3ddc41eaf0ca6504fb7971f90fb8fc3a3b90f3ba4cf4c8cff047b650cf1da9ba

General

Target

2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8.ps1
Size

4.1MB
MD5

65419948186842f8f3ef07cafb71f59a
SHA1

93537b0814177e2101663306aa17332b9303e08a
SHA256

134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8
SHA512

83d093c6febacb11fcde57fee98c2385f628e5cd3629bfabd0f9e4d2c5de18c6336b3d3aff8081b06a827e742876d19ae370e81890c247daac73d4f8b7ea5f90
SSDEEP

24576:+vq2EYNg0gX792UHDoSe9Ov2a8p+JnHZUoWYWUpcfm3WuPhu/aqJOFKs4Wuw054o:Drr9q0v4ubJmg4OFuwkOM5NZihxs

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3080	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3080	powershell.exe
3080	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3080	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 4888	3080	powershell.exe	90
PID 3080 wrote to memory of 4888	3080	powershell.exe	90
PID 4888 wrote to memory of 2080	4888	csc.exe	91
PID 4888 wrote to memory of 2080	4888	csc.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2020.10.29_CISA-MAR-10310246_Powershell_Backdoor\134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\okhzgya2\okhzgya2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF24F.tmp" "c:\Users\Admin\AppData\Local\Temp\okhzgya2\CSC987F07CF87FD4A68B1763EEE9C64439.TMP"
    3⤵
    PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF24F.tmp

Filesize
1KB

MD5
26835a81104684f33a3b82c90f90bca2

SHA1
29ddf0dbe03eaeba7da11e4c32baf0f78f60e576

SHA256
b8e4ed0f6750e0f931188bf6cb2f3f40ed15b41f3b211189286d00955d09f51c

SHA512
0a631cff93d93bb1081a54e5951b1340254f1ba30db3e4e3ebc461464384ab1c0cfde93610953e000ed9c1a638e6d5f92c02fffc458af8e48b0dcc8dfe924dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tmvwmzsx.cbe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\okhzgya2\okhzgya2.dll

Filesize
3KB

MD5
e23e557aad04270b1186d38801e95532

SHA1
3d3f1b10f5183b4babaa86adeec76896b8a6a3b4

SHA256
2eecc946b5aa2b1101e6d37130e06a3f81e47e0e7e37af9b8dd252f56e9d9011

SHA512
f0bbaf6fb4f3cd43ed11cb4b4711439e7d3894fcc82191707a420b26f5898b95c7e9928617957b5a4a5f902ea5a9ba6b58f03819bad05f109168da54655bd4e3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\okhzgya2\CSC987F07CF87FD4A68B1763EEE9C64439.TMP

Filesize
652B

MD5
110f6ed7ed635a4271fdc62655c0d33c

SHA1
e8d09fcfdbdc4b79c5cc1eaaa2999186960d826c

SHA256
931073e859ed3a88308e551d34d94601c887484b4a1950daff631c0b7c8153e9

SHA512
038a2ede43244ddc6f0f48009976fdd8a2517feef72519d758f57083147fafb12fb0ac729911aace7874721401084a357d8ce51f59ad635c457749f9dfe910e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\okhzgya2\okhzgya2.0.cs

Filesize
267B

MD5
9a5354e267b72f1a15a5d2e66a2e0788

SHA1
2db1d1a809659312bf45f91d41777360526c0a67

SHA256
154e4bdda09648d3e855b1e47488b00c323787125351556787f83c95c441f724

SHA512
4a47a58d75da136da493821b3212c15e53ea13204f35f9fcbaf6177356aba5b2ea0c60071daae93dd3d00c395c7dae5f559117dc851ea4a5d8612b0088ec1f01

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\okhzgya2\okhzgya2.cmdline

Filesize
369B

MD5
5528d8445e32bc54fc7a360ac367e6bf

SHA1
4d9a2747dae52340491d99496544ca64babfdfbf

SHA256
1dbabf811a722190e757b92d95d586118b0f154f929faf0a2e12d9603096c7a4

SHA512
1f0cb963ebcfc2b0866f62c1dc4e3e89480acfae4029b7ef3510e8312d2e33e8081c75aa4e5184339e4f95dac9ac223bcc64680449d3d76ca32478275f7aff5f

Download Submit
memory/3080-0-0x00007FF9CF0F3000-0x00007FF9CF0F5000-memory.dmp

Filesize
8KB

Download
memory/3080-13-0x00007FF9CF0F0000-0x00007FF9CFBB1000-memory.dmp

Filesize
10.8MB

Download
memory/3080-12-0x00007FF9CF0F0000-0x00007FF9CFBB1000-memory.dmp

Filesize
10.8MB

Download
memory/3080-11-0x00007FF9CF0F0000-0x00007FF9CFBB1000-memory.dmp

Filesize
10.8MB

Download
memory/3080-26-0x000002636A320000-0x000002636A328000-memory.dmp

Filesize
32KB

Download
memory/3080-3-0x0000026369F80000-0x0000026369FA2000-memory.dmp

Filesize
136KB

Download
memory/3080-28-0x00007FF9CF0F0000-0x00007FF9CFBB1000-memory.dmp

Filesize
10.8MB

Download
memory/3080-31-0x00007FF9CF0F0000-0x00007FF9CFBB1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing