3ddc41eaf0ca6504fb7971f90fb8fc3a3b90f3ba4cf4c8cff047b650cf1da9ba

General

Target

2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8.ps1
Size

4.1MB
MD5

65419948186842f8f3ef07cafb71f59a
SHA1

93537b0814177e2101663306aa17332b9303e08a
SHA256

134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8
SHA512

83d093c6febacb11fcde57fee98c2385f628e5cd3629bfabd0f9e4d2c5de18c6336b3d3aff8081b06a827e742876d19ae370e81890c247daac73d4f8b7ea5f90
SSDEEP

24576:+vq2EYNg0gX792UHDoSe9Ov2a8p+JnHZUoWYWUpcfm3WuPhu/aqJOFKs4Wuw054o:Drr9q0v4ubJmg4OFuwkOM5NZihxs

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1532	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1532	powershell.exe
1532	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 3180	1532	powershell.exe	89
PID 1532 wrote to memory of 3180	1532	powershell.exe	89
PID 3180 wrote to memory of 3532	3180	csc.exe	91
PID 3180 wrote to memory of 3532	3180	csc.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2020.10.29_CISA-MAR-10310246_Powershell_Backdoor\134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3fg0b51b\3fg0b51b.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2D7.tmp" "c:\Users\Admin\AppData\Local\Temp\3fg0b51b\CSCAFCDA439A2F1485EA1C68C064A023B4.TMP"
    3⤵
    PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3fg0b51b\3fg0b51b.dll

Filesize
3KB

MD5
bcd1d0850385a37244e88f7cfa8edf5d

SHA1
df59b50503d85c5c8a94ca4b08244ce7c84d7a34

SHA256
2fe6af31748253835b588fffa9f0d552cddffa90614cfae91896c1b6ab420eb2

SHA512
93988e0be93f2c76fb772c3ef2580b8b97f6f25c192a862b90c4c5bb1df43538df9f832320ff590a87d5a5f454cb66519ab3ce6225a8063c07d269c88f1c6359

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA2D7.tmp

Filesize
1KB

MD5
1b93a18f400cd5ff51f2834c16aa29c9

SHA1
b9943e81693b1d662885367abe6a5aa4ef95e19b

SHA256
36f083f6453a6b97c74ad4323d685c10382f3d0c718e36b104ad61bee2126cd8

SHA512
d9cd5f4d334e27e186357a83ac07b556edf9e69d7bae6098199c831cf33f7a53747eb4f6b0d50a86fe3afd893991dc23e1f1193046084279a9bfe2d2677a494f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tnzlzezt.yww.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3fg0b51b\3fg0b51b.0.cs

Filesize
267B

MD5
9a5354e267b72f1a15a5d2e66a2e0788

SHA1
2db1d1a809659312bf45f91d41777360526c0a67

SHA256
154e4bdda09648d3e855b1e47488b00c323787125351556787f83c95c441f724

SHA512
4a47a58d75da136da493821b3212c15e53ea13204f35f9fcbaf6177356aba5b2ea0c60071daae93dd3d00c395c7dae5f559117dc851ea4a5d8612b0088ec1f01

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3fg0b51b\3fg0b51b.cmdline

Filesize
369B

MD5
69c16565cbb59a12fc7f28d2e66d4763

SHA1
523acd399ab8c5a5dc5a7d449282eb2e06437374

SHA256
7ce2f05acac1892ee73a818969338a6d3952fb32b857119c5aa5c89c5ee05c60

SHA512
dde9d7d00435af05f99d58952b3ae3b6daa8e57d25883370cc1ddce63ee90abf84959c6a066f5a109c47c5e7fdeccd5e902b523991daeaf2e2e6a5b901c67b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3fg0b51b\CSCAFCDA439A2F1485EA1C68C064A023B4.TMP

Filesize
652B

MD5
236d2bd2946d0f016c96653ced7886c0

SHA1
bf4fd88e32245204082a2cf254b79d68bd039950

SHA256
25f9ddbd87cbb900d235fe7ea185b13261fd241b6cd091191858bb8853992444

SHA512
d1fcbde3714ed4c42c246e327bc9bf93517f79d1de7fc59053c9302f72c43ce8b26e179817c633463046c663185d146e94143515dd9fa2288576ab6a9afa4dcb

Download Submit
memory/1532-13-0x00007FFB79770000-0x00007FFB7A231000-memory.dmp

Filesize
10.8MB

Download
memory/1532-0-0x00007FFB79773000-0x00007FFB79775000-memory.dmp

Filesize
8KB

Download
memory/1532-12-0x00007FFB79770000-0x00007FFB7A231000-memory.dmp

Filesize
10.8MB

Download
memory/1532-11-0x00007FFB79770000-0x00007FFB7A231000-memory.dmp

Filesize
10.8MB

Download
memory/1532-26-0x000002D1FC910000-0x000002D1FC918000-memory.dmp

Filesize
32KB

Download
memory/1532-7-0x000002D1FC520000-0x000002D1FC542000-memory.dmp

Filesize
136KB

Download
memory/1532-28-0x00007FFB79770000-0x00007FFB7A231000-memory.dmp

Filesize
10.8MB

Download
memory/1532-31-0x00007FFB79770000-0x00007FFB7A231000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing