3ddc41eaf0ca6504fb7971f90fb8fc3a3b90f3ba4cf4c8cff047b650cf1da9ba

General

Target

2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642.ps1
Size

1.2MB
MD5

0fd79f4c60593f6aae69ff22086c3bb0
SHA1

07f0692c856703d75a9946a0fbb3c0db03f7ac40
SHA256

a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642
SHA512

28a0ae0a779aa88499f70cf97ef9db9482527017ea76ee2e469e4184684c4d4fb0559e50f1721e7e9d02655bee4cdf7b12c62a3d037ea10130121cfbb772e250
SSDEEP

24576:jarQlVyeHtWdf7PyJjwLKWp57+7fb0TLaB7VrE:jD567vs1tm

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2904	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2904	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2808	2904	powershell.exe	31
PID 2904 wrote to memory of 2808	2904	powershell.exe	31
PID 2904 wrote to memory of 2808	2904	powershell.exe	31
PID 2808 wrote to memory of 2328	2808	csc.exe	32
PID 2808 wrote to memory of 2328	2808	csc.exe	32
PID 2808 wrote to memory of 2328	2808	csc.exe	32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2020.10.29_CISA-MAR-10310246_Powershell_Backdoor\a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wqhqyqta.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84BB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC849B.tmp"
    3⤵
    PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES84BB.tmp

Filesize
1KB

MD5
3850238811ff10647d7ebd26ea9b98bf

SHA1
fb8e3f0b09888925e07e784df15fafafea1b9dfd

SHA256
88796ddc805a0445713514055560d3ffcd9e63fdc6e51afaea1c4df21d6f6e14

SHA512
d00b6442e8750135d443f852ae51c71625ee558d64de501a341d6ba0352af0b5ecebb54b2ae687dce75196fffe4098af772dcee4837a46846d7b01e29f69545c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wqhqyqta.dll

Filesize
4KB

MD5
fb1c368ae372753becf962e08b43a933

SHA1
731116e032fee099394afd2f6007e7ed3814f74e

SHA256
def24e9a324d74206944f4d81bdf4ffa9137869552f3f794559c96fd00c4e8cb

SHA512
9e46e5636414932528e7eef6bcc9309ea6c3832f3b3925b5604ae168549c392ee7505af44b697da643661b78eb789fcbfb747a2c7c09d760037b515e6c966f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wqhqyqta.pdb

Filesize
11KB

MD5
8e27bca2e926b16ee1a34130c7f1f7fb

SHA1
7a223604ee155414d6ec10cd13268900b3fcdad9

SHA256
b35600ad8866e20a50fdc05746593e098e1cbc072502016b19e341a40df7665d

SHA512
eccee9d30ce19c33e30967311cdcfe79dbbedded3bf3211e5ca133742859722fe06d6119af2a7ec3b77f9a006009c80b102601c7f2d72370242c43ecfe02f772

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC849B.tmp

Filesize
652B

MD5
218b737c3adf566f0ee6c3506aac01d8

SHA1
07fdafa87e515d15bdc69c3548a1a55f571368d2

SHA256
8cde88f4b6c7f2a106cb25fde3220376c5808a0c34ede78862ca27f394fea424

SHA512
96a90793db5061bf34d561aac001b71aef9643c7ac86d2cd863d430d7ed035d85281ad8baa63ef352938db6fca64abbfc867dfe23a70731b509940a27700dc11

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wqhqyqta.0.cs

Filesize
983B

MD5
1cb20d1a848fe50dd7df06e1d97b9b0c

SHA1
451fecfdba392d30a91f216ec2c4982bc747fbe2

SHA256
99504512eefc236fc84cfac8a4a0354762758c7557729fe8504177bafa8204c9

SHA512
6ec9319e9bc32716b774e6e0aaf6a58404acd12eaf2e3e8225e24bfcf5a496cee8c7e0aa4b113093007d81fb9cd4ff0dea2c8c83d30f478a102d2e6a503e36a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wqhqyqta.cmdline

Filesize
309B

MD5
11c38affba93bc8253aee803765f124c

SHA1
af706a25de2750778c672a2ca9347d66a6f1c7fb

SHA256
fb9399cd74667feb7d515493c9700eee1c619df16e1b394c56bd778510f57961

SHA512
0575c013e8ef608bd8252f30f78a9bb0c53b76af6d8db782033fc41c4592fca56afe18567914ad79aec810716696fbb716f348c90843f3b08e58fb16c1251231

Download Submit
memory/2808-17-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2808-25-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2904-10-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2904-11-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2904-4-0x000007FEF651E000-0x000007FEF651F000-memory.dmp

Filesize
4KB

Download
memory/2904-9-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2904-8-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2904-7-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2904-5-0x000000001B3F0000-0x000000001B6D2000-memory.dmp

Filesize
2.9MB

Download
memory/2904-6-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2904-27-0x0000000002750000-0x0000000002758000-memory.dmp

Filesize
32KB

Download
memory/2904-30-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing