3ddc41eaf0ca6504fb7971f90fb8fc3a3b90f3ba4cf4c8cff047b650cf1da9ba

General

Target

2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642.ps1
Size

1.2MB
MD5

0fd79f4c60593f6aae69ff22086c3bb0
SHA1

07f0692c856703d75a9946a0fbb3c0db03f7ac40
SHA256

a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642
SHA512

28a0ae0a779aa88499f70cf97ef9db9482527017ea76ee2e469e4184684c4d4fb0559e50f1721e7e9d02655bee4cdf7b12c62a3d037ea10130121cfbb772e250
SSDEEP

24576:jarQlVyeHtWdf7PyJjwLKWp57+7fb0TLaB7VrE:jD567vs1tm

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2248	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2248	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2816	2248	powershell.exe	30
PID 2248 wrote to memory of 2816	2248	powershell.exe	30
PID 2248 wrote to memory of 2816	2248	powershell.exe	30
PID 2816 wrote to memory of 2356	2816	csc.exe	31
PID 2816 wrote to memory of 2356	2816	csc.exe	31
PID 2816 wrote to memory of 2356	2816	csc.exe	31

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2020.10.29_CISA-MAR-10310246_Powershell_Backdoor\a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ymbj1y7x.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC85F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC84E.tmp"
    3⤵
    PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC85F.tmp

Filesize
1KB

MD5
76a29809432caabf84ce2a1fbbc6ed47

SHA1
789646c59cecaf9c6ea5354d6140c82854ba5fff

SHA256
f3d090b7a43f4b0fe8b9acc8c06f8b84227737a87526e6271b8bb6031e83e705

SHA512
dab1595aea1b37d1544db7ecfae8bcc87f2843eaf31e03ce9f9b7e9f700adffb1fa180fc3250787e8d9f987992b97a407f2cefbf62f83b022f78373283c1cafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymbj1y7x.dll

Filesize
4KB

MD5
c63a6dc6bc57f80b93f8119709ee1b51

SHA1
dc2f5ddaaed29e07b1bae956e18a0dd71ff6ab7c

SHA256
15cb1c2634bdde44d73bf87e139a891957ea06d44d2f8c0cce22209b64e56335

SHA512
817af0f252a1acd158a2d245f7d84a85a460c6513ad5fd575236067240e2b9d140e1ef73a1478eea7532c1c54750f1e50af08007b62be6499a54382f1e47dbcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymbj1y7x.pdb

Filesize
11KB

MD5
4988210f2854b432e112a5f301eabc8c

SHA1
5bb2e485adcfcb6f20335928b9d1f0369ca33275

SHA256
7bd15e8653add3874d1067e908c3be6c9cd774f2c07ea6497215a820bd46590d

SHA512
8ceb2f76b01ace399eb7ddeccf008a125db9771c4b1f07f891e0d3230aa77cf12f37d214198e2ca24e13936eda7aec04d334b863c54db7d6d5ff6b2da00817b1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC84E.tmp

Filesize
652B

MD5
93597ef10796674b140c863227cc2e3b

SHA1
70aa70b49a821918607415233102a4ed47445ed2

SHA256
ab86eef2b0e4ecc21cc02132a160e03742825f2cb0a5119175524bf1fe37b9d9

SHA512
9c0dc5e610de58df6202d04e4f6034a5758e2f5d6508bc266bf5ddb9929b9170d59d1153a06b85abddcaa85feb3735f45b7ebc7f28c4d8bdd1c66644204d83a8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ymbj1y7x.0.cs

Filesize
983B

MD5
1cb20d1a848fe50dd7df06e1d97b9b0c

SHA1
451fecfdba392d30a91f216ec2c4982bc747fbe2

SHA256
99504512eefc236fc84cfac8a4a0354762758c7557729fe8504177bafa8204c9

SHA512
6ec9319e9bc32716b774e6e0aaf6a58404acd12eaf2e3e8225e24bfcf5a496cee8c7e0aa4b113093007d81fb9cd4ff0dea2c8c83d30f478a102d2e6a503e36a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ymbj1y7x.cmdline

Filesize
309B

MD5
ca03b44cb546ca6c576cc4fba2ce790a

SHA1
eae7d68e65efe5149f623724533a783d833a3dde

SHA256
2bdf44f9ee42ec0f004309627f257c7a297b4b728a9ff426e6943589af63b5bd

SHA512
c095e210e2719ea6a7c17e8b169a7ff3d7115d11f96baee128c448a9a350722b702a03d343eb4f267f190d50ade35b67bc9835f4be814124284e3ff1844a5cdf

Download Submit
memory/2248-8-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2248-12-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2248-15-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2248-4-0x000007FEF67BE000-0x000007FEF67BF000-memory.dmp

Filesize
4KB

Download
memory/2248-7-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2248-6-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/2248-26-0x000000001B210000-0x000000001B218000-memory.dmp

Filesize
32KB

Download
memory/2248-5-0x000000001B2A0000-0x000000001B582000-memory.dmp

Filesize
2.9MB

Download
memory/2248-29-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-23-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-24-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing