Overview (score: 10)
- Static: 10
- 2020.10.29...3d.dll, windows7-x64: 3
- 2020.10.29...3d.dll, windows10-2004-x64: 3
- 2020.10.29...f8.ps1, windows7-x64: 6
- 2020.10.29...f8.ps1, windows10-2004-x64: 3
- 2020.10.29...05.dll, windows7-x64: 1
- 2020.10.29...05.dll, windows10-2004-x64: 1
- 2020.10.29...16.dll, windows7-x64: 1
- 2020.10.29...16.dll, windows10-2004-x64: 1
- 2020.10.29...42.ps1, windows7-x64: 3 (this report)
- 2020.10.29...42.ps1, windows10-2004-x64: 3

Analysis
- max time kernel: 121s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 27/02/2025, 10:11
Behavioral tasks
- behavioral1: 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d.dll (resource: win7-20240729-en)
- behavioral2: 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d.dll (resource: win10v2004-20250217-en)
- behavioral3: 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8.ps1 (resource: win7-20240903-en)
- behavioral4: 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8.ps1 (resource: win10v2004-20250217-en)
- behavioral5: 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405.dll (resource: win7-20241010-en)
- behavioral6: 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405.dll (resource: win10v2004-20250217-en)
- behavioral7: 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316.dll (resource: win7-20240903-en)
- behavioral8: 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316.dll (resource: win10v2004-20250217-en)
- behavioral9 (this report): 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642.ps1 (resource: win7-20241010-en)
- behavioral10: 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642.ps1 (resource: win10v2004-20250217-en)
General
- Target: 2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642.ps1
- Size: 1.2MB
- MD5: 0fd79f4c60593f6aae69ff22086c3bb0
- SHA1: 07f0692c856703d75a9946a0fbb3c0db03f7ac40
- SHA256: a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642
- SHA512: 28a0ae0a779aa88499f70cf97ef9db9482527017ea76ee2e469e4184684c4d4fb0559e50f1721e7e9d02655bee4cdf7b12c62a3d037ea10130121cfbb772e250
- SSDEEP: 24576:jarQlVyeHtWdf7PyJjwLKWp57+7fb0TLaB7VrE:jD567vs1tm
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell
  pid 2904, powershell.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2904, powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2904, powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2904 wrote to memory of 2808 (powershell.exe -> csc.exe), procid_target 31, recorded 3 times
  PID 2808 wrote to memory of 2328 (csc.exe -> cvtres.exe), procid_target 32, recorded 3 times
Processes
1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2904)
   Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2020.10.29_CISA-MAR-10310246_Powershell_Backdoor\a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642.ps1
   Signatures:
   - Command and Scripting Interpreter: PowerShell
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (PID 2808, child of 2904)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wqhqyqta.cmdline"
      Signatures:
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 2328, child of 2808)
         Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84BB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC849B.tmp"
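The powershell.exe -> csc.exe -> cvtres.exe chain above, together with the WriteProcessMemory pairs in the Signatures list (2904 -> 2808, 2808 -> 2328), is the footprint of PowerShell's Add-Type: the script hands C# source to the CLR's csc.exe through a randomly named .cmdline response file in %TEMP%, and csc.exe in turn runs cvtres.exe to build the resource section of the compiled assembly. The detection below is an added example written for this report; it is not sandbox output and not code from the MAR. It walks process-creation events and flags any csc.exe whose parent is a PowerShell host, adding weight for -ExecutionPolicy bypass, a script run from %TEMP%, an Add-Type style response file, and a cvtres.exe child. The event records, the pid/ppid/image/cmdline field names and the benign MSBuild row are constructed assumptions modelled on Sysmon Event ID 1.

```python
"""Flag the powershell.exe -> csc.exe -> cvtres.exe chain seen in this run.

Added example for this report, not sandbox or CISA code. The events below
are constructed to mirror the recorded process tree (PIDs 2904 -> 2808 ->
2328) plus one benign build to show what is *not* flagged; the field names
(pid, ppid, image, cmdline) are an assumption modelled on Sysmon Event ID 1.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed telemetry: the first three rows mirror the report's process tree.
SAMPLE_EVENTS = [
    ProcEvent(2904, 1800, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp"
              r"\2020.10.29_CISA-MAR-10310246_Powershell_Backdoor"
              r"\a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642.ps1"),
    ProcEvent(2808, 2904, r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths '
              r'@"C:\Users\Admin\AppData\Local\Temp\wqhqyqta.cmdline"'),
    ProcEvent(2328, 2808, r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe",
              r'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY '
              r'/MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84BB.tmp" '
              r'"c:\Users\Admin\AppData\Local\Temp\CSC849B.tmp"'),
    # Benign noise (constructed): MSBuild-driven compile, parent is not a PowerShell host.
    ProcEvent(4100, 4000, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'csc.exe /noconfig @"C:\src\app\obj\Debug\app.csproj.cmdline"'),
]

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Add-Type writes its compiler response file to %TEMP% under a random 8-character name.
ADDTYPE_RESPONSE_FILE = re.compile(r'@"?[^"]*\\Temp\\[a-z0-9]{8}\.cmdline"?', re.IGNORECASE)
# Matches -ExecutionPolicy bypass as well as the -ep / -exec abbreviations.
EXEC_POLICY_BYPASS = re.compile(r"-e[xp]\w*\s+bypass", re.IGNORECASE)
SCRIPT_FROM_TEMP = re.compile(r"\\Temp\\.*\.ps1", re.IGNORECASE)


def image_name(image: str) -> str:
    """Basename of an image path, lower-cased for comparison."""
    return image.rsplit("\\", 1)[-1].lower()


def find_compile_chains(events):
    """Return one finding per csc.exe whose parent is a PowerShell host.

    Each finding carries the PIDs involved and the reasons that matched, so
    the output can be scored or triaged rather than treated as a verdict.
    """
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    for e in events:
        if image_name(e.image) != "csc.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or image_name(parent.image) not in POWERSHELL_HOSTS:
            continue
        reasons = ["csc.exe spawned by a PowerShell host"]
        if ADDTYPE_RESPONSE_FILE.search(e.cmdline):
            reasons.append("Add-Type style response file in %TEMP%")
        if EXEC_POLICY_BYPASS.search(parent.cmdline):
            reasons.append("parent launched with -ExecutionPolicy bypass")
        if SCRIPT_FROM_TEMP.search(parent.cmdline):
            reasons.append("script executed from %TEMP%")
        cvtres_pids = [c.pid for c in children.get(e.pid, [])
                       if image_name(c.image) == "cvtres.exe"]
        if cvtres_pids:
            reasons.append("cvtres.exe child (resource linking of the compiled assembly)")
        findings.append({
            "powershell_pid": parent.pid,
            "csc_pid": e.pid,
            "cvtres_pids": cvtres_pids,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in find_compile_chains(SAMPLE_EVENTS):
        print(f"powershell {finding['powershell_pid']} -> csc {finding['csc_pid']} "
              f"-> cvtres {finding['cvtres_pids']}")
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run as-is it reports the single chain from this task and ignores the MSBuild row. Treat a hit as a triage pivot, not a verdict: administrator scripts that use Add-Type produce the same parent/child pattern, so the response file, the source it references and the launching .ps1 are the artifacts to pull before deciding. The csc.exe path under Framework64\v2.0.50727 in this run also shows the script was hosted on the .NET 2.0 CLR, i.e. PowerShell 2.0, which has neither Script Block Logging nor AMSI, so on such a host process-creation telemetry is the signal to rely on.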
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 3850238811ff10647d7ebd26ea9b98bf
  SHA1: fb8e3f0b09888925e07e784df15fafafea1b9dfd
  SHA256: 88796ddc805a0445713514055560d3ffcd9e63fdc6e51afaea1c4df21d6f6e14
  SHA512: d00b6442e8750135d443f852ae51c71625ee558d64de501a341d6ba0352af0b5ecebb54b2ae687dce75196fffe4098af772dcee4837a46846d7b01e29f69545c
- Filesize: 4KB
  MD5: fb1c368ae372753becf962e08b43a933
  SHA1: 731116e032fee099394afd2f6007e7ed3814f74e
  SHA256: def24e9a324d74206944f4d81bdf4ffa9137869552f3f794559c96fd00c4e8cb
  SHA512: 9e46e5636414932528e7eef6bcc9309ea6c3832f3b3925b5604ae168549c392ee7505af44b697da643661b78eb789fcbfb747a2c7c09d760037b515e6c966f7c
- Filesize: 11KB
  MD5: 8e27bca2e926b16ee1a34130c7f1f7fb
  SHA1: 7a223604ee155414d6ec10cd13268900b3fcdad9
  SHA256: b35600ad8866e20a50fdc05746593e098e1cbc072502016b19e341a40df7665d
  SHA512: eccee9d30ce19c33e30967311cdcfe79dbbedded3bf3211e5ca133742859722fe06d6119af2a7ec3b77f9a006009c80b102601c7f2d72370242c43ecfe02f772
- Filesize: 652B
  MD5: 218b737c3adf566f0ee6c3506aac01d8
  SHA1: 07fdafa87e515d15bdc69c3548a1a55f571368d2
  SHA256: 8cde88f4b6c7f2a106cb25fde3220376c5808a0c34ede78862ca27f394fea424
  SHA512: 96a90793db5061bf34d561aac001b71aef9643c7ac86d2cd863d430d7ed035d85281ad8baa63ef352938db6fca64abbfc867dfe23a70731b509940a27700dc11
- Filesize: 983B
  MD5: 1cb20d1a848fe50dd7df06e1d97b9b0c
  SHA1: 451fecfdba392d30a91f216ec2c4982bc747fbe2
  SHA256: 99504512eefc236fc84cfac8a4a0354762758c7557729fe8504177bafa8204c9
  SHA512: 6ec9319e9bc32716b774e6e0aaf6a58404acd12eaf2e3e8225e24bfcf5a496cee8c7e0aa4b113093007d81fb9cd4ff0dea2c8c83d30f478a102d2e6a503e36a2
- Filesize: 309B
  MD5: 11c38affba93bc8253aee803765f124c
  SHA1: af706a25de2750778c672a2ca9347d66a6f1c7fb
  SHA256: fb9399cd74667feb7d515493c9700eee1c619df16e1b394c56bd778510f57961
  SHA512: 0575c013e8ef608bd8252f30f78a9bb0c53b76af6d8db782033fc41c4592fca56afe18567914ad79aec810716696fbb716f348c90843f3b08e58fb16c1251231