Overview

Static: score 10

Behavioral tasks (score badge per target and platform, as shown in the report's tab strip):
- 2020.10.29...3d.dll, windows7-x64: 10
- 2020.10.29...3d.dll, windows10-2004-x64: 3
- 2020.10.29...f8.ps1, windows7-x64: 3
- 2020.10.29...f8.ps1, windows10-2004-x64: 6
- 2020.10.29...05.dll, windows7-x64: 3
- 2020.10.29...05.dll, windows10-2004-x64: 1
- 2020.10.29...16.dll, windows7-x64: 1
- 2020.10.29...16.dll, windows10-2004-x64: 1
- 2020.10.29...42.ps1, windows7-x64: 1
- 2020.10.29...42.ps1, windows10-2004-x64: 3
Analysis (score 3)

- max time kernel: 14s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 27/02/2025, 10:04
Behavioral tasks

- behavioral1: 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d.dll (resource win7-20240903-en)
- behavioral2: 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d.dll (resource win10v2004-20250217-en)
- behavioral3: 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8.ps1 (resource win7-20240903-en)
- behavioral4: 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8.ps1 (resource win10v2004-20250217-en)
- behavioral5: 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405.dll (resource win7-20240729-en)
- behavioral6: 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405.dll (resource win10v2004-20250217-en)
- behavioral7: 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316.dll (resource win7-20240903-en)
- behavioral8: 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316.dll (resource win10v2004-20250217-en)
- behavioral9: 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642.ps1 (resource win7-20241010-en)
- behavioral10: 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642.ps1 (resource win10v2004-20250217-en)
General

- Target: 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642.ps1
- Size: 1.2MB
- MD5: 0fd79f4c60593f6aae69ff22086c3bb0
- SHA1: 07f0692c856703d75a9946a0fbb3c0db03f7ac40
- SHA256: a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642
- SHA512: 28a0ae0a779aa88499f70cf97ef9db9482527017ea76ee2e469e4184684c4d4fb0559e50f1721e7e9d02655bee4cdf7b12c62a3d037ea10130121cfbb772e250
- SSDEEP: 24576:jarQlVyeHtWdf7PyJjwLKWp57+7fb0TLaB7VrE:jD567vs1tm
Malware Config
Signatures

- Command and Scripting Interpreter: PowerShell (1 IoC)
  pid 2248, process powershell.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2248, process powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid 2248, process powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description / pid / process / procid_target:
  PID 2248 wrote to memory of 2816 / 2248 / powershell.exe / 30 (listed three times)
  PID 2816 wrote to memory of 2356 / 2816 / csc.exe / 31 (listed three times)
Processes

1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2020.10.29_CISA-MAR-10310246_Powershell_Backdoor\a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642.ps1
   PID: 2248
   - Command and Scripting Interpreter: PowerShell
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (child of PID 2248)
      command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ymbj1y7x.cmdline"
      PID: 2816
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (child of PID 2816)
         command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC85F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC84E.tmp"
         PID: 2356
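The process tree above, powershell.exe started with -ExecutionPolicy bypass on a script in a Temp directory, spawning csc.exe, which in turn spawns cvtres.exe, is the footprint PowerShell leaves when a script compiles C# at run time (Add-Type); a .ps1 backdoor uses it to reach native APIs without dropping a DLL. The following detector is an added example and is not part of this sandbox report or of the CISA MAR: it walks process-creation events, finds every powershell.exe -> csc.exe -> cvtres.exe chain, and raises the severity when the launching command line also bypassed the execution policy and ran a script from Temp. The event fields (pid, ppid, image, cmdline), the sample events that mirror the PIDs and command lines above, the benign MSBuild chain, and the severity rule are all assumptions made for this example.

```python
# Added example (not from the sandbox report or the CISA MAR): detect the
# PowerShell run-time compilation chain seen in the process tree,
#   powershell.exe -ExecutionPolicy bypass -File <script>.ps1
#     -> csc.exe /noconfig /fullpaths @<tmp>.cmdline
#        -> cvtres.exe ... /OUT:<tmp>.tmp
# The event schema (pid, ppid, image, cmdline) and the sample events below are
# constructed for this example and do not follow a particular log format.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line


# Constructed sample, mirroring the PIDs and command lines in the report, plus
# one benign csc.exe invocation (an MSBuild build) that must not be flagged.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(2248, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\sample.ps1"),
    ProcEvent(2816, 2248, r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ymbj1y7x.cmdline"'),
    ProcEvent(2356, 2816, r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe",
              r'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC85F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC84E.tmp"'),
    ProcEvent(4100, 4000, r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe",
              r"MSBuild.exe build.proj"),
    ProcEvent(4101, 4100, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"csc.exe /noconfig @build.rsp"),
]

# -ExecutionPolicy and the prefixes powershell.exe accepts for it (-ex, -exec, -ep),
# followed by "bypass". "-e"/"-enc" alone is EncodedCommand and must not match.
EXEC_POLICY_BYPASS = re.compile(r"-(?:ex\w*|ep)\s+bypass\b", re.IGNORECASE)
# -File (or the -f prefix) followed by a quoted or a bare path.
FILE_ARG = re.compile(r'-f\w*\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, with surrounding quotes removed."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def script_path(cmdline: str) -> Optional[str]:
    """Path given to -File on a powershell.exe command line, or None."""
    m = FILE_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def find_runtime_compile_chains(events: List[ProcEvent]) -> List[dict]:
    """One finding per powershell.exe -> csc.exe edge, with any cvtres.exe
    grandchildren and the launch context that raises the severity."""
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings: List[dict] = []
    for ps in events:
        if basename(ps.image) != "powershell.exe":
            continue
        for csc in children.get(ps.pid, []):
            if basename(csc.image) != "csc.exe":
                continue
            cvtres = [c.pid for c in children.get(csc.pid, [])
                      if basename(c.image) == "cvtres.exe"]
            bypass = bool(EXEC_POLICY_BYPASS.search(ps.cmdline))
            script = script_path(ps.cmdline)
            in_temp = script is not None and "\\temp\\" in script.lower()
            # Add-Type from an administrator's script is common, so the chain alone
            # is medium; the policy bypass plus a script under Temp is the pattern
            # recorded in this report (severity rule is an assumption of the example).
            severity = "high" if (bypass and in_temp) else "medium"
            findings.append({
                "powershell_pid": ps.pid,
                "csc_pid": csc.pid,
                "cvtres_pids": cvtres,
                "execution_policy_bypass": bypass,
                "script": script,
                "script_in_temp": in_temp,
                "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for finding in find_runtime_compile_chains(SAMPLE_EVENTS):
        print(finding)
```

To run this against a real feed, map Sysmon Event ID 1 fields (ProcessId, ParentProcessId, Image, CommandLine) onto ProcEvent. The Framework64\v2.0.50727 compiler in the tree is the CLR 2.0 csc.exe that Windows PowerShell 2.0 on Windows 7 uses; on Windows 10 the same chain appears under v4.0.30319, which is why the detector matches on the executable name rather than the full path.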
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1KB
  MD5: 76a29809432caabf84ce2a1fbbc6ed47
  SHA1: 789646c59cecaf9c6ea5354d6140c82854ba5fff
  SHA256: f3d090b7a43f4b0fe8b9acc8c06f8b84227737a87526e6271b8bb6031e83e705
  SHA512: dab1595aea1b37d1544db7ecfae8bcc87f2843eaf31e03ce9f9b7e9f700adffb1fa180fc3250787e8d9f987992b97a407f2cefbf62f83b022f78373283c1cafa
- Filesize: 4KB
  MD5: c63a6dc6bc57f80b93f8119709ee1b51
  SHA1: dc2f5ddaaed29e07b1bae956e18a0dd71ff6ab7c
  SHA256: 15cb1c2634bdde44d73bf87e139a891957ea06d44d2f8c0cce22209b64e56335
  SHA512: 817af0f252a1acd158a2d245f7d84a85a460c6513ad5fd575236067240e2b9d140e1ef73a1478eea7532c1c54750f1e50af08007b62be6499a54382f1e47dbcc
- Filesize: 11KB
  MD5: 4988210f2854b432e112a5f301eabc8c
  SHA1: 5bb2e485adcfcb6f20335928b9d1f0369ca33275
  SHA256: 7bd15e8653add3874d1067e908c3be6c9cd774f2c07ea6497215a820bd46590d
  SHA512: 8ceb2f76b01ace399eb7ddeccf008a125db9771c4b1f07f891e0d3230aa77cf12f37d214198e2ca24e13936eda7aec04d334b863c54db7d6d5ff6b2da00817b1
- Filesize: 652B
  MD5: 93597ef10796674b140c863227cc2e3b
  SHA1: 70aa70b49a821918607415233102a4ed47445ed2
  SHA256: ab86eef2b0e4ecc21cc02132a160e03742825f2cb0a5119175524bf1fe37b9d9
  SHA512: 9c0dc5e610de58df6202d04e4f6034a5758e2f5d6508bc266bf5ddb9929b9170d59d1153a06b85abddcaa85feb3735f45b7ebc7f28c4d8bdd1c66644204d83a8
- Filesize: 983B
  MD5: 1cb20d1a848fe50dd7df06e1d97b9b0c
  SHA1: 451fecfdba392d30a91f216ec2c4982bc747fbe2
  SHA256: 99504512eefc236fc84cfac8a4a0354762758c7557729fe8504177bafa8204c9
  SHA512: 6ec9319e9bc32716b774e6e0aaf6a58404acd12eaf2e3e8225e24bfcf5a496cee8c7e0aa4b113093007d81fb9cd4ff0dea2c8c83d30f478a102d2e6a503e36a2
- Filesize: 309B
  MD5: ca03b44cb546ca6c576cc4fba2ce790a
  SHA1: eae7d68e65efe5149f623724533a783d833a3dde
  SHA256: 2bdf44f9ee42ec0f004309627f257c7a297b4b728a9ff426e6943589af63b5bd
  SHA512: c095e210e2719ea6a7c17e8b169a7ff3d7115d11f96baee128c448a9a350722b702a03d343eb4f267f190d50ade35b67bc9835f4be814124284e3ff1844a5cdf