MITRE ATT&CK Enterprise v15
Downloads